For Security & IT Teams

Beacon gives security and IT teams local endpoint visibility into supported AI agent runtimes. It captures supported activity from Claude Code, Codex CLI, Cursor, and Claude Cowork, normalizes it into a stable endpoint event schema, writes Wazuh-compatible JSONL for local inspection, and can forward to Splunk HEC or customer-managed pipelines. Beacon is local-only by default. The endpoint agent does not require a Beacon-hosted account, remote policy fetch, or external network dependency during normal collection.

Operational workflow

1. Deploy the endpoint agent

   Use the signed and notarized macOS .pkg for MDM deployment, or install the CLI directly for local evaluation. Production MDM deployments use system mode and write events to /var/log/beacon-agent/runtime.jsonl.

2. Inventory and validate health

   Track Beacon version, collector service health, runtime log freshness, configured harnesses, content retention mode, and log writability through your device-management platform.

3. Review retention settings

   Select full, redacted, or metadata retention based on your approved telemetry collection policy.

4. Forward endpoint events

   Use Wazuh localfile ingestion, Splunk HEC export, or a customer-managed log shipper to forward Beacon events to your SIEM or data pipeline.

Guides

MDM deployment

Plan managed macOS rollout with the packaged system agent.

Jamf

Deploy and inventory Beacon with Jamf Pro policies and extension attributes.

Fleet

Deploy Beacon with Fleet software, policies, queries, and scripts.

SIEM forwarding

Forward Beacon events to Wazuh, Splunk HEC, or a customer-managed SIEM pipeline.

Endpoint event schema

Review the normalized JSONL contract used for endpoint events.

Supported surfaces

See supported runtimes, deployment modes, storage paths, and forwarding boundaries.

What to monitor

| Area | Recommended signal |
| --- | --- |
| Install coverage | Beacon package or binary version is present |
| Collector health | com.beacon.endpoint.collector is running |
| Event freshness | Last runtime event age is within your expected window |
| Runtime configuration | Configured harnesses match the approved deployment scope |
| Retention | Content retention mode matches policy |
| Forwarding readiness | Runtime log exists and is writable; Splunk HEC destination is configured when required |
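
The collector health, event freshness, and log writability signals above can be checked locally by an inventory script. The following is an added example, not Beacon's own tooling: it assumes the collector is a launchd service in the system domain under the name shown in the table, uses the log file's modification time as a stand-in for last event age, and uses a one-hour window as a placeholder threshold.

```shell
#!/bin/sh
# Added example: local Beacon health check for an MDM inventory script.
# The log path and service name come from the page. Everything else
# (threshold, mtime as freshness proxy, launchd system domain) is assumed.

BEACON_LOG="${BEACON_LOG:-/var/log/beacon-agent/runtime.jsonl}"
BEACON_LABEL="com.beacon.endpoint.collector"
MAX_AGE_SECONDS="${MAX_AGE_SECONDS:-3600}"   # assumed freshness window

# Print a file's age in seconds (GNU stat first, then BSD/macOS stat).
file_age_seconds() {
    mtime=$(stat -c %Y "$1" 2>/dev/null) || mtime=$(stat -f %m "$1" 2>/dev/null) || return 1
    echo $(( $(date +%s) - mtime ))
}

# Print one of: log_missing, log_not_writable, log_stale, log_ok.
# Note: -w tests the invoking user, so run this as the account that
# writes the log if you want a meaningful writability result.
log_state() {
    log="$1"; max_age="$2"
    [ -f "$log" ] || { echo log_missing; return 0; }
    [ -w "$log" ] || { echo log_not_writable; return 0; }
    age=$(file_age_seconds "$log") || { echo log_missing; return 0; }
    if [ "$age" -gt "$max_age" ]; then echo log_stale; else echo log_ok; fi
}

# Print collector_running, collector_not_running, or collector_unknown
# (the last when launchctl is unavailable, e.g. not on macOS).
collector_state() {
    command -v launchctl >/dev/null 2>&1 || { echo collector_unknown; return 0; }
    if launchctl print "system/$BEACON_LABEL" 2>/dev/null | grep -q 'state = running'; then
        echo collector_running
    else
        echo collector_not_running
    fi
}

# The <result> wrapper is the form Jamf Pro extension attributes read.
echo "<result>$(collector_state) $(log_state "$BEACON_LOG" "$MAX_AGE_SECONDS")</result>"
```

A `log_stale` result on a device where no supported runtime has been used recently is expected, so set the window to match how often agents actually run in your fleet.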

Boundaries

Beacon currently focuses on endpoint telemetry for supported AI agent runtimes. It does not provide kernel or process monitoring, shell history collection, cloud audit ingestion, browser or SaaS telemetry, credential-use attribution, MCP configuration inventory, or direct Datadog/Elastic exporters.