IT-RAT the stack/idryx GitHub ↗
access plane · wave 1

Idryx. Every identity on one graph, every unused grant on notice.

Your IdP counts the humans. Nobody counts the keys, the service accounts, or the agents acting on their behalf. Idryx reads what Okta, Entra, AWS, GCP and Azure already log, adds the agent-event bus, stitches all of it into one identity graph with delegation chains and blast radius, and runs 21 deterministic detectors over the result. Read-only by design: it proposes Terraform diffs, it never applies.

releasev0.2.0 · prebuilt binaries
coreGo · 21 detectors
connectorsOkta · Entra · AWS · GCP · Azure
outputCycloneDX 1.6 Agent-BOM
postureread-only, proposes diffs
sixty seconds, one graph

Watch the graph catch a runaway.

This is a simulation, but it replays the shape of the live validation run: TokenFuse agent-event NDJSON and Agent Passports land in a Postgres-backed graph, the detectors read the state back, and findings fire. The same three detectors fired against a real Postgres 16 during validation: runaway_agent, attestation_missing, orphaned_nhi.

under the hood

Sources in. Findings out. Nothing written back.

Five read-only connectors describe the humans, keys and service accounts; the agent-event bus streams what TokenFuse, Wardryx, Mockryx and Verdryx watched the agents do. One core resolves the graph, walks delegation chains root-first, and runs the 21 detectors. Everything that leaves is an alert, a BOM, or a proposed diff a human applies.

Okta Entra AWS GCP Azure agent-event bus tokenfuse · wardryx mockryx · verdryx idryx core identity graph delegation chains 21 detectors blast radius baseline engine postgres 16 graph chains resolve root-first reads everything, applies nothing alerts Slack · SIEM webhook, filtered by severity Agent-BOM CycloneDX 1.6 · idryx bom right_size proposed Terraform diff · PR, never applied serve :8080 read-only dashboard + JSON API
what it holds

Five identity kinds. One set of answers.

One graph, every identity

Humans, service accounts, keys, MCP servers and AI agents: five node kinds in one graph, not five tools. Agents are first-class, keyed name@url, with owner, runtime and attestation pinned to the node instead of lost in a generic service-account bucket.

Delegation chains

on_behalf_of edges record who acts for whom: agent to sub-agent to service account to human. The walk is cycle-safe and resolves root-first, so the question audits stall on for weeks gets answered from the graph in one query.

21 deterministic detectors

runaway_agent, impossible_travel, mfa_fatigue, data_exfiltration, tainted_agent, mcp_drift and fifteen more. Statistics and rules over the graph; the LLM is never in the detection path, so every finding is reproducible and auditable.

The Agent-BOM

When the auditor asks what agents you run, the answer is a CycloneDX 1.6 document: owner, runtime, attestation, tools and delegation chain for every agent identity. Its companion detector, bom_incomplete, flags the agents the BOM cannot yet prove.

Blast radius

What does this key reach, transitively? Idryx computes the union of every permission reachable through an identity's delegation chain. excessive_agency fires when an agent reaches admin-equivalent power through that chain (OWASP LLM06).

eBPF network sensor

A Linux-only sensor on the sys_enter_connect tracepoint captures real outbound connections and flags egress to known LLM APIs. unmanaged_egress fires for identities the sensor is the only evidence of: no IAM record, no passport, just traffic.

an honest comparison

Built for the identities that never log in.

SailPoint and CyberArk are serious IGA products for the identities they were built around: employees with logins. Idryx does not replace them, and it reads Okta and Entra as sources of truth. The difference is who gets first-class treatment: the keys, service accounts and agents that never log in at all.

IdryxIGA suitesSpreadsheets + scripts
Covers AI agents nativelyYes: agents are a node kindBolted onNo
Time to first insightMinutes: point it at logsQuarters of rolloutWeeks of grep
Enforcement stanceRead-only, proposes diffsHeavy write accessManual
Delegation chains for agentsFirst-class, root-firstRareNo
Evidence outputCycloneDX Agent-BOMProprietary reportsNone
PriceApache-2.0Six figuresYour weekends
in the stack

The one that reads everything and touches nothing.

Idryx consumes the same envelope TokenFuse, Wardryx, Mockryx and Verdryx write: the agent-event. It validates Agent Passports against the platform contract, and the loop closes at the policy plane: its attestation_missing detector is the reason an unattested agent meets a 403 from Wardryx policies instead of your production data.

try it now
idryx detect events.ndjson
idryx serve events.ndjson

Download a v0.2.0 release binary (SHA256SUMS ships next to it), run detect against a log, then serve for the read-only dashboard on :8080.