[Diagram: Endpoints stream telemetry into Katar; security tools query it via GraphQL. Your fleet: linux-prod-01 (RHEL 9 · eBPF), app-server-04 (Ubuntu 22.04), win-dc-01 (Windows · ETW), k8s-prod (54 pods), oracle-db-01 (OEL 8). Katar: single agent · one schema. Security tools: SIEM (logs, alerts & queries), SOAR (playbooks & response), Vulnerability (CVEs, SBOM & packages), DLP (outbound data flow), EASM (external surface mapping), CSAM / CMDB (asset inventory & ownership).]

One agent. Any tool. Total visibility.

Katar is a single hyper-lightweight agent that captures every signal modern security tools need — EDR, FIM, vulnerabilities, packages, listening services, identities, network reachability — and exposes it through one GraphQL surface. Any vendor integrates by registering a scoped key. No more five agents per host, no more per-tool collection pipelines.

5+ agents replaced
1 GraphQL surface
eBPF + WASM + XDP
mTLS + Ed25519 actions
The problem

Every host runs five agents.
None of them talk to each other.

Endpoints are choking under EDR, FIM, vulnerability scanner, DLP, CSAM, patch-management, and container-security collectors — each gathering overlapping telemetry, each maintaining its own pipeline, each adding kernel hooks that could take a fleet down on the next bad update. And when a pentester hands you an external IP, nothing on your stack can answer which internal asset owns it, who runs it, and what it can reach.

Agent fatigue

Five overlapping collectors per host. Single-agent failure modes, multiplied across the fleet.

Per-tool plumbing

Every new tool means a new agent, new config push, new ticket, new POC cycle.

No on-prem topology

Cloud platforms map exposure end-to-end. On-prem? Spreadsheets and Slack threads.

Vendor lock-in

Your data sits in five proprietary pipelines. Switching tools means rebuilding collection.

For vendors

Onboard a tool by creating a key.
Not by writing a collector.

Vendors integrating with Katar get the GraphQL schema, integration guides, and conformance suite. Every customer query is scoped, rate-limited, and audited. No agent of your own to ship; no per-customer collection pipeline; just a key and a GraphQL endpoint.

01
Customer creates a key: scoped to read:inventory, read:events, action
02
You query GraphQL: exactly the fields you need — no overcollection, no surprises
03
Every request audited: durable consent log per key, per scope, per query
SIEM / Data lake: Logs, alerts & events — OCSF or Parquet output
SOAR / Response: Signed enforcement actions over a verified channel
VM / EASM: SBOM-rich findings, deduplicated across feeds
CSAM / CMDB: Bitemporal asset facts with provenance
EDR / DFIR: Process trees, ancestry, network flows, file events
DLP: Outbound socket metadata via LSM hooks
How it works

Proto-first.
Standard-defined, end to end.

The Katar protocol contract lives in kos/proto/ as the single source of truth. The Rust agent does kernel-adjacent work; the Go control plane is the integration hub. Vendors integrate against the contract, not against any one product.

SECURITY TOOLS
SIEM
SOAR
VM
DLP
CSAM
EASM
Patch
Container
↑ GraphQL · scoped keys · per-query audit ↑
KATAR CONTROL PLANE · Go
GraphQL API
Asset Registry
Attack-Path Engine
Action Signer (Ed25519)
Push Pipeline
↑ mTLS gRPC · bidirectional · backpressure-aware ↑
KATAR AGENT · Rust
eBPF Sensor
WASM Engine
TPM Identity
XDP Enforcement
Inventory Scanner
HMAC Audit Log
↓ kernel-resident · zero-copy ↓
OS KERNEL
Linux eBPF
Windows ETW
XDP / LSM
Container cgroups
Attack paths

From an IP to the asset it touches.
Every hop, every blast-radius edge.

A pentester hands you an external IP. Katar walks the trail in real time — across firewalls, NAT entries, load-balancer pools, all the way to the process running on the host that owns the data.

[Figure: Attack path from external IP to internal application. Nodes: Attacker (Internet), ext-fw-001 (201.56.67.1), ext-fw-002 (201.56.67.2), lb-001 (10.11.35.4), AT-app01 (10.0.34.1). Attack Path: 1 instance.]
Topology edges
Active attack path
Source: external pentest finding · CVSS: 8.7
Walk forward: External IP → NAT → load balancer → backend pool → process → identity → data reachable.
Walk backward: Pick any internal asset and surface every external path that ultimately reaches it.
Choke points: Which one fix removes the most paths? Surface in a single query.
Time travel: Show the path that existed on the day of the pentest, not today's path.
What makes Katar Katar

Four properties everything else builds on.

01

One agent

eBPF on Linux, ETW on Windows. Hyper-lightweight, kernel-resident, zero-copy. Modules load on demand; nothing you don't use ever runs on the host.

02

One contract

The Katar protocol contract is canonical. Both services derive from it. Vendors integrate against the standard, not against any one company's product.

03

Cryptographic actions

Every enforcement action is Ed25519-signed and verified at the agent with a ±5 s replay window. HMAC-chained audit log on every host. Self-lockout guards.

04

Total exposure graph

Bitemporal asset graph spanning hosts, services, packages, identities, and reachability. Pentest finding to internal owner to blast radius — in a single query.
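
The "Cryptographic actions" property above, sketched as an added Go example (not Katar's code or wire format): a receiver checks the Ed25519 signature, then the ±5 s window, then a seen-set. The `Action` layout, `signedBytes`, `Verify` and the seen-set are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"time"
)

const window = 5 * time.Second // the ±5 s replay window stated on the page

// Action is a hypothetical wire format (not Katar's); the signature covers
// the issue time and the payload, so neither can be changed after signing.
type Action struct {
	Payload  []byte
	IssuedAt int64 // Unix seconds
	Sig      []byte
}

func signedBytes(a Action) []byte {
	b := make([]byte, 8, 8+len(a.Payload))
	binary.BigEndian.PutUint64(b, uint64(a.IssuedAt))
	return append(b, a.Payload...)
}

// Verify checks signature, then freshness, then the seen-set. The seen-set is
// an assumption added here: a window alone admits a replay inside those seconds.
func Verify(pub ed25519.PublicKey, seen map[string]bool, a Action, now time.Time) error {
	if !ed25519.Verify(pub, signedBytes(a), a.Sig) {
		return fmt.Errorf("bad signature")
	}
	if d := now.Sub(time.Unix(a.IssuedAt, 0)); d < -window || d > window {
		return fmt.Errorf("outside replay window (%v)", d)
	}
	if seen[string(a.Sig)] {
		return fmt.Errorf("replayed action")
	}
	seen[string(a.Sig)] = true // a real verifier would expire entries older than the window
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo key
	now := time.Now()
	a := Action{Payload: []byte("isolate host-a"), IssuedAt: now.Unix()} // constructed sample
	a.Sig = ed25519.Sign(priv, signedBytes(a))
	seen := map[string]bool{}
	fmt.Println(Verify(pub, seen, a, now), Verify(pub, seen, a, now), Verify(pub, seen, a, now.Add(6*time.Second)))
}
```

Checking the signature before the timestamp means an unauthenticated sender cannot probe the receiver's clock through the error it gets back.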

Roadmap

Where we are.
Where we're going.

Shipped

Foundation

Signed actions, mTLS, audit chain, conformance harness.

In progress

Asset graph

Inventory, listening services, expanded GraphQL surface.

Next

Vendor integration

Per-tool scoped keys with a durable consent log.

Soon

Attack-path engine

End-to-end exposure mapping across the hybrid estate.

Horizon

Hardening

Production scale, structured ops, vendor conformance suite.

Ready to see it on your fleet?

The agent and control plane run side by side on a laptop. Read the docs, integrate against the GraphQL schema, or get in touch about an early-design partnership.