Overview
Together, Scout, Agent Controls, and Agent Policy help security teams move from discovering local AI coding tools, to observing agent activity, to enforcing organizational standards for secure AI-assisted development:
Scout is Cato AI Security’s endpoint discovery solution for local AI coding agents. It answers a key security question: What AI tools are developers using on their machines? Scout scans developer workstations to identify locally installed AI-powered development tools and give security teams visibility into AI tool adoption across the organization.
Agent Controls extend this visibility into agent interactions by providing event-triggered integration points for local AI coding agents. When supported agent activity occurs, such as a user message, tool call, tool response, or MCP-related interaction, Agent Controls surface the event to Cato AI Security so it can be evaluated using Agent Policy.
Agent Policy can govern what users are allowed to send to coding agents, which tools or MCPs agents are allowed to use, and what action to take when activity matches a rule.
Supported OS
macOS, Windows, and Linux
Deploying Agent Controls via Scout Settings
Configure Scout Settings before deploying Scout to endpoints. These settings determine whether Agent Controls are deployed with Scout and which users or groups receive their enforcement.
Agent Controls provide event-triggered integration points for local AI coding agents. They allow supported coding-agent activity to be surfaced to Cato AI Security for visibility and Agent Policy evaluation.
When Enforcement is enabled, Scout enforces Agent Controls on detected AI coding tools. This allows Cato AI Security to receive supported agent events, so those events can be evaluated using Agent Policy.
The Enforcement Policy controls which users or groups receive Hooks enforcement. Select specific users or groups to limit enforcement to those identities. If the enforcement policy is empty, Agnet Controls enforcement applies to everyone.
To deploy Agent Control and configure the enforcement policy:
From the CMA navigation menu, click AI Security > Integrations.
From the navigation menu, click AI Security > User Interaction Policy.
Navigate to the AI Security > Scout page and click Settings.
Click the Enforcement toggle to enable enforcement.
Optional: Define which users and groups the Agent Control enforcement applies to.
Deploying Scout
Deploying Scout does not require TLS inspection, a network proxy, or a browser extension. Scout operates at the endpoint level and can be deployed through an MDM or endpoint management solution.
Before deploying Scout, configure Scout Settings to determine whether Hooks are deployed and which users or groups receive Hooks enforcement.
To deploy Scout:
Navigate to AI Security > Scout.
Optional: Configure Scout Settings to determine whether Hooks are enforced as part of the Scout deployment.
Click Install.
Copy the installation script and deploy it to target endpoints using your MDM or endpoint management solution, such as Kandji, Intune, Jamf, or an equivalent tool.
In the third-party solution, schedule the script to run periodically. We recommend running it every 6 hours.
Every time the script runs it updates the Scout and pulls new AI usage data.
Working with Scout
The Scout page provides visibility into Scout deployments across developer endpoints. It helps security teams understand where Scout is installed, which endpoints are actively reporting, and whether those endpoints are configured with inline Hooks for local AI coding-agent interactions.
Scout Page Widgets
Widget | Description |
|---|---|
Scout Activity | Shows Scout activity over the last 30 days, including the number of active Scouts. |
Identified Users | Shows the number of users identified by Scout over the last 30 days. |
OS Distribution | Shows the distribution of Scout installations by operating system. |
Daily Scouts Installed | Shows the number of Scout installations detected per day over the last 30 days. |
Scout Installations Table
Field | Description |
|---|---|
Scout ID | Unique identifier for the Scout installation. |
User | User associated with the Scout installation, when available. |
Hostname | Hostname of the endpoint where Scout is installed. |
Inline Hooks | Indicates whether inline Hooks are detected or configured for the endpoint. |
OS | Operating system of the endpoint. |
First Seen | Date and time when the Scout installation was first detected. |
Last Seen | Date and time when the Scout installation last reported activity. |
Supported Coding Agents
The following sections list the coding agents and coding agent controls that can be detected by Cato AI Security.
Coding Agent Discovery
Claude Code
Cursor
Codex
OpenClaw
Claude Cowork
Google Antigravity
PyCharm
IntelliJ IDEA
Junie
JetBrains
Windsurf
Copilot
VS Code
Coding Agent Controls
Claude Code
Cursor
Codex
Many More to Come