Discovery is an Alpha Release — the same badge you’ll see on the Discover section in the dashboard. The sensor and findings model are evolving, and surfaces may change between releases.
What the sensor finds
Each scan runs six scanners and emits one structured report:
The framework taxonomy separates signal from noise: a bare LLM SDK or a local model runtime only counts as agentic when it’s linked to a genuine agent anchor on the same host, so a plain RAG dependency doesn’t light up your fleet as autonomous agents.
Read-only by design
The sensor observes; it never runs what it finds.- Discovered MCP servers are never executed. Their tool surface is read by static analysis of the on-disk package. When a server’s tools can’t be read statically (HTTP transport, dynamic registration, minified code), it’s reported as an unreadable tool surface — a visibility finding — rather than launched to find out.
- Package managers are never invoked. Framework detection is a static walk of
node_modulesand Pythonsite-packagesdirectories — nonpmorpipsubprocesses. - Secrets never leave the host. A detected API key is reported as a SHA-256 fingerprint of its value, never the key itself.
- Coverage is honest. The report records per-scanner coverage, so “zero findings” is distinguishable from “couldn’t look.” A degraded scan surfaces as Needs coverage — it never silently reads as safe.
Two ways to deploy
The sensor ships as a single self-contained binary per platform — Linux (x64, arm64), macOS (Intel, Apple silicon), and Windows (x64) — with zero runtime dependencies. No Node, Python, or agent framework is required on the endpoint.Deployed Sensor
Recommended. The sensor installed persistently as a managed app through your device-management platform. It scans on the schedule you set in Discovery settings and can update itself in place with
visiq-discovery update.On-Demand Scan
The same binary run once through your existing endpoint tooling. Nothing stays installed on the host, and the scan schedule is whatever your own tooling defines.
VISIQ_API_KEY and VISIQ_ENDPOINT set it reports each scan to your dashboard; without them (or with --no-report) it runs local-only and prints the JSON report.
Where results land
Scan results power the Discover section in the dashboard sidebar:- Reach Map — every agentic surface in your fleet, arranged by how far VisIQ governance can reach it today.
- Inventory — one row per scanned host, with the custom AI agents, MCP servers, AI frameworks, and tools found on each.
- Findings — one row per detected risk factor per host, with severity, evidence, and remediation status.
How risk is scored
Every host gets a 0–100 risk score from an additive point budget: each exposure signal the sensor looks for is a catalog factor with a fixed weight, the weights sum to exactly 100, and a host’s score is simply the sum of the factors detected on it. No opaque formula — the score always reconciles against the factor grid you see in the dashboard.
Scores band as Low (0–39), Medium (40–64), High (65–84), and Critical (85–100). A host the sensor couldn’t fully assess lands in a fifth lane, Needs coverage, which sorts above Low — degraded visibility is itself a finding, never a clean bill of health.
Findings map 1:1 to these factors, and remediation is derived automatically from scan history: when a factor stops appearing in a host’s latest scan, its finding flips to remediated on its own. Nobody has to close tickets by hand.
Settings
Discovery is configured per organization under Settings → Discovery:- Auto-install harness plugin — off by default. When enabled, deployed sensors may automatically install the VisIQ harness plugin into supported agent tools they detect (such as OpenClaw), wiring up runtime governance with no manual step. VisIQ never modifies your agents unless you opt in.
- Scan frequency — how often the Deployed Sensor scans each endpoint: hourly, every 6 hours, every 12 hours, daily (the default), or weekly. This governs only the Deployed Sensor; an On-Demand Scan runs on your own tooling’s schedule.
- Harness status — how many discovery-installed harnesses are registered for your tenant and when one last reported.
Next steps
Quickstart
Put the agents Discovery found under governance with one
visiq() call.Action Governance
How tool-call authorization works once an agent is harnessed.