The detection layer just got significantly stronger

Oktsec's security pipeline runs every agent message through Aguara, the open-source detection engine that performs content scanning across the MCP Gateway, proxy, audit, and MCP server operational modes. Today, Aguara v0.5.0 ships with the largest single-release expansion in the project's history: 20 new detection rules across 8 categories, pushing the total from 153 to 173 YAML-defined rules (177 including dynamic analyzer rules).

But the rule count is not the headline. Confidence scoring is. Every finding now carries a 0.0–1.0 confidence value that measures how certain the scanner is that a match is a true positive. For enterprise teams running Oktsec in production, this changes how you configure policies, set CI/CD gates, and manage alert fatigue.

177 total detection checks
20 new rules in v0.5.0
8 categories expanded
0.0–1.0 confidence scoring

What confidence scoring means for enterprise deployments

Before confidence scoring, every finding from the same rule had the same weight. A credential pattern in application code and a credential pattern in a markdown tutorial both triggered the same alert. Both matched the pattern. Only one was an actual risk. Without confidence, your SOC team had to investigate both with equal priority.

Confidence scoring solves this. Every finding now includes a confidence field (0.0–1.0) that is independent from severity. Severity measures impact if the finding is real. Confidence measures whether it is real. This distinction unlocks three capabilities for Oktsec deployments:

Threshold-based CI/CD gating
Block deployments only when findings exceed both severity AND confidence thresholds. A CRITICAL finding with 0.55 confidence generates a warning, not a pipeline failure. A HIGH finding with 0.95 confidence blocks immediately.
Alert fatigue reduction
Route low-confidence findings to a review queue instead of paging on-call. Aguara's code-block detection automatically drops confidence by 40% for findings inside documentation, tutorials, and test fixtures.
Correlation amplification
When multiple findings from different rules occur within 5 lines, all findings receive a 10% confidence boost (capped at 1.0). Clustered security indicators are a strong signal of intentional malicious behavior.
Per-analyzer calibration
NLP-based findings start at 0.70 confidence because natural language analysis inherently produces more false positives. Pattern matching with all-match rules starts at 0.95. The scoring reflects the actual reliability of each analyzer engine.
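The four mechanisms above, modelled end to end as an added example (illustrative code written for this post, not Aguara's or Oktsec's implementation): per-analyzer base confidence, the 40% documentation penalty, the 10% correlation boost within 5 lines capped at 1.0, and a gate that blocks only when severity and confidence both clear their thresholds. The analyzer keys, rule ids and sample findings are constructed.

```python
from dataclasses import dataclass
# Illustrative model, not Aguara's code; the constants are the values quoted in the post.
BASE_CONFIDENCE = {"pattern_all_match": 0.95, "nlp": 0.70}  # per-analyzer calibration
DOC_PENALTY = 0.40          # match inside docs/tutorials/test fixtures: -40%
CORRELATION_BOOST = 0.10    # different rules within 5 lines: +10%, capped at 1.0
CORRELATION_WINDOW = 5
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass
class Finding:
    rule_id: str
    severity: str                # impact if the finding is real
    analyzer: str                # key into BASE_CONFIDENCE
    line: int
    in_code_block: bool = False  # True when the match sits in documentation
    confidence: float = 0.0      # filled in by score(); independent from severity

def score(findings):
    """Base confidence per analyzer, then the doc penalty, then correlation."""
    for f in findings:
        f.confidence = BASE_CONFIDENCE[f.analyzer]
        if f.in_code_block:
            f.confidence *= 1 - DOC_PENALTY
    for f in findings:
        clustered = any(g.rule_id != f.rule_id and abs(g.line - f.line) <= CORRELATION_WINDOW for g in findings)
        if clustered:
            f.confidence = min(1.0, f.confidence + CORRELATION_BOOST)
        f.confidence = round(f.confidence, 2)
    return findings

def gate(f, min_severity="HIGH", min_confidence=0.9):
    """CI/CD decision: block only when severity AND confidence clear their
    thresholds; severe-but-uncertain findings warn; the rest go to a review queue."""
    severe = SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity]
    if severe and f.confidence >= min_confidence:
        return "block"
    return "warn" if severe else "review"

# Constructed findings with hypothetical rule ids, not real scan output.
SAMPLE = [
    Finding("DEMO_CRED_001", "CRITICAL", "pattern_all_match", line=12, in_code_block=True),
    Finding("DEMO_CRED_001", "HIGH", "pattern_all_match", line=80),
    Finding("DEMO_EXFIL_004", "HIGH", "nlp", line=83),
    Finding("DEMO_INJECT_002", "MEDIUM", "nlp", line=300),
]

def triage(findings=SAMPLE):
    # (rule_id, confidence, decision) for each finding after scoring
    return [(f.rule_id, f.confidence, gate(f)) for f in score(findings)]
```

The credential match inside documentation drops to 0.57 and only warns despite being CRITICAL, while the two findings three lines apart are boosted, the pattern match hitting the 1.0 cap.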

How confidence flows through the Oktsec pipeline

When Oktsec's content scanner processes an agent message, Aguara returns findings with confidence values. These values flow through the entire Oktsec security pipeline:

20 new rules closing real-world gaps

Every new rule came from one of two sources: attack patterns observed in Aguara Watch scans across 42,969 skills, or techniques documented in academic research. The expansion targets categories that were underrepresented relative to their risk in enterprise environments.

Third-Party Content (+5 rules)

The largest expansion. Third-party content execution is one of the most common attack vectors in MCP skill ecosystems. The new rules detect eval() and new Function() with external data, unsafe deserialization (pickle.loads, yaml.unsafe_load), script loading without SRI integrity checks, HTTP downgrades from HTTPS, and unsigned plugin/extension loading. THIRDPARTY_003 alone accounts for findings in 12 skills across Aguara Watch.

Indirect Injection (+4 rules)

Indirect injection is where an attacker places malicious instructions in a data source that an agent later reads and executes. The new rules detect database/cache queries driving agent behavior, webhook/callback registration with external services, git clone followed by code execution, and environment variable injection from network sources. The INDIRECT_013 pattern (git clone + execute) is particularly common in CI/CD integration skills.

Unicode Attack (+3 rules)

The new rules detect zero-width character sequences, Unicode normalization inconsistencies, and mixed-script confusable identifiers. These techniques bypass string-matching security controls by exploiting the gap between what humans see and what machines process. A function named with Cyrillic "a" looks identical to one with Latin "a", but they are different identifiers.
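A defensive check for the three tricks just described, as an added example written for this post (not an Aguara rule): it flags zero-width characters, identifiers that change under NFKC normalization, and identifiers mixing scripts such as Latin and Cyrillic. Script detection is a simplification that reads the script from the character's Unicode name, and the sample identifiers are constructed.

```python
import unicodedata

# Example written for this post, not an Aguara rule; script detection is a
# simplification that takes the first word of the character's Unicode name.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

def script_of(ch):
    """Rough script tag such as 'LATIN' or 'CYRILLIC' from the Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def check_identifier(ident):
    """Return the list of Unicode issues in one identifier; [] means clean."""
    issues = []
    if any(ch in ZERO_WIDTH for ch in ident):
        issues.append("zero-width")        # invisible to a reader, present to the machine
    if unicodedata.normalize("NFKC", ident) != ident:
        issues.append("normalization")     # a normalizing consumer resolves a different name
    scripts = {script_of(ch) for ch in ident if ch.isalpha()}
    if len(scripts) > 1:
        issues.append("mixed-script:" + "+".join(sorted(scripts)))
    return issues

def audit(identifiers):
    """Map each suspicious identifier to its issues; clean ones are omitted."""
    report = {}
    for ident in identifiers:
        issues = check_identifier(ident)
        if issues:
            report[ident] = issues
    return report

# Constructed identifiers: a clean name, Cyrillic 'a' (U+0430) in place of
# Latin 'a', a zero-width space (U+200B), and an 'fi' ligature (U+FB01).
SAMPLE = ["load_config", "lo\u0430d_config", "load\u200b_config", "\ufb01le_open"]
```

The mixed-script check only catches identifiers that mix scripts; a name written entirely in a confusable script passes it and needs a separate whole-identifier comparison.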

MCP Attack & Config (+4 rules)

The new rules cover auth-before-body parsing (slow-body DoS), canonicalization bypass via double-encoding, Docker --cap-add capability escalation, and --network host unrestricted container network access. The Docker rules came directly from Aguara Watch findings: 7 skills with --cap-add SYS_ADMIN and 23 skills with --network host in production registries.

Supply Chain, Prompt Injection & Credential Leak (+4 rules)

The new rules detect sandbox escape via process spawn (CRITICAL), runtime events injected as user-role prompts, and HMAC/signing secrets in source code. SUPPLY_018 (sandbox escape) is rated CRITICAL because successful exploitation gives full host access. PROMPT_INJECTION_018 targets the subtle but powerful vector where tool error messages containing instructions get injected as user-role messages that the LLM follows.

Full detection landscape: 177 checks across 12 categories

Category              Rules   Severity breakdown
credential-leak          20   7 CRITICAL, 8 HIGH, 4 MEDIUM, 1 LOW
prompt-injection         18   4 CRITICAL, 9 HIGH, 5 MEDIUM
supply-chain             18   2 CRITICAL, 10 HIGH, 6 MEDIUM
external-download        17   3 CRITICAL, 2 HIGH, 5 MEDIUM, 7 LOW
command-execution        16   6 HIGH, 7 MEDIUM, 3 LOW
exfiltration             16   10 HIGH, 6 MEDIUM
mcp-attack               16   3 CRITICAL, 10 HIGH, 3 MEDIUM
mcp-config               11   5 HIGH, 3 MEDIUM, 3 LOW
ssrf-cloud               11   3 CRITICAL, 7 HIGH, 1 MEDIUM
indirect-injection       10   7 HIGH, 2 MEDIUM, 1 LOW
third-party-content      10   5 HIGH, 2 MEDIUM, 3 LOW
unicode-attack           10   3 HIGH, 7 MEDIUM

Five analyzer engines process every scan target in sequence: Pattern Matcher, NLP Injection Detector, Toxic Flow Analyzer, Rug Pull Detector, and the post-processing pipeline (deduplication, scoring, correlation, confidence). All five engines now produce confidence-scored findings.

Configurable limits and operational hardening

Two additional changes in v0.5.0 affect operational deployments:

Stack alignment: from 153 to 173 rules across all modes

Aguara v0.5.0 is a drop-in upgrade. Because Aguara is embedded as the detection engine in Oktsec, upgrading Aguara immediately upgrades content scanning across all four Oktsec operational modes: proxy, audit, MCP server, and gateway. The 20 new rules apply to every message that passes through the pipeline.

Metric                      Before          After                  Delta
Detection rules (YAML)      153             173                    +20
Total detection checks      157             177                    +20
Categories with new rules                   8                      +8
Confidence scoring          No              Yes (0.0–1.0)          new
Configurable file limits    Fixed 50 MB     1–500 MB               configurable
State persistence           Direct write    Atomic (tmp+rename)    crash-safe

What's next

The detection engine is heading toward 200+ rules. The next batch will focus on agentic tool abuse patterns: multi-step attack chains where individual tool calls look benign but the sequence is malicious, implicit permission escalation through tool composition, and data exfiltration via tool output channels. These patterns require understanding tool call sequences and context flow — the natural extension of the confidence scoring architecture.

Confidence scoring opens the door to adaptive policy enforcement. Instead of static severity filters, Oktsec will support confidence-based policies at the gateway level: auto-block critical findings above 0.9 confidence, create tickets for high findings above 0.7, and suppress anything below a team-defined threshold. Smarter defaults, fewer false positives, more actionable security outputs.

Every component ships under the same coordinated release cadence. When Aguara gains new detection rules, Oktsec gains them immediately. The security pipeline is production-ready. If your AI agents are connecting to databases, APIs, payment systems, or file servers without a security layer in between, let's talk about your deployment.

Upgrade your detection layer

177 detection checks. Confidence scoring on every finding. The strongest detection engine we have shipped.
