puck-security

puck-security / puck-scout

Public

Autonomous, read-only endpoint investigation via MCP. Ask a question about your fleet, get a narrative answer with containment recommendations.

puck.security ai ai-security endpoint-security golang incident-response
10
1
85% credibility
Found May 30, 2026 at 10 stars -- GitGems finds repos before they trend. Get early access to the next one.
Sign Up Free
AI Analysis
Go
AI Summary

Puck is an autonomous, read-only endpoint investigation tool that uses the Model Context Protocol (MCP) to allow users to query their fleet of computers using natural language and receive narrative answers with containment recommendations through AI agents.

Star Growth

See how this repo grew from 10 to 10 stars Sign Up Free
Repurpose This Repo

Repurpose is a Pro feature

Generate ready-to-use prompts for X threads, LinkedIn posts, blog posts, YouTube scripts, and more -- with full repo context baked in.

Unlock Repurpose
AI-Generated Review

What is puck-scout?

Puck is an autonomous endpoint investigation tool that lets you ask security questions about your infrastructure in plain English and get narrative answers with containment recommendations. It works as an MCP server (Go) paired with lightweight endpoint agents (Rust) that run read-only commands across your fleet. You connect via Claude Code, Cursor, or any MCP client, ask something like "check for credential exposure on my fleet," and Puck fans out commands, collects results, and synthesizes findings. The policy engine validates every command against a typed allowlist before execution, and the agent binaries never write to disk.

Why is it gaining traction?

The read-only constraint is the selling point. Unlike traditional IR tools that drop scripts or modify state, Puck's endpoint agent is a compiled binary that only reads. The worst-case outcome of a compromise is unauthorized read access, not persistence or lateral movement. The typed policy grammar (embedded TOML) is enforced independently by both the server and agent, so a compromised server cannot instruct the agent to run anything outside the compiled-in grammar. Fleet-wide parallel investigation with skill-based playbooks means you write investigation logic in YAML without touching Rust or Go.

Who should use this?

Security teams running incident response who want to give AI agents safe, auditable read access to endpoints. SOC analysts investigating credential exposure, malware presence, or policy drift across dozens of hosts. DevOps teams that need to ask "what's running on my fleet right now" without deploying heavyweight agents or writing custom scripts. Not for teams wanting write access or real-time blocking.

Verdict

Puck solves a real problem with a thoughtful security model, but at 10 stars it's early and unproven at scale. The documentation is solid and the dual-enforcement policy engine shows serious security thinking. The 0.85 credibility score reflects a small but active project with good test coverage and clear architecture. Worth evaluating for homelab or small fleet IR, but wait for more community adoption before betting on it for production security operations.

Sign up to read the full AI review Sign Up Free

Similar repos coming soon.