Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.asymptotelabs.ai/llms.txt

Use this file to discover all available pages before exploring further.

For Security & IT Teams

Use this path when you are piloting Beacon for a security operations, IT, or endpoint-management rollout. Beacon runs locally on the endpoint, writes normalized AI agent activity to JSONL, and can forward events into Wazuh, Splunk HEC, or a customer-managed pipeline.

1. Choose a pilot scope

Start with a small macOS pilot group that uses supported AI agent runtimes such as Claude Code, Codex CLI, Factory Droid, Cursor, or Claude Cowork. Decide before rollout:
  • Which runtimes are in scope for collection.
  • Whether content retention should be full, redacted, or metadata.
  • Whether events will stay local first, flow into Wazuh localfile, forward to Splunk HEC, or ship through a customer-managed forwarder.
Review Supported surfaces for current runtime, deployment, forwarding, and boundary details.

2. Deploy the endpoint agent

For managed rollout, use the signed and notarized macOS package through Jamf Pro, Fleet, or another MDM. Package deployments use system mode and write endpoint events to /var/log/beacon-agent/runtime.jsonl. 
sudo beacon endpoint install --system --content-retention metadata
beacon endpoint status
Use metadata when you want endpoint events to exclude prompt text, raw attributes, command output, and raw diffs. Use redacted or full only when that matches your approved telemetry collection policy. For detailed package deployment instructions, see MDM Deployment, Jamf, and Fleet.

3. Validate health and collection

After deployment, confirm that the collector is running, the runtime log is writable, and configured harnesses match the intended scope. 
beacon endpoint status --json
beacon endpoint discover --json
beacon endpoint wazuh validate
Track these signals in your device-management platform:
AreaSignal
Install coverageBeacon package or binary version is present
Collector healthcom.beacon.endpoint.collector is running
Runtime log/var/log/beacon-agent/runtime.jsonl exists and is fresh
Harness scopeConfigured harnesses match the approved runtime list
RetentionContent retention matches policy
ForwardingWazuh localfile, Splunk HEC, or customer-managed forwarding is configured when required
See For Security & IT Teams for the broader operational workflow.

4. Connect security workflows

Beacon always preserves local JSONL. Add forwarding when your team is ready to centralize events.

5. Add runtime hooks where needed

The base endpoint agent configures local collector telemetry. Cursor and Factory hooks are installed separately because hook configuration is user or project scoped. 
beacon endpoint hooks install --harness cursor
beacon endpoint hooks status --harness cursor
See Runtime hooks for supported hook telemetry and operational guidance.

MDM Deployment

Plan managed macOS rollout with the packaged system agent.

SIEM Forwarding

Forward Beacon events into Wazuh, Splunk HEC, or customer-managed pipelines.

Endpoint status

Inspect collector, service, harness, diagnostic, and runtime log state.

Command reference

Jump to detailed guides for each Beacon command.