AgentMonitor by CogniGuard AI
See what your AI agent actually did.
AgentMonitor records every move your AI agent makes — the prompts,
the tools it called, the files it touched, the money it spent —
so when it does something weird, you can rewind and see exactly
what happened.
1. Record
Every agent run is captured automatically — the prompts, the
tool calls, the files touched, the tokens spent, the money
burned. Works with Cursor, Claude Code, OpenAI, Anthropic,
LangChain, AutoGen, Ollama. No code changes.
2. Replay
Open any past run and scroll through it like a video. See
exactly what the agent thought, what it tried, what worked,
what didn't — step by step.
3. Rewind
When something goes wrong, you have the receipts. The exact
prompt, the exact response, the exact file diff, the exact
cost — all in one place, in one click.
100% on your machine.
Your agents stay on your laptop. We never see your data.
Free, forever.
No signup, no cloud, no telemetry. Pro features are free during beta.
Works with what you already use.
7+ AI runtimes supported. No code changes needed.
Overview
Recent runs
Agents
Every agent class registered in this monitor.
A run is created in run the first time the agent emits work.
Runs
Cost (token economics)
Honest accounting: we compute cost from
your reported token counts × public list prices,
stored in agent_monitor/pricing.py. Unknown models
and runs that never reported tokens show —,
not zero. Local-runtime runs (Qwen / Llama-Guard / Ollama) are
modelled at $0.00 by accounting policy — you already paid
for the GPU. To override a price, drop a
pricing_overrides.json in the data directory.
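The accounting policy above, sketched as an added example (not AgentMonitor's own code). The price values, the per-million-token unit, the run record fields and the override schema are all assumptions made for illustration; only the runtime names and the policy itself come from the text.

```python
from typing import Optional

# Constructed placeholder prices in USD per 1M tokens (NOT real list prices).
LIST_PRICES = {
    "example-hosted-model": {"input": 2.00, "output": 8.00},
}
# Runtimes priced at $0.00 by policy (names taken from the page).
LOCAL_RUNTIMES = {"ollama", "qwen-vllm"}


def active_prices(overrides: Optional[dict] = None) -> dict:
    """List prices with user overrides layered on top (override wins).

    `overrides` stands in for the parsed pricing_overrides.json; its
    {model: {"input": x, "output": y}} shape is an assumption.
    """
    merged = {m: dict(p) for m, p in LIST_PRICES.items()}
    for model, price in (overrides or {}).items():
        merged.setdefault(model, {}).update(price)
    return merged


def run_cost(run: dict, prices: dict) -> Optional[float]:
    """Return USD cost, 0.0 for local runtimes, or None when unknowable."""
    if run.get("runtime") in LOCAL_RUNTIMES:
        return 0.0
    tin, tout = run.get("input_tokens"), run.get("output_tokens")
    price = prices.get(run.get("model"))
    if price is None or tin is None or tout is None:
        return None  # unknown model or unreported tokens: never report zero
    if "input" not in price or "output" not in price:
        return None  # partial override for a model with no list price
    return round((tin * price["input"] + tout * price["output"]) / 1_000_000, 6)


def display(cost: Optional[float]) -> str:
    """Render None as the dash placeholder so it cannot be read as free."""
    return "—" if cost is None else f"${cost:.2f}"
```

Keeping `None` distinct from `0.0` all the way to the display layer is what stops an unpriced run from being summed into a total as if it cost nothing.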
Breakdown
Pricing catalog
Show the model price table that's
currently active (list prices + your overrides).
Posture (offensive-pattern classifier)
What this is: a defender-side pattern matcher
that reads agent trace text and reports signals
associated with exploit-development workflows. It is
not a verdict. Every match comes from a public
source (MITRE ATT&CK, LOLDrivers, Microsoft WDK docs,
common defender literature) and is shown with its weight and
source URL. A high score means “this trace exhibits
patterns worth reviewing,” not “this agent is
malicious.”
What this is not: a vulnerability scanner,
a detection-rule generator, or anything that reads source
code or driver binaries. We look only at the text the agent
itself produced.
Flagged runs
Signature catalog
Show every active signature with its
weight and source URL.
Live trace
Memory
Interp (text-level + Qwen residual-stream)
Honest scope: the text-level harm classifier (Llama Guard 3)
and the toy embedding probes work on any trace text and apply to
all runtimes. Mechanistic residual-stream probes
(interp_real/) only run against
qwen-vllm runs — for OpenAI, Anthropic, Ollama, AutoGen,
smolagents, and LangChain the model weights and activations aren't ours,
so those panels stay empty by design.
Primary harm signal is
Llama Guard 3 (Meta's purpose-built safety classifier,
served locally via Ollama). The toy embedding probes
(harm_toy / refusal / hedging)
are kept as cheap drift detectors. If Llama Guard is unreachable, the
dashboard falls back to the toy harm probe and labels it as such.
See interp/PRODUCTION_PROBES_PLAN.md for the full design note.
Thoughts
Inspired by Anthropic's
Natural Language Autoencoders
(NLA): turn an agent's apparent reasoning into readable text and flag
things the model may be thinking but not saying — evaluation
awareness, hidden motivations, safety-relevant deliberation.
Browser
Headless Chromium controlled via Playwright.
Useful for read-only verification: open a URL, capture a screenshot,
extract text.
Code Scan (v1.5 — screening tool)
Drop a SARIF or sandbox-report JSON here
Or — we auto-detect SARIF v2.1 vs Cuckoo / generic sandbox envelope.
About this scan
Honest scope: this is a small-LLM screening tool, not a
replacement for static analyzers (CodeQL/Coverity/Semgrep), fuzzers
(syzkaller/AFL++), or formal verification. Expect false positives.
Every excerpt shown is verified to be a verbatim substring of the
source file — if you don't see code in the finding, no finding was kept.
…
scan only files changed since this ref + untracked
Scans
id | label | root | status | files | findings | started
Scanner Obs (the dashboard over your scanners)
The observability layer over Semgrep / CodeQL / Bandit /
your own scanner. Read the KPIs nobody else gives you:
$/finding,
false-positive rate after triage,
time-to-fix,
scanner-version drift,
finding density per kind.
AgentMonitor is not a scanner. We are the meta-tool.
Drop a SARIF or sandbox-report JSON here
Or — auto-detects format.
Fleet KPIs
Per-tool breakdown
Drift between scans
— compare the two most-recent scans of (tool, root)
Finding density by kind
Triage console
— mark recent findings as FP / confirmed / fixed
Detonations (v1.10 — sandbox traces)
One row per VM sandbox run ingested via
POST /api/scan/external/sandbox. Each detonation
carries the sample SHA-256, the tool that ran it (Cuckoo / Joe /
VMRay / ANY.RUN / your own), and the signatures it fired. We do
not run the sandbox or grade severity — we persist what the
report said.
Drop a sandbox report (Cuckoo JSON or generic envelope)
Or — auto-detects format.
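One way the SARIF-versus-sandbox auto-detection and the "persist what the report said" rule could look, as an added example that is not AgentMonitor's code. It relies on the public SARIF 2.1.0 and Cuckoo `report.json` layouts; the function names, the output row shape and both sample documents are constructed for illustration, and the generic envelope format is not covered.

```python
import re

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def detect_format(doc: dict) -> str:
    """Classify a parsed upload as 'sarif', 'cuckoo' or 'unknown'."""
    # SARIF: top-level "version" 2.1.x plus a "runs" array.
    if str(doc.get("version", "")).startswith("2.1") and isinstance(doc.get("runs"), list):
        return "sarif"
    # Cuckoo report.json: "target" object plus a "signatures" array.
    if isinstance(doc.get("signatures"), list) and isinstance(doc.get("target"), dict):
        return "cuckoo"
    return "unknown"


def detonation_row(doc: dict) -> dict:
    """Extract sample SHA-256, tool and fired signatures from a Cuckoo report.

    Severity is copied through exactly as reported, never re-graded.
    """
    if detect_format(doc) != "cuckoo":
        raise ValueError("not a Cuckoo-style sandbox report")
    sha = doc["target"].get("file", {}).get("sha256", "")
    if not SHA256_RE.match(sha):
        raise ValueError("missing or malformed sample SHA-256")
    return {
        "sha256": sha.lower(),
        "tool": "cuckoo",
        "signatures": [
            {"name": s.get("name"), "severity": s.get("severity")}
            for s in doc["signatures"] if isinstance(s, dict)
        ],
    }


# Constructed sample documents (not real scan or detonation output).
SARIF_SAMPLE = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "ExampleScanner"}}, "results": []}],
}
CUCKOO_SAMPLE = {
    "info": {"version": "2.0.7"},
    "target": {"category": "file",
               "file": {"name": "sample.bin", "sha256": "AB" * 32}},
    "signatures": [{"name": "constructed_signature", "severity": 2,
                    "description": "constructed entry"}],
}
```

Rejecting a report with no valid hash at ingestion keeps every stored detonation attributable to a specific sample.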
Detonation
About AgentMonitor
AgentMonitor is a free desktop app that records every move your
AI agent makes — so when it does something weird, you can rewind
and see exactly what happened.
Why this exists
Once at 3am, an AI agent had been running unattended for six hours.
When I came back there were 47 files changed, a $90 OpenAI bill,
three commits I didn't recognize, and a tweet drafted in my
scheduling queue. I had no idea what it had done.
I wanted a dashcam for my AI agents. So I built one.
What it does
Record. Every agent run is captured
automatically — prompts, tool calls, files touched, tokens
spent, money burned.
Replay. Open any past run and scroll through
it like a video.
Rewind. When something goes wrong, you have
the receipts.
What it works with
Cursor, Claude Code, OpenAI, Anthropic, LangChain, AutoGen,
Smolagents, Ollama, and any custom agent you've built. No code
changes needed.
Where your data lives
On your machine. Only on your machine.
AgentMonitor is a desktop app. It does not send your prompts,
your code, or your agent's data to any cloud. No signup. No
telemetry. No account.
What it costs
Free. Forever, for the core features in the
Recorder and Insights groups. The features
marked PRO in the sidebar will
become paid later for teams — but during beta everything is
free and unrestricted.
Honest notes for power users
These caveats matter if you're building on top of
AgentMonitor. Skip if you're just here to record agents.
Model-internals probes (the Interp panel) only work
on our bundled Qwen runtime. Other runtimes get text-level
safety probes only.
Behavior probes (harm / refusal / hedging) were trained on
small datasets (16–24 examples each). Useful drift signals,
not safety proofs.
AutoGen and Smolagents adapters work post-hoc — they ingest
the agent's own conversation memory after the run finishes,
not during.
Who made this
AgentMonitor is made by CogniGuard AI —
a small team building developer tools for the AI-agent era.
AgentMonitor is our flagship product.