Asymptote Labs launches Agent Beacon telemetry layer

Asymptote Labs launched Agent Beacon, an open-source endpoint telemetry layer that captures and normalizes activity from AI coding and knowledge-work agents. The tool supports 12+ agent harnesses including Claude Code and Cursor, and can forward events to SIEMs such as Elastic and Microsoft Sentinel. CEO Justin D'Souza framed the project as a foundational visibility layer for AI agent governance.

Asymptote Labs launches Agent Beacon telemetry layer Asymptote Labs published Agent Beacon , an open-source endpoint telemetry layer that captures and normalizes activity from AI coding and knowledge-work agents. The project's GitHub repository hosts the source code MIT licence, written in Go, Homebrew install on macOS , while documentation describes a local-first architecture that accepts OTLP gRPC/HTTP and native hook payloads, normalizes logs/traces/metrics into a shared event model, and writes a one-object-per-line JSONL record for local inspection and forwarding Help Net Security; Asymptote documentation . Beacon supports 12+ agent harnesses including Claude Code, Codex CLI, Cursor, and Claude Cowork, and can forward events to SIEMs and log destinations including Elastic, Microsoft Sentinel, AWS CloudWatch, Wazuh, and Rapid7 InsightIDR Help Net Security . CrowdStrike EDR and Falcon users are named as early design partners using Beacon as a complementary agent visibility layer alongside their existing stack, not as a connector target Help Net Security . CEO Justin D'Souza framed the project as building toward governance: 'The precondition for governance is a visibility layer built on a normalized schema of agent activity across local + CI + cloud agent harnesses' Help Net Security . What happened Asymptote Labs released Agent Beacon , an open-source telemetry layer for AI agents, with source code on GitHub MIT licence, written mostly in Go, macOS install via Homebrew tap . Help Net Security covered the launch on June 22, 2026, reporting that Beacon discovers supported local runtimes and configures data collection for them, while also supporting CI and cloud-agent telemetry paths. The Asymptote documentation describes Beacon as a local-first endpoint architecture that accepts OTLP gRPC/HTTP and native hook payloads, maps runtime-specific signals into a unified event model, and writes one JSON object per line to a local JSONL store for inspection and forwarding Asymptote documentation; Help Net Security . Technical details Per Help Net Security and project documentation, Beacon configures runtimes such as Claude Code and Codex CLI to export OpenTelemetry data to a collector on localhost. For Cursor, it installs hooks that emit local endpoint events covering sessions, prompt submission, tool use, command execution, approval decisions, and file edits. A bundled collector converts OpenTelemetry logs and hook events into a normalized JSON event log with a local dashboard for inspection. Claude Cowork support requires OpenTelemetry export configured by a Team or Enterprise admin in the Claude admin console with an OTLP endpoint reachable over the public internet Help Net Security . The tool writes to local JSONL by default and supports customer-controlled forwarding to SIEMs and log destinations including Elastic, Microsoft Sentinel, AWS CloudWatch, AWS S3, Google Cloud Storage, Wazuh, and Rapid7 InsightIDR. Configurable retention modes allow excluding prompt text, raw attributes, command output, and raw diffs; a redacted mode applies local redaction and size limits before logging Help Net Security . CEO context and roadmap CEO Justin D'Souza told Help Net Security: "The precondition for governance is a visibility layer built on a normalized schema of agent activity across local + CI + cloud agent harnesses. We believe we are the first to do this in a comprehensive way, significantly extending OpenTelemetry genAI standards." D'Souza described the path ahead as requiring three elements beyond the open-source foundation: a detection rule standard, a policy layer for real-time enforcement, and streaming-first infrastructure for near-real-time ingestion. He noted a detection rule standard 'remains an open problem' tied to the absence of a normalized agent activity schema across the industry Help Net Security . CrowdStrike -- design partner, not a connector target D'Souza named CrowdStrike EDR and AIDR as tools used by early design partners who are deploying Beacon as a complementary agent visibility layer alongside their existing security stack. CrowdStrike is not listed among Beacon's forwarding destinations; confirmed SIEM and log forwarding destinations are Elastic, Microsoft Sentinel, AWS CloudWatch, AWS S3, Google Cloud Storage, Wazuh, and Rapid7 InsightIDR Help Net Security . Editorial analysis -- technical context Agent runtimes produce a mix of telemetry types that do not fit traditional log schemas: prompt content, tool calls, shell commands, and file diffs. Normalizing these heterogeneous signals into a reusable event model is a practical prerequisite for SIEM detection, incident triage, and policy enforcement. For practitioners, the local-first JSONL export and consistent schema lower friction for ingesting agent activity into existing observability pipelines. Current limitations noted by Help Net Security: Beacon omits kernel and process monitoring, shell history collection, broad browser and SaaS telemetry, and general-purpose credential-use attribution. Bottom line Asymptote's open-source Agent Beacon provides a concrete starting point for endpoint telemetry aimed at agent-driven workflows, with independent coverage from Help Net Security and a stated roadmap toward detection rules, policy enforcement, and real-time streaming. Practitioners should evaluate schema compatibility, retention controls, and SIEM exporter maturity before adopting Beacon at scale Help Net Security; GitHub; Asymptote documentation . Scoring Rationale Agent Beacon is a well-covered open-source tool launch addressing a genuine enterprise security gap: normalized telemetry for AI agent runtimes. Help Net Security coverage and a roadmap toward detection rules and policy enforcement give it practical significance for security and ops practitioners. Adjusted down from 6.9 as it remains a small-startup OSS launch without broad adoption evidence; corrected SIEM list Elastic, Sentinel, Wazuh, Rapid7 InsightIDR replaces the originally stated but unconfirmed Datadog/Splunk/CrowdStrike Falcon targets. Practice interview problems based on real data 1,500+ SQL & Python problems across 15 industry datasets — the exact type of data you work with. Try 250 free problems /problems