Praxen: Open-source AI agent behavior verification

Praxen is an open-source tool with a simple job: it checks whether an AI agent does what it claims to do. The tool takes an agent’s declared policy, looks at how the agent operates, and points out every spot where the two drift apart.

It is the reference implementation of Agent Behavior Verification, a control model that hands each agent an authorized role and then confirms the controls hold that agent to it. The idea borrows from how companies manage their own employees. Every person gets a defined set of permissions, and the same logic now applies to software agents, where each one carries a scope of activity it is allowed to perform.

How the verification works

A team writes a Worker Remit, a markdown policy document that declares what the agent may do, including its mission, authorized tools, approved channels, counterparties, and forbidden actions. Praxen then reads evidence such as source code, deployment state, behavioral logs, and governance documents, and reports the gap between declared intent and observed behavior. Findings arrive as a self-contained HTML report, a machine-readable JSON file, and a plain-text summary written to a local reports folder. The tool keeps all data local. Teams install it as a Claude Code plugin.

Each analysis runs a set of named checks. These cover policy-implementation divergence, credential exposure, configuration gaps, capability drift, supply-chain risk, half-wired controls, empty stub files in security-relevant paths, secondary prompt discovery, and compound signal reasoning that chains individual findings into a higher-severity attack path.

Every finding carries tags from the OWASP Top 10 for LLM Applications 2025, the OWASP Top 10 for Agentic AI Applications 2026, the OWASP Secure MCP Server Development Guide 2026, and the RAISE Framework, which assigns a maturity score across six categories. Praxen runs before deployment and on each release. It requires a coding agent, tested against Claude Code, and Python 3.9 or later.

One policy across the agent lifecycle

Runtime monitoring sits in a separate layer called Agent Behavior Analytics. Steve Wilson, Chief AI Officer at Exabeam, told Help Net Security that the company wants the Worker Remit to serve both stages. “Our aim is a single policy,” he said. The remit gives “a structured, human-readable definition of an agent’s intended role, permissions, responsibilities, constraints, and approval requirements.”

Wilson connected the runtime layer to the same definition. “Exabeam ABA is designed to analyze the behavior of deployed agents over time and identify activity that deviates from expectations, policy, or established baselines,” he said, adding that the remit “provides a natural foundation for that analysis because it captures the organization’s explicit expectations for the agent.” Verification answers whether a team built the agent it intended, and analytics answers whether the agent behaves as intended in production. The two capabilities stand separate at present. “Over time, we expect them to become increasingly connected as part of a broader Behavior Intelligence strategy for AI agents,” Wilson said.

Consistency across repeated runs

A coding agent performs the analysis, so two runs against the same evidence can produce a different set of findings. Wilson said the major results hold steady. “The major findings and overall security themes are highly stable,” he said, with smaller movements in severity counts or maturity scoring at the margins. Every finding traces back to source material. Praxen “cites the files, configurations, and artifacts that support its conclusions, allowing a reviewer or auditor to independently verify the claim.”

Exabeam measures consistency with a frozen regression suite of representative agent implementations that validates major findings, themes, and maturity assessments across releases. For governance, compliance, or benchmarking, Wilson recommended that teams “run the analysis multiple times, report the median result and range, and union the material findings across runs.” A single run gives a useful read on an agent’s security posture, and repeated runs add statistical confidence.

Handling evidence that exceeds the context window

Large evidence sets can exceed a model’s context window. Praxen begins with a discovery pass across source code, configuration files, dependency manifests, tool and MCP definitions, memory artifacts, and logs, and prioritizes the material most relevant to agent behavior and security controls. Large logs are sampled to widen coverage.

Wilson pointed to a risk in long-running analysis, where earlier observations can be summarized away as a session grows. Praxen writes findings incrementally and checkpoints the analysis state into a structured manifest before the report is generated. “If the underlying AI session exceeds its context window, the report can be reconstructed from that checkpoint,” he said. Coverage is recorded directly, so findings drawn from sampled evidence carry a marker and missing evidence registers as a signal of its own. “Context-window limits are a real constraint for every AI-powered analysis platform,” Wilson said. “The goal is to make them visible, measurable, and recoverable so users can trust the results they receive.”

Praxen is available for free on GitHub.

Must read:

• 25 open-source cybersecurity tools that don’t care about your budget
• GitHub CISO on security strategy and collaborating with the open-source community

Subscribe to the Help Net Security ad-free monthly newsletter to stay informed on the essential open-source cybersecurity tools. Subscribe here!