Frequently asked questions

Ten direct answers. If you need something else, write to freddavidblum@catalystais.com.

1. What data does the agent collect?

Every 60 seconds, each agent sends a snapshot containing:

We do not collect file contents, environment variables (except what's leaked into process names), keystrokes, network payloads, disk contents, or anything about users outside your machines. The full schema is visible in the API reference.

2. Is my data shared with other Kefal customers?

No. Your snapshots, graph, and incidents are tenant-isolated by user_id at every DB query. No other customer can see your infrastructure.

What is shared across tenants: the detection rules themselves. When a customer contributes a new invariant and it survives adversarial verification, that rule becomes available to everyone. This is our "collective defensive intelligence" model — the threats we detect get better over time because everyone benefits, but nobody's data crosses the boundary.

3. How do I uninstall the agent?

On Linux with the systemd unit:

sudo systemctl stop kefal-agent
sudo systemctl disable kefal-agent
sudo rm -f /etc/systemd/system/kefal-agent.service /usr/local/bin/kefal-agent
sudo rm -rf /etc/kefal/

On Windows:

schtasks /delete /tn "Kefal Agent" /f
Remove-Item -Recurse -Force "C:\Program Files\Kefal"
Remove-Item -Recurse -Force "C:\ProgramData\Kefal"

Then go to kefal.dev/app/ → Settings → Agents and delete the agent record. This removes its historical snapshots and incidents from the DB.

4. What do the severity levels mean?

Severity is assigned by the invariant that fires — see the invariants page for each rule's baseline severity. It doesn't escalate automatically based on context yet (that's on the roadmap).

5. How does the trial work?

Every new account gets 7 days of full functionality, including unlimited agents. After day 7, the /api/v1/ingest endpoint returns 402 Payment Required and your agents stop sending snapshots until you subscribe. Your dashboard stays readable — existing data isn't deleted, it just stops being updated.

6. Can I monitor multiple servers?

Yes. Install the agent on each server with the same credentials. Each becomes a distinct host in your graph. Plan limits:

7. What happens when my trial expires?

Ingest returns 402. Your agents keep trying and retry with backoff — they don't need to be reinstalled when you subscribe. Your dashboard, graph, and incident history remain visible but stop updating. Subscribe via PayPal from the dashboard billing page and ingest resumes within the next 60-second cycle.

8. Is the agent open source?

Not today. The agent is a Go binary, statically linked, distributed from kefal.dev/download/. The protocol between agent and backend is documented in our API reference — you can reproduce what the agent sends if you need to audit, but the source is proprietary for now.

We're considering open-sourcing the agent once the product stabilizes. If that matters to you, tell us so.

9. How do I report a bug?

Email freddavidblum@catalystais.com with:

Security vulnerabilities: same email, subject prefixed with [SECURITY]. Please don't disclose publicly until we've had a chance to patch.

10. What is "collective defensive intelligence"?

Kefal's detection layer is built on shared invariants — rules that describe patterns worth flagging. We ship 32 built-in invariants. Customers can contribute new ones through the POST /api/v1/invariants/contribute endpoint. Contributions go through adversarial verification (we use two LLM prompts, one constructive and one red-team, to test whether the rule is precise and useful) before being activated for everyone.

The result: your defenses improve when someone else's agent detects a novel attack. No data crosses tenant boundaries — only the rule definitions do. This is how SMBs can collectively reach defense quality previously reserved for Fortune 500 SOCs.