Capabilities
Nine sub-capabilities — the deepest surface.
Chokepoint Discovery
Continuous, real-time visibility — at the chokepoint, not an estate-wide scan.
- Route — Every agent or MCP call passing through the gateway is observed in real time.
- Identify — Discovery is scoped to traffic that reaches the chokepoint — Whiteswan is the gate nothing executes without passing through, not a scanner reaching independently into every corner of the network.
- Update — Visibility is continuous, not a periodic scan.
Verified — boundary statedDiscovery in un-instrumented or cloud-native environments where traffic never reaches the gateway requires a network-sensor or CNAPP layer — there is no out-of-band sensor built into Whiteswan today.
Capability Registry
Know every tool, prompt, and resource an MCP server exposes — automatically.
- Connect — When a server connects, its full capability set is captured.
- Populate — The registry auto-populates with every tool, prompt, and resource the server offers.
- Maintain — The registry stays current as servers connect and disconnect.
Verified
Agent & Server Approval
Nothing acts without explicit approval — passive discovery, active gating.
- Discover — New agents are passively identified and placed into a PENDING state.
- Decide — An admin explicitly approves or blocks each agent or server.
- Enforce — Unregistered servers cannot connect; unapproved agents cannot pass.
Verified
JIT Authorization & Per-Call Inspection
Every call inspected before it executes — not sampled, not after the fact.
- Inspect — Each agent call passes through a multi-step inspection sequence before execution.
- Validate — Identity, capability, and scope are checked against policy at every single call.
- Decide — The call is permitted or refused based on that inspection — in-line, not retrospectively.
Verified
Cryptographic Identity at Spawn
Every agent gets its own verifiable identity the moment it exists.
- Issue — Each agent receives its own per-session cryptographic key pair via SPIFFE/SPIRE at the moment it spawns.
- Scope — The identity is scoped to that specific session — not reused, not shared.
- Retire — The cryptographic identity is retired automatically when the session ends.
Verified
Token Validation & Delegation Lineage
Know whether a human or an automated process is really behind every call.
- Validate — Every agent token is checked against your identity provider on every single call.
- Classify — Tokens are distinguished as delegated (human-on-behalf-of) or fully automated (agent-credential).
- Trace — The original human initiator is identifiable for delegated actions.
Verified — boundary statedSingle-hop delegation lineage is live today; multi-hop lineage across chained agents (user → agent → agent → tool) is in design, not yet claimable.
Real-Time Interception
Stop unauthorized activity at the next hop — fast, even if not literally mid-operation.
- Detect — Unauthorized or anomalous agent activity is identified.
- Disconnect — A compromised or misbehaving server is disconnected immediately, draining its in-flight work.
- Block — A specific agent is blocked, taking effect on its very next call.
Verified — boundary statedThis is next-hop and in-flight-drain control, not literal mid-operation/in-flight blocking of a single call already underway — a distinction worth being precise about rather than implying more than is true.
Audit & Forensics
Every decision, attributable and exportable.
- Log — Every decision and action is written to a tamper-evident trail spanning 48 event types across 7 areas.
- Inventory — Complete agent, capability, and server inventories are maintained alongside the trail.
- Export — The full trail is exportable via REST API for audit and forensic review.
Verified — boundary statedArtifacts are fully exportable, but pre-built, regulator-shaped report templates are not yet built — the underlying data is complete; the curated template layer is a future build.
Approval Workflow Governance
Onboarding an agent is a recorded, audited decision — not a default-allow.
- Request — A new agent or server enters the governed pipeline.
- Approve — A human reviews and explicitly approves or blocks it.
- Record — The decision, and who made it, is logged.
Verified at scope confirmedAdmin approve/block, recorded and audited. A richer manifest-to-SecOps-to-CISO sign-off ceremony is not corroborated and is not claimed here.