Skip to main content
Oso integrates with your EDR (Endpoint Detection and Response) platform to discover what AI agent software is installed across your fleet. This lets you find unsanctioned agents before they’re used, without waiting for network traffic to appear.

How it works

  1. Connect your EDR: provide a read-only API key to your EDR platform. Oso uses this to pull data from your endpoints.
  2. Automatic scanning: Oso scans managed devices for known agent software from the agent catalog, including desktop apps, CLI tools, and background processes.
  3. Continuous discovery: scanning runs continuously, so new installations are detected as they appear.

What it detects

Oso scans for agent binaries, NPM packages, and OS-packaged software across known installation paths:

Desktop apps

Claude Desktop, Cursor, Antigravity, OpenClaw, Microsoft Copilot, GitHub Copilot, Kiro, Windsurf

CLI tools

Claude Code, Codex, Gemini CLI

Supported platforms

EDR

  • CrowdStrike

MDM

  • JAMF
Support for additional EDR and MDM platforms is planned. If you use a platform not listed here, reach out to us to discuss your needs.

What appears in the inventory

Agents discovered via EDR appear in the same agent inventory as browser and proxy-discovered agents:
ColumnDescription
AgentThe agent name and environment type (Terminal, Desktop)
DevicesWhich devices the agent was found on
UsersUsers associated with those devices
Last SeenWhen the agent was last detected on the endpoint
The detection source shows “CrowdStrike” so you can distinguish it from browser extension or proxy discoveries.

EDR vs. other discovery methods

Other discovery methods (edge proxy, browser extension) detect agents when they generate network traffic. EDR detects agents when they are installed, even if they have never been launched. EDR discovery does not include session content. To monitor what agents are doing inside their sessions, route their traffic through the edge proxy or use the browser extension.