Glossary

Definitions for terms used throughout the Puck documentation. Terms link to the page where the concept is covered in depth.


Agent A single instance of the puck binary running on a host (endpoint, cloud account, or container). The agent is read-only: it executes whitelisted system commands, reports results to the brain, and receives investigation plans. See Endpoint agent install and Cloud agent.

Anomaly score A numeric heuristic the agent computes locally on collected results before shipping them to the brain. Higher scores indicate results that diverge significantly from the behavioral baseline — unusual process trees, unexpected network connections, or scheduled jobs that match no known-good pattern. The brain uses the anomaly score to route results to the appropriate LLM tier.

Blast radius The set of resources, accounts, or systems that a compromised identity or misconfigured permission can reach. Puck’s investigations map blast radius by following trust chains and permission grants across the fleet. The console’s findings feed surfaces blast-radius estimates as part of each finding’s narrative.

Brain The central coordination process that manages the fleet. The brain: receives agent heartbeats, runs pathfinder explorations, compiles investigation plans, reasons over agent results with an LLM, correlates findings across the fleet via the hive mind, and emits webhook events. Deployed as a dedicated single-tenant service in your AWS account or on-prem. See the architecture documentation for the brain’s internal structure.

Catalog extension A tag-policy field that extends or overrides the set of commands available to agents carrying that tag. extra_allowed adds commands beyond the base whitelist; extra_denied removes commands that would otherwise be allowed. Cloud agents use catalog extensions to enable aws, gcloud, and kubectl calls. See Tag policy for field reference.

Curiosity item A low-priority investigation lead the brain queues when it has spare capacity. Curiosity items are generated from hive-mind correlation signals that are interesting but not urgent enough to warrant an immediate investigation. The curiosity queue is configurable per account.

Deviation trigger A condition defined in an investigation plan that causes an agent to call home to the brain rather than continuing autonomously. When a deviation trigger fires, the agent packages its current context and sends it to the brain’s escalation endpoint; the brain engages in a multi-turn LLM conversation with that specific agent to determine next steps. See Plan format.

Effective policy The merged tag policy that applies to a specific agent, computed by combining all tag policies whose tags the agent carries. When multiple policies set the same field, the most restrictive value wins (for deny lists) or all values are unioned (for allow lists). The brain computes the effective policy on each heartbeat. See Tag policies.

Finding A classified, human-readable observation produced by the result analyst after reasoning over an agent’s results. Each finding has a severity (low, medium, high, critical), a confidence score, a reasoning chain an analyst can follow, and a link to the investigation that produced it. Findings are the primary output of Puck investigations. See the Findings console page.

Hive mind The cross-fleet correlation layer in the brain. When one agent discovers an indicator — a suspicious file hash, a known-malicious process name, an unusual network connection — the hive mind propagates that indicator as a lead to every other connected agent. What one Puck finds, every Puck knows. See Hive Mind.

Investigation The full lifecycle from a natural-language (NL) query to a narrative report. An investigation begins when an analyst submits a query (via the console or the API), proceeds through pathfinder exploration, plan compilation, fleet-wide execution, result analysis, and hive-mind correlation, and ends when the brain writes a narrative report. Investigations are the primary unit of work in Puck. See Investigations.

Lead A hive-mind signal pushed from the brain to one or more agents after cross-fleet correlation. A lead includes a short micro-plan for the agent to execute immediately — for example, “check whether this file hash appears on your host” — and a time-to-live after which the lead is discarded. Leads enable the fleet to respond to discoveries in near-real-time without waiting for a full investigation cycle.

Pathfinder The brain-side agent that explores an investigation space by running a multi-turn LLM conversation. The pathfinder is not a separate process — the brain selects one connected agent per target OS and uses the agent’s command execution capability as a tool. The pathfinder conversation transcript is used to compile the investigation plan that is then distributed to the fleet. See How Puck investigates.

Plan A signed JSON document that encodes the steps an agent should execute for a given investigation. Plans include scripted steps (Tier 1), conditional branches and template-variable chains (Tier 2), and deviation triggers (Tier 3). Plans are signed with Ed25519 by the brain; the agent verifies the signature before executing any step. See Plan format.
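The signature gate described above, shown as an added example that is not Puck's own code: the brain signs the serialized plan bytes with Ed25519, and the agent refuses to parse or execute a plan whose signature does not verify against the brain's public key. The Plan and SignedPlan field names, the NewBrainKeypair/SignPlan/VerifyPlan/ExecutePlan functions and the sample steps are assumptions made for this illustration; Puck's real plan schema (tiers, deviation triggers) is not modelled here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Plan is a stand-in for the signed JSON plan document described in the glossary.
// The field names are assumptions for this example, not Puck's real plan schema.
type Plan struct {
	InvestigationID string   `json:"investigation_id"`
	Steps           []string `json:"steps"`
}

// SignedPlan bundles the exact bytes that were signed with the brain's signature.
// Signing the serialized bytes (not the struct) avoids canonicalization
// mismatches between signer and verifier.
type SignedPlan struct {
	PlanJSON  []byte `json:"plan"`
	Signature []byte `json:"signature"`
}

// NewBrainKeypair generates the Ed25519 key the brain signs with; the agent
// ships with only the public half.
func NewBrainKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignPlan is the brain-side step: serialize the plan and sign the bytes.
func SignPlan(priv ed25519.PrivateKey, p Plan) (SignedPlan, error) {
	body, err := json.Marshal(p)
	if err != nil {
		return SignedPlan{}, err
	}
	return SignedPlan{PlanJSON: body, Signature: ed25519.Sign(priv, body)}, nil
}

// VerifyPlan is the agent-side gate: the plan is only parsed, let alone
// executed, after the signature checks out against the brain's public key.
func VerifyPlan(pub ed25519.PublicKey, sp SignedPlan) (Plan, error) {
	if len(pub) != ed25519.PublicKeySize || len(sp.Signature) != ed25519.SignatureSize {
		return Plan{}, errors.New("malformed key or signature")
	}
	if !ed25519.Verify(pub, sp.PlanJSON, sp.Signature) {
		return Plan{}, errors.New("plan signature invalid: refusing to execute")
	}
	var p Plan
	if err := json.Unmarshal(sp.PlanJSON, &p); err != nil {
		return Plan{}, err
	}
	return p, nil
}

// ExecutePlan runs the steps of a verified plan. A real agent would dispatch
// each step through its command whitelist; here a step is only recorded.
func ExecutePlan(pub ed25519.PublicKey, sp SignedPlan) ([]string, error) {
	p, err := VerifyPlan(pub, sp)
	if err != nil {
		return nil, err
	}
	ran := make([]string, 0, len(p.Steps))
	for _, step := range p.Steps {
		ran = append(ran, "ran: "+step)
	}
	return ran, nil
}

func main() {
	pub, priv, err := NewBrainKeypair()
	if err != nil {
		panic(err)
	}
	// Constructed sample plan: two read-only steps an agent might be handed.
	plan := Plan{InvestigationID: "inv-demo-001", Steps: []string{"ps -eo pid,ppid,cmd", "ss -tunap"}}
	sp, err := SignPlan(priv, plan)
	if err != nil {
		panic(err)
	}
	fmt.Println(ExecutePlan(pub, sp))

	// The same plan with its body changed after signing fails verification,
	// so the agent never reaches the execution loop.
	altered := sp
	altered.PlanJSON = bytes.Replace(sp.PlanJSON, []byte("inv-demo-001"), []byte("inv-demo-002"), 1)
	fmt.Println(ExecutePlan(pub, altered))
}
```

The point of the design is that verification happens on the raw bytes before any JSON parsing, so a plan that is altered in transit, signed by a key other than the brain's, or carrying a truncated signature is rejected at the same gate, and nothing downstream of it ever sees an unverified step.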

Pre-sort bucket A classification bucket the brain assigns to incoming agent results before routing them to the tiered model router. Results are bucketed as clean, expected, unusual, suspicious, or critical based on anomaly score and pattern matching. Higher buckets are routed to more capable (and more expensive) LLM tiers.

Subscription A persistent binding between a target URL, a set of event types, and an optional filter, used for webhook delivery. When a matching event fires, Puck creates a delivery for every active, matching subscription. See Subscription management.

Tag A free-form label attached to an agent at startup (e.g. cloud-aws, team-engineering, account-prod-payments). Tags are shipped to the brain on every heartbeat and matched against tag policies to compute the agent’s effective policy. Tags are also propagated to findings and events, enabling per-tag filtering in subscriptions and investigations.

Tag policy A named, version-controlled rule set attached to a tag. A tag policy can override the system prompt the pathfinder uses, extend or restrict the command catalog, set a severity floor, route findings to a specific webhook, and cap investigation depth. Multiple policies compose additively on an agent that carries multiple tags. See Tag policies.
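The merge that the Catalog extension, Effective policy and Tag policy entries describe, as an added example that is not Puck's own code. It computes one agent's effective policy from the base whitelist plus every tag policy whose tag the agent carries: allow lists are unioned, any extra_denied entry removes the command (the most restrictive deny wins), and, going beyond the glossary text, the highest severity floor and the lowest depth cap are taken as the most restrictive values. The TagPolicy and EffectivePolicy structs, the ComputeEffectivePolicy function and the sample whitelist and policies are assumptions constructed for this illustration, not Puck's tag-policy schema.

```go
package main

import (
	"fmt"
	"sort"
)

// severityRank orders the glossary's severities so the highest floor can be chosen.
var severityRank = map[string]int{"low": 0, "medium": 1, "high": 2, "critical": 3}

// TagPolicy carries only the fields this example merges. The struct and its
// field names are assumptions for illustration, not Puck's tag-policy schema.
type TagPolicy struct {
	Tag           string
	ExtraAllowed  []string // commands added on top of the base whitelist
	ExtraDenied   []string // commands removed even if otherwise allowed
	SeverityFloor string   // "" when the policy sets no floor
	MaxDepth      int      // 0 when the policy sets no depth cap
}

// EffectivePolicy is the merged result for one agent.
type EffectivePolicy struct {
	AllowedCommands []string
	SeverityFloor   string
	MaxDepth        int
}

// ComputeEffectivePolicy merges every policy whose tag the agent carries.
// Allow lists are unioned; any deny removes the command. Highest severity
// floor and lowest depth cap winning is an assumption beyond the glossary.
func ComputeEffectivePolicy(baseWhitelist, agentTags []string, policies []TagPolicy) EffectivePolicy {
	carried := make(map[string]bool, len(agentTags))
	for _, t := range agentTags {
		carried[t] = true
	}
	allowed := make(map[string]bool)
	for _, c := range baseWhitelist {
		allowed[c] = true
	}
	denied := make(map[string]bool)
	eff := EffectivePolicy{}
	for _, p := range policies {
		if !carried[p.Tag] {
			continue // policies for tags the agent does not carry are ignored
		}
		for _, c := range p.ExtraAllowed {
			allowed[c] = true
		}
		for _, c := range p.ExtraDenied {
			denied[c] = true
		}
		if p.SeverityFloor != "" && (eff.SeverityFloor == "" || severityRank[p.SeverityFloor] > severityRank[eff.SeverityFloor]) {
			eff.SeverityFloor = p.SeverityFloor
		}
		if p.MaxDepth > 0 && (eff.MaxDepth == 0 || p.MaxDepth < eff.MaxDepth) {
			eff.MaxDepth = p.MaxDepth
		}
	}
	for c := range allowed {
		if !denied[c] {
			eff.AllowedCommands = append(eff.AllowedCommands, c)
		}
	}
	sort.Strings(eff.AllowedCommands) // deterministic output for comparison and logging
	return eff
}

// Constructed sample fleet configuration (not taken from any real deployment).
var (
	BaseWhitelist  = []string{"ps", "ss", "ls", "cat"}
	SamplePolicies = []TagPolicy{
		{Tag: "cloud-aws", ExtraAllowed: []string{"aws", "kubectl"}, MaxDepth: 5},
		{Tag: "team-engineering", ExtraDenied: []string{"cat"}},
		{Tag: "account-prod-payments", ExtraDenied: []string{"kubectl"}, SeverityFloor: "medium", MaxDepth: 3},
	}
)

func main() {
	// An agent tagged cloud-aws and account-prod-payments gains aws but not
	// kubectl (denied by the prod policy), keeps cat (team-engineering is not
	// carried), and inherits the stricter floor and depth cap.
	eff := ComputeEffectivePolicy(BaseWhitelist, []string{"cloud-aws", "account-prod-payments"}, SamplePolicies)
	fmt.Printf("%+v\n", eff)
}
```

Because the deny sets are unioned before the allow set is filtered, a command that one policy adds via extra_allowed and another removes via extra_denied ends up denied regardless of the order in which the policies are listed.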