Agent #9 · Live

Supply Chain Continuous Monitoring

Knox anchors events as they happen. Agent #9 anchors the second half of the story — how the truth changed after the first anchor. Register an SBOM, a multi-tier supply chain, or an exclusion-screen query set. The agent re-verifies on a schedule and writes a Bitcoin-anchored delta for every state change. Vendors appear on sanctions lists overnight. Transitive suppliers turn out to be foreign-jurisdiction entities. Software components pick up critical CVEs. If these changes aren't captured at the moment they happen, they're impossible to reconstruct later.

What the agent reads

Your registered baselines

Agent #9 operates on three kinds of baseline that you register under your Knox API key. At registration the agent captures a full state snapshot, anchors it, and persists. On every check tick it re-runs the check against the authoritative public feeds and diffs against the most recent known-good state.

Per-API-key scopedThree baseline typesOFAC / SAM / FAR / OSV

What the agent writes back

A self-anchored delta per change

Every detected change becomes a KnoxMonitoringDelta row with a dedicated Bitcoin- anchored record of exactly when the state change was first observed. The analyze endpoint returns a drift index (0–100), a drift band (quiet / routine / active / critical), the triggered signal set, and a SHA-256 report hash — itself committed to the Knox chain so you cannot edit history of what the agent observed at a prior run.

Index 0–1004 bandsReport hash anchored

Three baseline types

What you can register

sbom

A software bill of materials you previously illuminated through Agent #1 / Phase 1.

targetId = KnoxSbomSnapshot.id

Drift surfaces: New critical CVEs, high-severity CVE surges.

supply_chain_root

A multi-tier supply-chain graph rooted at a Knox vendor entity (Phase 2).

targetId = KnoxVendorEntity.id (your root)

Drift surfaces: New supplier nodes, new edges, adversarial-jurisdiction additions.

exclusion_queries

A roster of vendor names you screened through Phase 6 OFAC/SAM/FAR.

queries = [name, name, ...]

Drift surfaces: New hits on any query, previously-hit entries clearing.

Eight signals analyzed

What drift strength looks like

new_exclusion_hitweight 30

A tracked name matched an OFAC SDN / SAM Exclusions / FAR 52.204-25 entry that did not previously match.

critical_cve_arrivalweight 25

A new critical-severity CVE appeared against a tracked SBOM component between check ticks.

high_cve_surgeweight 15

High-severity CVE count increased by 5+ absolute or 20%+ against a tracked SBOM.

supply_chain_topology_shiftweight 15

A new supplier node or edge appeared in a tracked multi-tier supply-chain graph.

foreign_jurisdiction_driftweight 15

A tracked supply chain added nodes in an adversarial jurisdiction (CN, RU, IR, KP, BY, SY, VE, CU).

feed_unavailable_streakweight 10

3+ upstream feed fetch failures in window. Monitor coverage is degraded for at least one baseline.

drift_velocity_spikeweight 10

Last hour's delta rate is 5× or more above the rolling mean. Drift burst.

stale_baselineweight 5

A baseline active for 30+ days has logged no deltas. Verify the check is still running or dismiss as genuinely stable.

Call it with your key

Register a baseline

The agent is authenticated. Provision a Knox API key at bonissystems.com/bonis — free tier covers 10,000 events / month and includes the agent API. Then:

# Register an exclusion-screen baseline
curl -s https://bonissystems.com/api/knox/agents/continuous-monitoring \
  -H "Authorization: Bearer knox_YOUR_KEY_HERE" \
  -H "Content-Type: application/json" \
  -d '{
    "baselineType": "exclusion_queries",
    "label": "Top 25 suppliers — Q2 2026",
    "queries": ["Vendor Name A", "Vendor Name B", "Vendor Name C"]
  }'

# Pull the drift report (default window = 7 days)
curl -s "https://bonissystems.com/api/knox/agents/continuous-monitoring?hours=168" \
  -H "Authorization: Bearer knox_YOUR_KEY_HERE"

hours controls the analysis window (default 7 days, max 90 days). The report returns as JSON and a continuous_monitoring_report anchor event is written to your chain. An hourly cron re-checks every active baseline.

Positioning

What this is and is not

This agent is

A drift detector across SBOM CVE surface, supply-chain topology, and OFAC/SAM/FAR exclusion rosters
A self-anchored, litigation-ready record of exactly when each state change was first observed
A hand-off trigger for procurement review, compliance teams, counsel

This agent is not

A sanctions finding, risk determination, or vendor approval / rejection
An attribution system — does not identify who caused the drift or what adversary is involved
A replacement for CISA / DCSA / primary SCRM-platform tooling or human compliance judgment

Get a Knox API key Verify an anchor How Knox works