Create your account
10 seconds
Sign up at kefal.dev/app with your email. No credit card. 7-day free trial — full feature access from minute one.
Kefal gives your infrastructure architectural awareness. It knows what's running, what's exposed, and what doesn't belong — before an attacker does.
Installs in 33 seconds. No config files. No vendor lock-in.
April 2026. Claude Mythos became the first AI to complete a 32-step network attack autonomously. 73% success rate on expert-level CTFs. It's not a lab demo — it's what's coming for your stack.
If you've added AI to your business — a RAG layer on client documents, a coding assistant for your dev team, an AI diagnostic agent for your clinic — you've opened paths that traditional security tools can't see. Signatures don't catch what has no signature yet.
That's what Kefal is for.
5 seconds
In your dashboard, open Settings → API Keys → Generate. Copy the kfl_… key — it's shown once and then only its hash is kept on our servers.
kfl_••••••••••••••••••••••••••••••••
30 seconds
Download the static binary on the server you want to monitor, run it, paste your API key when prompted. That's it.
curl -L -o kefal-agent \
  https://kefal.dev/download/kefal-agent-linux-amd64
chmod +x kefal-agent
sudo ./kefal-agent
macOS, ARM64 and Windows binaries available — see install docs.
Two views, same data. Graph for the architect's eye. Incidents for the on-call engineer. Remediation written in plain English — and in the exact shell command you'd run.
Seven compositional engines run on every scan. The same architecture that powers autonomous research — now applied to defending your network.
Learns the normal rhythm of your infrastructure and detects when behavior shifts.
Maps relationships between every process, port, and identity. Surfaces hidden paths.
Maintains a persistent model of what your system should look like. Notices what drifts.
Tracks what your infrastructure knows and how that knowledge evolves over time.
Anticipates what an attacker would try next based on your current exposure.
Strengthens trust in common patterns. Isolates the ones that don't fit.
Breaks multi-step attacks into the causal chain you can actually act on.
This isn't a rule engine with a fancy UI. It's the same compositional primitive that powers autonomous research in the Catalyst lab — applied to defending your network.
Kefal speaks two protocols designed for AI: MCP for inline tool-use from chat-style assistants, and A2A for autonomous agents that need to delegate security checks.
Connect Kefal to Claude, Cursor, or any MCP-compatible AI assistant. Ask about your servers in natural language.
{
  "mcpServers": {
    "kefal": {
      "url": "https://kefal.dev/mcp/",
      "headers": {
        "Authorization": "Bearer kfl_your_key"
      }
    }
  }
}
list_agents — enrolled hosts
get_agent_status — latest snapshot
list_incidents — filter by status / severity
get_incident — full record + causal chain
acknowledge_incident — mark as seen
get_topology — graph of nodes & edges
Kefal is discoverable as an autonomous security agent via Google's A2A protocol. Your DevOps agents can delegate security checks before deployments — no human in the loop.
GET https://kefal.dev/.well-known/agent.json
POST https://kefal.dev/a2a
Authorization: Bearer kfl_your_key
{
  "jsonrpc": "2.0",
  "id": "1",
  "method": "a2a.task.send",
  "params": {
    "task_id": "pre-deploy-check",
    "message": {
      "role": "user",
      "content": "list open incidents"
    }
  }
}
"Before merging, my CI agent asks Kefal for any open high-severity incident on the deploy target. If anything's open, the merge is held until a human acknowledges."
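The CI gate described in the quote above, written out as an added example (not Kefal's code and not the customer's). The request body is the one shown on this page; the reply layout (`result.incidents` with `host`, `severity`, `status`), the severity labels and the `KEFAL_API_KEY` variable name are assumptions, and the sample reply is constructed. The gate fails closed: any reply it cannot fully interpret holds the merge.

```python
import json
import os
import urllib.request

A2A_URL = "https://kefal.dev/a2a"   # endpoint named on the page
BLOCKING = {"high", "critical"}     # ASSUMED severity labels
REQUEST = {"jsonrpc": "2.0", "id": "1", "method": "a2a.task.send",
           "params": {"task_id": "pre-deploy-check",
                      "message": {"role": "user", "content": "list open incidents"}}}

def fetch(timeout=10):
    """POST the page's request; the key comes from a CI secret, not the repo."""
    req = urllib.request.Request(
        A2A_URL, data=json.dumps(REQUEST).encode(),
        headers={"Authorization": "Bearer " + os.environ["KEFAL_API_KEY"],  # ASSUMED name
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()

def gate(reply_text, target):
    """Return (allow, reason); a reply we cannot fully interpret holds the merge."""
    try:
        reply = json.loads(reply_text)
    except (TypeError, ValueError):
        return False, "unparseable reply"
    if not isinstance(reply, dict) or reply.get("id") != REQUEST["id"] or "error" in reply:
        return False, "error or mismatched JSON-RPC reply"
    result = reply.get("result")
    incidents = result.get("incidents") if isinstance(result, dict) else None
    if not isinstance(incidents, list):          # ASSUMED reply layout
        return False, "no incident list in reply"
    for inc in incidents:
        ok = isinstance(inc, dict) and all(
            isinstance(inc.get(k), str) for k in ("host", "severity", "status"))
        if not ok:
            return False, "malformed incident record"
        if inc["host"] == target and inc["status"] == "open" and inc["severity"] in BLOCKING:
            return False, f"open {inc['severity']} incident on {target}"
    return True, "no open high-severity incident on target"

# Constructed sample reply (not real Kefal output).
SAMPLE = json.dumps({"jsonrpc": "2.0", "id": "1", "result": {"incidents": [
    {"host": "web-01", "severity": "high", "status": "open"},
    {"host": "db-01", "severity": "high", "status": "acknowledged"},
    {"host": "web-02", "severity": "low", "status": "open"}]}})

if __name__ == "__main__":
    for host in ("web-01", "db-01", "web-02"):
        print(host, gate(SAMPLE, host))
```

In a pipeline, `gate(fetch(), target)` would run inside a wrapper that treats a network exception or timeout as a hold as well.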
$49/mo
For a single server or small office setup.
$149/mo
The right fit for growing teams with AI in production.
$399/mo
When you need SLA, dedicated support, and unlimited scale.
All plans include a 7-day free trial. No credit card required. Cancel anytime.
Hostnames, running processes, listening ports, and logged-in usernames. No file contents, no network payloads, no keystrokes, no disk contents. The agent is ~6 MB, statically linked, and sends one snapshot every 60 seconds over HTTPS.
Full schema in the documentation.
No. Your graph, incidents, and snapshots are tenant-isolated at every database query. No other customer can see your infrastructure.
What does cross tenants: the detection rules themselves. When a customer contributes a new invariant and it survives adversarial verification, every other customer gains the detection. You never share data — only defensive intelligence.
Nothing breaks. Your dashboard, graph, and incident history stay visible. Ingest pauses until you subscribe — your agents keep trying and resume automatically once your plan is active. No data deletion. No surprise charges.
Yes. Install the agent on each server with the same credentials — each appears as a distinct host in your graph. Plan limits: 3 agents on Starter, 15 on Professional, unlimited on Enterprise.
Sign up in 10 seconds, generate an API key from the dashboard, then run one curl command on each server. The dashboard is visual — graph view by default, no queries to write. Remediations come with exact commands, labeled by risk. If you can follow copy-paste instructions, you can run Kefal.
More answers in the full FAQ.
Start monitoring your infrastructure today. It takes less time than reading this page.
Start your free trial →
7-day trial. No credit card. Cancel anytime.