How It Works
How brin scores external context for AI agents. 3-tier scanning pipeline (static, AST, LLM), four scoring dimensions, trust graph, and sub-50ms cached responses.
agents get hacked through the context they consume — a poisoned package, a web page with hidden instructions, a compromised MCP server. brin scores that context before the agent acts on it. you get a risk verdict and can block, warn, or proceed.
##request flow
when you query brin, results come back instantly from cache. if the artifact hasn't been scanned yet, brin returns a preliminary score and kicks off a full scan in the background.
cache hits return in under 50ms. new artifacts get a preliminary score immediately with pending_deep_scan: true in the response.
##tiered scanning pipeline
every artifact goes through up to three tiers. most never touch an LLM — static checks catch the obvious cases cheaply.
| Tier | What it does | Speed |
|---|---|---|
| Tier 1 | Registry metadata, publisher identity, typosquatting checks, blocklists | ~2s |
| Tier 2 | Static analysis — install scripts, dangerous patterns, obfuscation, secrets, agent config files | ~3–5s |
| Tier 3 | LLM-powered semantic analysis — prompt injection, social engineering, hidden malicious intent | ~20–30s |
MCP servers and skills always run Tier 3 — they have direct access to agent behavior and the risk is too high to skip.
##scoring dimensions
every artifact is scored across four dimensions:
| Dimension | What it measures |
|---|---|
| Identity | Publisher legitimacy, account age, verification, typosquatting |
| Behavior | Runtime patterns, install-time actions, side effects |
| Content | Source code, docs, type stubs — anything the agent reads or executes |
| Graph | Transitive trust from connected artifacts in the knowledge graph |
weights vary by artifact type. for packages, content is heaviest (35%) because install scripts and credential harvesting are the primary threat. for web pages, content is also dominant (40%) because prompt injection happens in what the agent reads.
the final composite score is 0–100. this maps to a verdict based on your tolerance setting.
##graph scoring
after each scan, brin syncs the artifact into a knowledge graph — linking packages to their publishers, repos to their orgs, domains to their TLS issuers. the graph score reflects transitive trust: a package whose publisher also maintains flagged packages scores lower, even if the package itself looks clean.
for newly scanned artifacts with no graph connections yet, confidence is capped at medium until graph data is available.
##availability
if brin is unreachable, your agent keeps working as normal — zero downtime risk. every integration fails open by default so brin never becomes a single point of failure in your stack.
On this page