# How It Works
How brin scores external context for AI agents
brin scores every piece of external context an agent might touch — packages, web pages, repositories, MCP servers, and skills — before the agent acts on it.
## Request flow
When you query brin, results come back instantly from cache. If the artifact hasn't been scanned yet, brin returns a preliminary score and kicks off a full scan in the background.
Cache hits return in under 10ms. New artifacts get a preliminary score immediately, with `pending_deep_scan: true` in the response.
## Tiered scanning pipeline
Every artifact goes through up to three tiers. Most never need the LLM — static checks catch the obvious cases cheaply.
| Tier | What it does | Speed |
|---|---|---|
| Tier 1 | Registry metadata, publisher identity, typosquatting checks, blocklists | ~2s |
| Tier 2 | Static analysis — install scripts, dangerous patterns, obfuscation, secrets, agent config files | ~3–5s |
| Tier 3 | LLM-powered semantic analysis — prompt injection, social engineering, hidden malicious intent | ~20–30s |
MCP servers and skills always run Tier 3 — they have direct access to agent behavior and the risk is too high to skip.
## Scoring dimensions
Every artifact is scored across four dimensions:
| Dimension | What it measures |
|---|---|
| Identity | Publisher legitimacy, account age, verification, typosquatting |
| Behavior | Runtime patterns, install-time actions, side effects |
| Content | Source code, docs, type stubs — anything the agent reads or executes |
| Graph | Transitive trust from connected artifacts in the knowledge graph |
Dimension weights vary by artifact type. For packages, content is heaviest (35%) because install scripts and credential harvesting are the primary threat. For web pages, content is also dominant (40%) because prompt injection happens in what the agent reads.
The final composite score is 0–100. This maps to a verdict based on your tolerance setting.
## Graph scoring
After each scan, brin syncs the artifact into a knowledge graph — linking packages to their publishers, repos to their orgs, domains to their TLS issuers. The graph score reflects transitive trust: a package whose publisher also maintains flagged packages will score lower, even if the package itself looks clean.
For newly scanned artifacts with no graph connections yet, confidence is capped at medium until graph data is available.
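The weighting, tolerance and graph-confidence rules described in the two sections above, worked through as an added illustration (this is not brin's own code). Only the content weights (35% for packages, 40% for web pages) and the "cap confidence at medium without graph data" rule come from the page; the other weights, the tolerance cutoffs, the `allow`/`block` verdict names and the sample inputs are assumptions made so the example runs.

```python
from dataclasses import dataclass

# Per-artifact-type weights in percent (each row sums to 100). The content
# weights (35 for packages, 40 for web pages) follow the page; how the
# remainder is split across identity/behavior/graph is an assumption.
WEIGHTS = {
    "package":  {"identity": 25, "behavior": 25, "content": 35, "graph": 15},
    "web_page": {"identity": 20, "behavior": 20, "content": 40, "graph": 20},
}

# Assumed mapping from tolerance setting to the minimum score that is allowed.
ALLOW_CUTOFF = {"strict": 80, "balanced": 60, "permissive": 40}


@dataclass(frozen=True)
class Assessment:
    score: int        # composite 0-100, higher means more trustworthy
    verdict: str      # "allow" or "block" (assumed verdict names)
    confidence: str   # "medium" or "high"


def composite_score(artifact_type, dimension_scores):
    """Weighted average of the four 0-100 dimension scores, rounded to an int."""
    weights = WEIGHTS[artifact_type]
    if set(dimension_scores) != set(weights):
        raise ValueError(f"expected dimensions {sorted(weights)}")
    if any(not 0 <= v <= 100 for v in dimension_scores.values()):
        raise ValueError("dimension scores must be in 0..100")
    # Integer arithmetic keeps the result exact; weights sum to 100, so /100 normalises.
    return round(sum(weights[d] * dimension_scores[d] for d in weights) / 100)


def assess(artifact_type, dimension_scores, graph_connections, tolerance="balanced"):
    """Composite score, verdict for the given tolerance, and confidence level.

    The confidence rule follows the page: an artifact with no graph connections
    yet is capped at "medium" until graph data is available.
    """
    score = composite_score(artifact_type, dimension_scores)
    verdict = "allow" if score >= ALLOW_CUTOFF[tolerance] else "block"
    confidence = "high" if graph_connections > 0 else "medium"
    return Assessment(score, verdict, confidence)


if __name__ == "__main__":
    # Constructed inputs: the same clean-looking package with a healthy graph
    # score versus one whose publisher also maintains flagged packages.
    clean = {"identity": 90, "behavior": 90, "content": 90, "graph": 90}
    tainted = dict(clean, graph=30)
    print(assess("package", clean, graph_connections=4))    # score 90, allow, high
    print(assess("package", tainted, graph_connections=4))  # score 81, allow, high
    # A web page whose content looks like prompt injection and is not yet in the
    # graph; the neutral graph score of 50 is a constructed placeholder.
    page = {"identity": 80, "behavior": 80, "content": 20, "graph": 50}
    print(assess("web_page", page, graph_connections=0))    # score 50, block, medium
```

The same web page passes under the assumed `permissive` cutoff, which is the tolerance-dependent verdict the page describes.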