Koi Supply Chain Gateway™
A new architectural layer that acts as a single, proactive network-based gate — curating every package, extension, AI model, and MCP before it reaches your endpoints
Overview:
The Supply Chain Gateway is a new architectural layer that sits at the network layer between your endpoints and every software marketplace, acting as a single, proactive gate. Where traditional security tools govern software after it executes, the Gateway governs software before it ever arrives on an endpoint.
Powered by the Wings™ risk engine, every install request is intercepted, scored, and matched against your policy in milliseconds. Safe software passes through immediately. Risky software is blocked. Gray-area requests are routed for scoped, time-bound approvals with a full audit trail — no manual intervention required.
- Intercepts every software install request at the network layer before it reaches a marketplace or registry.
- Real-time Wings™ risk scoring on every request — code behaviour, publisher trust, network egress, and CVE exposure.
- Automated allow, block, or approval routing based on org-wide policies and group rules.
- Covers all software types: binary apps, browser extensions, npm/pip packages, AI models, and MCP tools.
- Monitors approved software continuously — re-scoring on every version update, ownership change, or update channel shift.
- Scoped, time-bound exceptions with full justification and audit trail for every decision.
- Can change the install button to "request approval" so users can still discover software without bypassing security.
- Removes risky search results over the network before employees ever see them.
Software Inventory Management
Every install, update, and removal tracked centrally across all endpoints, operating systems, and software types. No blind spots, no manual cataloguing — the Gateway maintains a complete, real-time inventory of everything entering your environment.
- Full inventory across binary apps, browser extensions, npm/pip packages, AI models, and MCPs.
- Every install, update, and removal logged automatically.
- Covers all major operating systems and endpoint types.
- No manual cataloguing or agent scripting required.
Real-Time Risk Analysis
Every incoming software request is scored by Wings™ before it reaches an endpoint. Risk is assessed on code behaviour, publisher reputation, version history, and network egress — not just a blocklist. Per-version scoring means a safe package today is re-evaluated on every update.
- Wings™-powered risk scoring on every request in real time.
- Multi-factor assessment: code behaviour, publisher trust, network egress, CVE exposure.
- Per-version scoring — updated automatically on every new release.
- LLM-powered code analysis included in the scoring pipeline.
Automated Policy Enforcement
Define rules by user, group, or asset sensitivity. The Gateway automatically allows safe software, blocks dangerous installs, and routes gray-area items for approval — without a single manual intervention per decision.
- Allow/block lists configurable by user, group, or software category.
- Group-level policies for different risk tolerances across teams.
- Time-bound cooldown periods for newly released software.
- Scoped, time-bound exceptions with full justification and audit trail.
Proactive Blocking
Instead of reacting after a breach, the Gateway stops dangerous code before it executes. Updates to previously approved software are re-scored — catching malicious version changes, ownership takeovers, and update channel shifts that would otherwise go undetected.
- Pre-execution blocking at the network layer before any endpoint is reached.
- Continuous re-scoring of already-approved software on every update.
- Ownership change and account takeover alerts.
- Update channel shift detection for version drift and policy violations.
Governance without the Bottleneck
Most security tools force a choice: block everything and frustrate developers, or allow everything and accept risk. The Gateway gives you a third path — granular, automated governance that stays out of the way of your team.
- Change the install button to "request approval" so users can discover software without bypassing security.
- Remove risky search results over the network before employees see them.
- Approval workflows routed to the right owner with full context and risk score attached.
- Every allow, block, and approval decision logged for compliance reporting.
From Install Request to Safe Delivery in Milliseconds
The Supply Chain Gateway intercepts software requests at the network layer, analyses risk with Wings™, and enforces your policies automatically — all without slowing down your team.
Step 01 — Request Intercepted
An employee attempts to install software. The Gateway intercepts the request at the network layer before it reaches the marketplace or registry.
Step 02 — Wings™ Risk Scoring
The requested software is scored by Wings™ in real time — assessing code behaviour, publisher reputation, network egress, and version history.
Step 03 — Policy Matched
The risk score is matched against your org-wide policies — rules defined by user, group, asset sensitivity, or software category.
Step 04 — Allow, Block, or Route for Approval
Safe software passes through immediately. High-risk software is blocked. Gray areas are routed for scoped, time-bound approvals with a full audit trail.
Step 05 — Update Monitoring
Already-approved software continues to be monitored. Malicious updates, ownership changes, or version drift trigger immediate re-scoring and alerts.
Step 06 — Full Audit Trail
Every decision — allow, block, or approval — is logged with justification, user context, and risk data. Full compliance reporting built in.
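As an added illustration (example code written for this page, not Koi's or Wings™'s implementation), the allow / block / route-for-approval decision from Steps 01 to 05 as one small policy function: group-scoped thresholds, a cooldown for new releases, a scoped time-bound exemption, a publisher-change check on updates, and an audit record per decision. The 0-100 score scale (higher is riskier), the request fields, and the sample packages and publishers are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import NamedTuple

@dataclass
class Policy:                                   # one policy per user group (assumed shape)
    block_at: int = 70                          # score >= block_at: blocked outright
    review_at: int = 40                         # review_at <= score < block_at: approval
    cooldown: timedelta = timedelta(days=7)     # releases younger than this wait for review

class Exemption(NamedTuple):                    # scoped, time-bound exception
    key: str; group: str; expires: datetime; justification: str

def decide(req, policies, exemptions, now, audit, prior_publisher=None):
    """Return 'allow', 'block' or 'review' for one install request (a dict) and append an
    audit record; prior_publisher is the publisher of the last approved version (Step 05)."""
    key, policy = f"{req['ecosystem']}:{req['name']}", policies.get(req["group"], policies["default"])
    score = req["risk_score"]
    if score >= policy.block_at:                # checked first: no exemption unblocks a hard block
        decision, reason = "block", f"risk {score} >= {policy.block_at}"
    elif prior_publisher and prior_publisher != req["publisher"]:
        decision, reason = "review", f"publisher changed: {prior_publisher} -> {req['publisher']}"
    elif now - req["published"] < policy.cooldown:      # a new release waits even if exempted
        decision, reason = "review", "release inside cooldown window"
    elif any(e.key == key and e.group == req["group"] and e.expires > now for e in exemptions):
        decision, reason = "allow", "active scoped exemption"
    elif score >= policy.review_at:
        decision, reason = "review", f"risk {score} >= {policy.review_at}"
    else:
        decision, reason = "allow", f"risk {score} below review threshold"
    audit.append({"at": now.isoformat(), "user": req["user"], "group": req["group"], "score": score,
                  "package": f"{key}@{req['version']}", "decision": decision, "reason": reason})
    return decision

# Constructed sample policies, exemption and requests (not real packages, publishers or scores)
NOW = datetime(2025, 1, 15, 12, 0)
POLICIES = {"default": Policy(), "engineering": Policy(block_at=80, review_at=60, cooldown=timedelta(days=2))}
EXEMPTIONS = [Exemption("npm:example-widget", "engineering", NOW + timedelta(days=30), "ticket ENG-1")]
def run_samples():
    """Push five constructed requests through decide(); return (decisions, audit log)."""
    audit, old = [], NOW - timedelta(days=30)
    eng = {"user": "alice", "group": "engineering", "ecosystem": "npm", "publisher": "acme-labs"}
    reqs = [  # (request, prior_publisher)
        (dict(eng, name="example-widget", version="1.4.0", risk_score=65, published=old), None),
        (dict(eng, user="bob", group="default", name="example-widget", version="1.4.0", risk_score=65, published=old), None),
        (dict(eng, name="example-widget", version="1.5.0", risk_score=65, published=NOW - timedelta(hours=6)), None),
        (dict(eng, name="example-widget", version="1.6.0", risk_score=20, published=old, publisher="new-owner"), "acme-labs"),
        (dict(eng, name="evil-helper", version="0.0.1", risk_score=92, published=old), None),
    ]
    return [decide(r, POLICIES, EXEMPTIONS, NOW, audit, p) for r, p in reqs], audit
```

The same 1.4.0 request is allowed for the engineering group (exemption in scope) but routed for review for the default group, and the brand-new 1.5.0 release is held by the cooldown even though the package is exempted.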
Use Cases
Control Software Intake
Instead of blanket blocks, the Gateway lets your team discover and request software while keeping security in control of what actually gets installed. Users see an approval request flow rather than a hard block — reducing shadow IT without frustrating developers.
Prevent Supply Chain Attacks
Typosquatting, hijacked packages, malicious updates — the Gateway catches them all at the network layer, before execution. Re-scoring on every version change means a safe package yesterday is not automatically trusted today.
Audit & Compliance
Every allow, block, approval, and exception is logged with user context, risk score, and justification — ready for audit at any time. No manual reporting or log aggregation required.
Block Before Install
Gateway policies powered by Wings™ automatically block software above your defined risk threshold before employees can install it. Up to 70% of marketplace risk can be blocked in a few clicks without writing a single script.
Continuous Monitoring
The Gateway re-scores software on every version update, so teams are automatically notified if a previously approved package changes ownership, injects malicious code, or shifts update channels in a way that violates existing policy.
Automated Remediation Triggers
When a risk score crosses a defined threshold, the Gateway can automatically trigger removal, quarantine, or IT review workflows across the entire endpoint fleet — no manual intervention required, regardless of fleet size.
Koi Supply Chain Gateway™ Specifications:
Table 1. Supply Chain Gateway Coverage and Capabilities

| Capability | Details |
|---|---|
| Deployment model | Cloud (Managed): managed cloud. Self-Hosted (Enterprise): on-premises and private cloud |
| Interception layer | Network layer — intercepts all software install requests before they reach a marketplace or registry |
| Software types governed | Binary apps, browser extensions, npm/pip packages, AI models, MCP tools, OS packages |
| Marketplaces covered | Chrome Web Store, npm, PyPI, VS Code Marketplace, HuggingFace, MCP Marketplace, and more |
| Risk scoring engine | Wings™ — code behaviour, publisher trust, network egress, supply chain integrity, CVE exposure |
| Policy actions | Allow, block, route for approval (scoped, time-bound), remove risky search results, change install button to approval request |
| Approval workflow | Scoped, time-bound exceptions with full justification, user context, and risk score attached |
| Continuous monitoring | Re-scores approved software on every version update, ownership change, update channel shift, or new CVE |
| Audit & compliance | Every allow, block, approval, and exception logged with user context, risk score, and justification |
| Integration | REST API; powers Koi Endpoint preventive policies, monitoring alerts, and automated remediation triggers |
Table 2. Gateway Enforcement Pipeline

| Step | What happens |
|---|---|
| 1. Request interception | Install request intercepted at the network layer before it reaches the target marketplace or registry. |
| 2. Wings™ risk scoring | Real-time multi-factor scoring covering code behaviour, publisher reputation, network egress, and CVE exposure. |
| 3. Policy matching | Risk score matched against org-wide policies defined by user, group, asset sensitivity, or software category. |
| 4. Enforcement decision | Allow (safe), block (high-risk), or route for scoped, time-bound approval (gray area) — automatically, with no manual intervention. |
| 5 & 6. Monitoring & audit | Approved software continuously re-scored. Every decision logged with full justification for compliance reporting. |
Table 3. Gateway vs. Traditional Security Tools

| Capability | Gateway | EDR/AV | SWG/Proxy | MDM |
|---|---|---|---|---|
| Network-layer software interception | Full coverage | Not available | Partial (URL only) | Not available |
| Pre-execution policy enforcement | Full coverage | Post-execution only | Not available | Not available |
| Approval workflow & exceptions | Scoped, time-bound, full audit trail | Not available | Not available | Not available |
| AI model & MCP governance | Full coverage | Not available | Not available | Not available |
| Continuous re-scoring on updates | Automatic on every version/ownership change | Not available | Not available | Not available |
