Global Options
These options are available on most commands:
| Option | Description |
|---|
--quiet | Suppress banners and decorative output |
--no-color | Disable colored/rich output (also auto-detected when piping) |
--json | Output as JSON (available on enterprise commands) |
When piping output (e.g., raxe scan "text" --format json | jq .), ANSI color codes are automatically suppressed.
raxe scan
Scan text for threats.
Options
| Option | Description |
|---|
--format | Output format: text, json, yaml, table |
--ci | CI mode (JSON + exit code 1 on threats) |
--explain | Show detailed explanations |
--rule | Test specific rule only |
--tenant | Tenant ID for multi-tenant scanning |
--app | App ID within tenant |
--policy | Override policy for this scan |
--quiet | Suppress banners and decorative output |
--no-color | Disable colored output |
Examples
# Basic scan
raxe scan "Ignore all previous instructions"
# JSON output
raxe scan "text" --format json
# Table output (summary view)
raxe scan "text" --format table
# YAML output
raxe scan "text" --format yaml
# CI mode
raxe scan "text" --ci
# With explanations
raxe scan "text" --explain
# Quiet mode (minimal output)
raxe scan "text" --quiet
# Multi-tenant scanning
raxe scan "text" --tenant acme --app chatbot
# Override policy
raxe scan "text" --tenant acme --policy strict
raxe batch
Scan multiple prompts from file.
Options
| Option | Description |
|---|
--format | Output format: text, json, csv |
--output | Write results to file |
Examples
# Scan from file
raxe batch prompts.txt
# Output to JSON file
raxe batch prompts.txt --format json --output results.json
# From stdin
cat prompts.txt | raxe batch -
raxe repl
Interactive scanning mode.
REPL Commands
| Command | Description |
|---|
scan <text> | Scan text |
rules | List loaded rules |
stats | Show session stats |
clear | Clear screen |
help | Show help |
quit | Exit REPL |
raxe rules
Manage detection rules.
raxe rules list
raxe rules show <rule-id>
Subcommands
| Command | Description |
|---|
list | List all rules |
show <id> | Show rule details |
search <query> | Search rules |
Examples
# List all rules
raxe rules list
# Filter by family
raxe rules list --family PI
# Show specific rule
raxe rules show pi-001
# Search rules
raxe rules search "injection"
raxe doctor
System health check.
Output
RAXE Health Check
Configuration file exists
Rules loaded successfully (515 rules)
Database initialized
ML model available
Telemetry endpoint reachable
System ready!
raxe stats
View scan statistics.
Options
| Option | Description |
|---|
--period | Time period: today, week, month, all |
Output
RAXE Statistics (This Week)
Scans: 1,234
Threats Detected: 56
Detection Rate: 4.5%
Top Rules:
1. pi-001 (23 detections)
2. jb-003 (12 detections)
3. pii-042 (8 detections)
raxe config
Manage configuration.
raxe config show
raxe config set <key> <value>
Subcommands
| Command | Description |
|---|
show | Show current config |
set <key> <value> | Set config value |
reset | Reset to defaults |
Examples
# Show config
raxe config show
# Set log level
raxe config set log_level DEBUG
# Reset config
raxe config reset
raxe init
Initialize RAXE configuration.
Creates:
~/.raxe/config.yaml~/.raxe/raxe.db
raxe mcp
MCP (Model Context Protocol) integration commands.
raxe mcp status
Check MCP integration status including SDK availability, server modules, and Claude Desktop configuration.
raxe mcp status
raxe mcp status --json
Options
| Option | Description |
|---|
--output | Output format: table, json |
--json | Shorthand for --output json |
Example Output
MCP Integration Status
┌──────────────────┬────────────────┐
│ RAXE Version │ 0.10.2 │
│ MCP SDK │ Installed │
│ MCP SDK Version │ 1.16.0 │
│ Server Module │ Available │
│ Gateway Config │ Not found │
│ Claude Desktop │ Not configured │
└──────────────────┴────────────────┘
raxe mcp gateway
Start the MCP Security Gateway to protect MCP servers.
raxe mcp gateway -u "npx @modelcontextprotocol/server-filesystem /tmp"
Options
| Option | Description |
|---|
-u, --upstream | Upstream MCP server command (required unless using —config) |
-c, --config | Path to gateway configuration file |
--on-threat | Action on threat: log, block, warn (default: log) |
--severity-threshold | Minimum severity: LOW, MEDIUM, HIGH, CRITICAL (default: HIGH) |
--no-l2 | Disable ML detection for faster scanning |
-v, --verbose | Enable verbose logging |
Examples
# Protect a filesystem server
raxe mcp gateway -u "npx @modelcontextprotocol/server-filesystem /tmp"
# With blocking enabled
raxe mcp gateway -u "npx @modelcontextprotocol/server-filesystem /tmp" --on-threat block
# From config file
raxe mcp gateway --config mcp-security.yaml
# Fast mode (L1 only)
raxe mcp gateway -u "npx @modelcontextprotocol/server-filesystem /tmp" --no-l2
raxe mcp serve
Start the MCP server (RAXE as a tool provider).
Options
| Option | Description |
|---|
--transport | Transport protocol: stdio (default: stdio) |
--log-level | Log level: debug, info, warn, error (default: info) |
-q, --quiet | Suppress startup banner |
raxe mcp audit
Audit an MCP configuration file for security issues.
raxe mcp audit ~/.config/claude/claude_desktop_config.json
Options
| Option | Description |
|---|
--json | Output results as JSON |
Example Output
MCP Configuration Audit
┌──────────┬────────────┬──────────────────────────────────────┬──────────────────────────────────┐
│ Severity │ Server │ Issue │ Recommendation │
├──────────┼────────────┼──────────────────────────────────────┼──────────────────────────────────┤
│ CRITICAL │ shell │ Server has shell execution capabili… │ Use RAXE gateway to monitor │
│ HIGH │ filesystem │ Filesystem server has access to se… │ Restrict to specific directories │
└──────────┴────────────┴──────────────────────────────────────┴──────────────────────────────────┘
raxe mcp generate-config
Generate a sample gateway configuration file.
Options
| Option | Description |
|---|
-o, --output | Output file path (default: mcp-security.yaml) |
raxe completion
Generate shell completion scripts for bash, zsh, or fish.
raxe completion bash
raxe completion zsh
raxe completion fish
Installation
# Bash
raxe completion bash >> ~/.bashrc
# Zsh
raxe completion zsh >> ~/.zshrc
# Fish
raxe completion fish > ~/.config/fish/completions/raxe.fish
raxe models
Manage and inspect ML models.
raxe models list
raxe models compare
Subcommands
| Command | Description |
|---|
list | List available ML models |
compare | Compare model performance |
~/.raxe/models/ directory. RAXE ships with a default compact Gemma-based classifier.
raxe export
Export scan history.
raxe export --format json --output history.json
Options
| Option | Description |
|---|
--format | Output format: json, csv |
--output | Output file path |
--since | Export from date |
raxe tenant
Manage tenants for multi-customer deployments.
Subcommands
| Command | Description |
|---|
create | Create a new tenant |
list | List all tenants |
show <id> | Show tenant details |
delete <id> | Delete a tenant |
Examples
# Create a tenant
raxe tenant create --name "Acme Corp" --id acme
# Create with strict policy
raxe tenant create --name "Security Team" --id security --policy strict
# List tenants
raxe tenant list
raxe tenant list --json
# Delete tenant
raxe tenant delete acme --force
raxe app
Manage applications within tenants.
Subcommands
| Command | Description |
|---|
create | Create a new app |
list | List apps for a tenant |
show <id> | Show app details |
delete <id> | Delete an app |
Examples
# Create an app
raxe app create --tenant acme --name "Chatbot" --id chatbot
# Create with strict policy
raxe app create --tenant acme --name "Trading" --id trading --policy strict
# List apps
raxe app list --tenant acme
# Show details
raxe app show chatbot --tenant acme
raxe policy
Manage security policies for tenants.
Subcommands
| Command | Description |
|---|
list | List available policies |
set <policy> | Set default policy |
explain | Show policy resolution |
create | Create custom policy |
Examples
# List policies (presets + custom)
raxe policy list --tenant acme
raxe policy list --tenant acme --json
# Set tenant default
raxe policy set balanced --tenant acme
# Set app-specific policy
raxe policy set strict --tenant acme --app trading
# Explain resolution chain
raxe policy explain --tenant acme --app trading
Policy Modes
| Mode | Behavior |
|---|
monitor | Never blocks, logs everything |
balanced | Blocks CRITICAL, HIGH with confidence ≥ 0.85 |
strict | Blocks CRITICAL, HIGH, and MEDIUM |
raxe suppress
Manage suppression rules for false positives.
raxe suppress <subcommand>
Subcommands
| Command | Description |
|---|
list | List all active suppressions |
add <pattern> | Add a new suppression |
remove <pattern> | Remove a suppression |
audit | View suppression audit log |
Examples
# List all suppressions
raxe suppress list
# Add a suppression with reason
raxe suppress add pi-001 --reason "Known false positive in auth flow"
# Add with expiration
raxe suppress add "jb-*" --reason "Test suite" --expires 2027-06-01
# Tenant-scoped suppression
raxe suppress add pi-001 --tenant acme --reason "Tenant-specific false positive"
raxe suppress list --tenant acme
# Remove a suppression
raxe suppress remove pi-001
# View audit log
raxe suppress audit
Options for add
| Option | Description |
|---|
--reason | Required reason for the suppression |
--expires | Expiration date (ISO 8601 format) |
--action | Override action: SUPPRESS, FLAG, LOG |
--tenant | Tenant ID for tenant-scoped suppression |
raxe validate-rule
Validate a custom rule file.
raxe validate-rule path/to/rule.yaml
Output
Validating rule.yaml...
YAML syntax valid
Schema compliance OK
Pattern compiles successfully
No catastrophic backtracking
Examples pass
Rule is valid!
raxe mssp
Manage MSSPs for partner deployments.
Subcommands
| Command | Description |
|---|
create | Create a new MSSP |
list | List all MSSPs |
show <id> | Show MSSP details |
test-webhook <id> | Test webhook connectivity |
delete <id> | Delete an MSSP |
cleanup | Clean up old audit logs |
Create Options
| Option | Description |
|---|
--id | MSSP identifier (must start with mssp_) |
--name | Human-readable MSSP name |
--webhook-url | Webhook endpoint URL (HTTPS required) |
--webhook-secret | Shared secret for HMAC signing |
--tier | Subscription tier: starter, professional, enterprise (default: starter) |
--max-customers | Maximum customers allowed (default: 10) |
Examples
# Create MSSP with webhook
raxe mssp create --id mssp_yourcompany \
--name "Your Security Services" \
--webhook-url https://soc.company.com/raxe/alerts \
--webhook-secret your_secret_here \
--tier starter \
--max-customers 10
# List MSSPs
raxe mssp list
raxe mssp list --json
# Show details
raxe mssp show mssp_yourcompany
# Test webhook
raxe mssp test-webhook mssp_yourcompany
# Delete MSSP
raxe mssp delete mssp_yourcompany --force
raxe customer
Manage customers within an MSSP.
raxe customer <subcommand>
Subcommands
| Command | Description |
|---|
create | Create a new customer |
list | List customers for an MSSP |
show <id> | Show customer details |
configure <id> | Update customer settings |
delete <id> | Delete a customer |
Examples
# Create customer with full data mode
raxe customer create --mssp mssp_yourcompany --id cust_acme \
--name "Acme Corporation" \
--data-mode full \
--retention-days 60
# Create privacy-safe customer
raxe customer create --mssp mssp_yourcompany --id cust_privacy \
--name "Privacy Corp" \
--data-mode privacy_safe
# List customers
raxe customer list --mssp mssp_yourcompany
raxe customer list --mssp mssp_yourcompany --json
# Show details
raxe customer show --mssp mssp_yourcompany cust_acme
# Update configuration
raxe customer configure cust_acme --mssp mssp_yourcompany \
--data-mode privacy_safe \
--retention-days 90
# Delete customer
raxe customer delete --mssp mssp_yourcompany cust_acme --force
Configuration Options
| Option | Description |
|---|
--data-mode | full or privacy_safe |
--retention-days | Data retention (0-90 days) |
--heartbeat-threshold | Seconds before agent marked offline |
SIEM Subcommands
raxe customer siem configure <id> --mssp <mssp_id> --type <type> --url <url> --token <token>
raxe customer siem show <id> --mssp <mssp_id>
raxe customer siem test <id> --mssp <mssp_id>
raxe customer siem disable <id> --mssp <mssp_id>
SIEM Configuration Examples
# Splunk HEC
raxe customer siem configure cust_acme --mssp mssp_yourcompany \
--type splunk \
--url https://splunk.company.com:8088/services/collector/event \
--token "hec-token"
# CEF over HTTP
raxe customer siem configure cust_acme --mssp mssp_yourcompany \
--type cef \
--url https://collector.company.com/cef \
--token "bearer-token"
# CEF over Syslog UDP
raxe customer siem configure cust_acme --mssp mssp_yourcompany \
--type cef \
--url syslog://siem.company.com \
--transport udp --port 514
# CEF over Syslog TCP with TLS
raxe customer siem configure cust_acme --mssp mssp_yourcompany \
--type cef \
--url syslog://siem.company.com \
--transport tcp --port 6514 --tls
# ArcSight SmartConnector
raxe customer siem configure cust_acme --mssp mssp_yourcompany \
--type arcsight \
--url https://arcsight.company.com/receiver/v1/events \
--token "connector-token" \
--smart-connector-id sc-001
SIEM Types
| Type | Description |
|---|
splunk | Splunk HTTP Event Collector |
crowdstrike | CrowdStrike Falcon LogScale |
sentinel | Microsoft Sentinel |
cef | Generic CEF (HTTP or Syslog) |
arcsight | ArcSight SmartConnector |
raxe agent
Manage agents deployed at customer sites.
Subcommands
| Command | Description |
|---|
register | Register a new agent |
list | List agents for an MSSP |
status <id> | Show agent status |
heartbeat <id> | Send agent heartbeat |
unregister <id> | Unregister an agent |
Examples
# Register agent
raxe agent register --mssp mssp_yourcompany --customer cust_acme \
--version 0.10.0 agent_prod_001
# List agents
raxe agent list --mssp mssp_yourcompany
raxe agent list --mssp mssp_yourcompany --json
raxe agent list --mssp mssp_yourcompany --customer cust_acme
# Show agent status
raxe agent status --mssp mssp_yourcompany --customer cust_acme agent_prod_001
# Send heartbeat
raxe agent heartbeat agent_prod_001
# Unregister agent
raxe agent unregister agent_prod_001 --force
Status Output
Agent Status: agent_prod_001
┌────────────────┬─────────────────────┐
│ Agent ID │ agent_prod_001 │
│ Status │ online │
│ MSSP │ mssp_yourcompany │
│ Customer │ cust_acme │
│ Version │ 0.10.0 │
│ Platform │ darwin │
│ Last Heartbeat │ 2026-01-30T11:30:00 │
│ Total Scans │ 1250 │
│ Total Threats │ 23 │
└────────────────┴─────────────────────┘
