Capability · Distribution
A guard that updates itself
Checksum-verified, atomic updates that auto-apply and never break the binary. A new rule or fix reaches the entire fleet in hours — with zero developer effort and no IT ticket.
cdxai self-update
channel: stable
current   v1.6.0
latest    v1.7.0   update available
↓ downloading cdxai_1.7.0_darwin_arm64.tar.gz
✓ checksum verified (sha256)
✓ applied atomically · previous binary preserved
✓ now running v1.7.0
reported to console · fleet view updated
no restart · no developer action
The risk
A security tool is only as current as its slowest device
Detection rules improve constantly. If updating the guard depends on developers or manual rollouts, the fleet fragments and your newest protection never arrives where it's needed.
Slow rollouts
Manual or IT-driven updates take weeks — long enough that a known gap stays open across most of the fleet.
Version fragmentation
When every device updates on its own schedule, the policy you think is enforced isn't the one actually running everywhere.
Risky updates
A botched update that breaks the binary is worse than no update — it can wedge a developer's whole workflow.
Mechanics
How self-update works
Check for a release
In the background the guard checks the published artifact channel for a newer version — no developer action required.
Verify the checksum
The new binary is downloaded and its checksum compared with the entry in the signed release manifest before anything is swapped in. The checksum alone only shows the download arrived intact; the signature on the manifest is what ties that checksum to the publisher, so the update is abandoned if either the signature or the checksum fails to verify.
Apply atomically
The update is applied atomically — it either fully succeeds or leaves the working binary untouched. It never half-installs.
Confirm in the fleet view
The new version reports up, so fleet observability shows the rollout landing and flags any device left behind.
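The verify-and-swap steps above, and the safety properties described in the next section, as an added worked example. This is illustrative code written for this page, not cdxai's own implementation. It assumes a hypothetical manifest format of "<sha256 hex>  <artifact name>" lines signed as a whole with an Ed25519 release key, keeps the previous binary as a hard-linked `.prev` file, and uses invented function names; fetching the channel and reporting to the fleet view are out of scope.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// SignedManifest is a hypothetical release manifest, not cdxai's real format:
// "<sha256 hex>  <artifact name>" lines, signed as a whole with the publisher's
// Ed25519 release key. An unsigned checksum proves nothing: whoever can swap
// the binary on the channel can swap the checksum published beside it.
type SignedManifest struct {
	Body, Sig []byte
}

// ParseManifest returns no checksum at all unless the signature verifies.
func ParseManifest(pub ed25519.PublicKey, m SignedManifest) (map[string]string, error) {
	if !ed25519.Verify(pub, m.Body, m.Sig) {
		return nil, errors.New("manifest signature invalid; checksums untrusted")
	}
	sums := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(string(m.Body)), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || len(f[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		sums[f[1]] = strings.ToLower(f[0])
	}
	return sums, nil
}

// AtomicReplace never leaves a half-written file at path: the new binary is
// written and fsynced under a sibling temp name, the old one stays reachable as
// path+".prev" through a hard link, and rename(2) swaps the new file in as one
// step. Any failure removes the temp file and leaves path untouched.
func AtomicReplace(path string, data []byte) error {
	tmpName := path + ".new"
	tmp, err := os.OpenFile(tmpName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o755)
	if err != nil {
		return err
	}
	discard := func(e error) error { tmp.Close(); os.Remove(tmpName); return e }
	if _, err = tmp.Write(data); err != nil {
		return discard(err)
	}
	if err = tmp.Sync(); err != nil { // durable before it can become the binary
		return discard(err)
	}
	if err = tmp.Close(); err != nil {
		return discard(err)
	}
	prev := path + ".prev"
	os.Remove(prev) // backup left by the previous update, if any
	if err = os.Link(path, prev); err != nil && !errors.Is(err, os.ErrNotExist) {
		return discard(err)
	}
	if err = os.Rename(tmpName, path); err != nil {
		return discard(err)
	}
	return nil
}

// ApplyUpdate runs the pipeline for one release: signature, checksum, swap.
func ApplyUpdate(pub ed25519.PublicKey, m SignedManifest, name string, data []byte, path string) error {
	sums, err := ParseManifest(pub, m)
	if err != nil {
		return err
	}
	want, ok := sums[name]
	if !ok {
		return fmt.Errorf("%s is not listed in the manifest", name)
	}
	sum := sha256.Sum256(data)
	if got := hex.EncodeToString(sum[:]); got != want {
		return fmt.Errorf("checksum mismatch for %s: got %s, want %s", name, got, want)
	}
	return AtomicReplace(path, data)
}

func main() { // constructed demo: a throwaway key and short strings stand in for real artifacts
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dir, _ := os.MkdirTemp("", "selfupdate")
	defer os.RemoveAll(dir)
	bin := filepath.Join(dir, "cdxai")
	_ = os.WriteFile(bin, []byte("guard v1.6.0"), 0o755)
	release := []byte("guard v1.7.0")
	sum := sha256.Sum256(release)
	body := []byte(hex.EncodeToString(sum[:]) + "  cdxai_1.7.0_darwin_arm64.tar.gz\n")
	m := SignedManifest{Body: body, Sig: ed25519.Sign(priv, body)}
	fmt.Println("tampered:", ApplyUpdate(pub, m, "cdxai_1.7.0_darwin_arm64.tar.gz", []byte("evil"), bin))
	fmt.Println("genuine:", ApplyUpdate(pub, m, "cdxai_1.7.0_darwin_arm64.tar.gz", release, bin))
	cur, _ := os.ReadFile(bin)
	fmt.Println("running:", string(cur))
}
```

Three choices carry the safety argument: the signature is checked before a single checksum is read, so a channel compromise that rewrites both binary and checksum still fails; the temp file lives in the same directory as the binary, so the final rename is a same-filesystem rename(2) and therefore atomic; and the previous binary is preserved with a hard link rather than a move, so there is no moment at which no binary exists at the path.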
Inside the capability
How it stays safe
Auto-update is only acceptable if it can never make things worse — so safety is built into every step.
Auto-applying
Updates roll out in the background and apply themselves — the fleet converges without anyone chasing it.
Checksum-verified
Every artifact is verified against a signed checksum before it's trusted — no unverified binary ever runs.
Atomic swaps
An update fully succeeds or not at all; a failure leaves the previous working binary in place, untouched.
Auditable channel
Binaries are served from a public, checksummed artifact repo behind a one-line installer you can read before you trust it.
Hours, not weeks
A new rule or fix reaches the whole fleet in hours — the gap between “we shipped a fix” and “the fleet has it” collapses.
Visible rollout
Version distribution in the fleet view confirms the update landed and surfaces any lagging device.
Outcomes
What you get
- New detection and fixes across the whole fleet in hours
- Zero developer effort and no IT ticket per update
- Checksum-verified, atomic updates that never break the binary
- A convergent fleet — far less version fragmentation
- An auditable, public distribution channel
- Rollout confirmation through fleet observability