CAUSAL ANSWER-INFLUENCE RETRIEVAL NETWORK
a cairn marks the path that is safe to take.

Your agents repeat themselves. Most caches would get it wrong. We measured.

CAIRN audits your agent's tool-call traces and certifies which repeated work is provably safe to reuse — then prices what it saves, honestly, net of provider prompt caching. Read-only. Local. Open source.

MEASURED
CAIRN AUDIT · PUBLIC CODING-AGENT CORPORA2026-07-03
tool commands audited4,152,027
agent sessions97,274
re-reads of prior work437,013
"safe-looking" hits that were stale64.4%
  of which real content changes97%
reuse certified by output identity50,632
tokens avoidable (point / carried)88.9M / 2.15B
Kwai SWE-smith 66k + NVIDIA SWE-Hero OpenHands · engine v0.2.0 · method and raw JSON receipts in the repository. Carried figure is an upper-bound model, labeled as such.
The problem

Agent spend is exploding, and the obvious fix is unsafe

Agentic workflows fire 10–20 model calls per task and re-read the same files, scans and tool outputs all day; inference now eats double-digit shares of revenue at agent companies. The obvious fix is caching. But when we measured 4.15M real agent commands, 64% of the re-reads a cache would have served had actually changed — tests flipped, files moved, state drifted. And 97% of those changes were real content, not timestamps. A cache without proof doesn't save money; it silently corrupts your agent.

Semantic caches

Match by similarity, invalidate by TTL guesswork. No output verification — the 64% ships straight to your users.

Provider prompt caching

Safe but prefix-bound, minutes of TTL. Can't reuse work across runs, sessions or users. CAIRN's numbers already assume you use it.

CAIRN

Certifies reuse by provenance and output identity. Never claims what it can't prove — and reports its false-hit rate on your trace.

How it decides

Every repeated call gets one of three verdicts — with a receipt

CERTIFIED

Provably identical — reuse it

Provenance matched and the output hash is identical. Serving the stored result is byte-for-byte correct.

50,632 certified on the public corpora
DELTA

Changed — serve the diff

Same work, output moved. The agent gets a compact delta against what it already saw instead of re-ingesting everything.

42% of re-read tokens avoidable
BLOCKED

Unprovable — re-run live

Output unobservable or state drifted. CAIRN refuses to claim savings it can't prove. The refusal is the product.

294,824 stale-risk events caught

The pink bar is the point: that's the work every other cache would have served stale.

Shadow mode · demo

See your own number — nothing leaves your machine

One hook records your agent's tool calls locally (read-only, never blocks the agent). Use your agent normally for a day, then print your receipt. Works with Claude Code today; MCP gateway next.

# install pip install cairn-security-agent-audit cairn-shadow install --write # ...code with your agent for a day... cairn-shadow report --model claude-sonnet-4.5
# example receipt (illustrative day) CAIRN shadow receipt — 1 day, 1,204 tool calls re-reads: 214 (17.8%) certified exact-cache: 38 false hits blocked: 61 (36.1% of decidable) tokens avoidable: 412,806 point / 3.1M carried est. savings: $2.17 net of provider prompt cache ($10.55 upper bound)
Who it's for

Anyone whose agents own a token bill

Agent products

Coding, support and research agents on flat pricing — token COGS is your gross margin. Certified recycling is margin you can bank without risking correctness.

Security agents

Pentest and SOC agents where a stale result isn't a cost bug, it's a miss. CAIRN's provenance lane blocks unsafe replay and proves it.

Platform & FinOps teams

Fleets of internal agents, one bill, no trace-level visibility. Per-user, per-team recyclable-spend receipts your CFO can read.

The console

See spend per user. Then control it.

At fleet scale — thousands of agents, hundreds of seats, one bill — nobody can say who burns what or which spend is recoverable. CAIRN rolls every decision up by user, team and agent: visibility today (ships in the open-source audit), then the runtime adds the control plane — per-user budgets, caps and alerts, certified recycling enforced by policy, receipts for finance.

CAIRN CONSOLE · SHADOW MODE · NIGHTLY FLEET (ILLUSTRATIVE)
UserTool callsTokensCertified reuseRecyclableSaved / night
nightly-fleet-0488,20441.2M1,4129.8%$24.10
nightly-fleet-0171,53033.9M1,1878.9%$19.80
pr-review-bot64,11825.1M9487.4%$15.20
monorepo-sweeper52,37722.6M7626.1%$12.40
nightly-fleet-0249,84619.8M5314.9%$9.90
(6 more users)86,73331.7M1942.2%$9.60
fleet total / night412,808174.3M5,034$91.00
TODAY · OSS

Visibility

Per-user / per-team spend and recyclable share, from your own traces. Ships in the audit now.

RUNTIME

Budgets & alerts

Caps per user, team or fleet; alerts when an agent's burn or false-hit rate drifts.

RUNTIME

Policy enforcement

Certified reuse served automatically under policy — spend control that never trades away correctness.

Illustrative fleet built from the measured corpus ratios; dollars are net of provider prompt caching at claude-sonnet-4.5 prices. The per-user rollup ships in the open-source audit today (traces with user_id fields get it automatically).

The bill at scale

This is not a $100-a-month problem

What large companies actually spend on agent tokens, from public reporting this year:

Meta

73.7 trillion tokens in ~30 days of internal AI use — costs approaching billions per year. They built an internal per-user leaderboard ("Claudeonomics") and spending caps. That window is this product.

Uber

$500–2,000 per engineer per month; blew its 2026 AI budget in four months; now caps spend at $1,500 per engineer per tool.

Microsoft & Salesforce

Microsoft pulled agent licenses at ~$2,000/engineer/month. Salesforce's Anthropic bill: ~$300M/year. One enterprise hit $500M in a single month with no caps.

YOUR FLEET, ROUGHLY
annual agent bill$2,400,000
certified-recyclable floor · ~4% measured intra-session, net of provider caching$96,000
with cross-run recycling · measured 6.6× the intra-session pool$633,600
upper bound · no provider caching$600,000

Percentages are estimates derived from measured public corpora (10.5% repeated commands, 42% of re-read tokens avoidable) — labeled so; the honest way to replace them with your number is a one-day shadow audit. Cross-run recycling is now measured: regrouping the same corpus by repository instead of session multiplies certified-recyclable point tokens 6.6× (15.2M → 100.2M) at the same measured safety rate — reuse across nightly runs is what provider prompt caches structurally cannot do.

The honest math

Two prices, both defensible — we quote the floor

Most savings claims assume you pay full price for every repeated token. You don't — providers already discount cached prefixes. CAIRN prints both numbers and tells you which to believe.

Upper bound — no provider prompt caching$6,710 / corpus
Floor — carried context at cache-read rates$911 / corpus
False-hit rate, measured per tracealways visible

Per-model price tables, tiktoken token counts, upper-bound models labeled as upper bounds, refusal to claim unverifiable savings — the caveats aren't fine print, they're the product.

Design partners

Bring one night of traces. Keep the receipt either way.

The audit is MIT-licensed and runs on your side — no integration, no data leaves your machine. If the number is big, we talk about the runtime that banks it. If it isn't, you've lost fifteen minutes and gained a measurement.