Not Ranked by Links.
Ranked by Trust.

Google ranks the human web by who links to you. AgenticSearch ranks the agent web by whether you can prove who you are.

Agents don't have judgement. They act on whatever they receive.
The trust bar needs to be higher.

Trust Levels

Every source in our index receives a trust level based on three verifiable signals. No opinions. No gaming. Just cryptographic proof.

| Level | Requirement | What it means |
| --- | --- | --- |
| L0 | None | Listed. No identity. Anonymous. Highest risk. This is where 99.4% of the MCP ecosystem sits today. |
| L1 | Cryptographic identity | The agent has a verifiable key pair. We know who it claims to be. If it does something bad, we know who to hold accountable. |
| L2 | L1 + signs responses | Every response is cryptographically signed. Consumers can verify nothing was tampered with in transit. |
| L3 | L2 + valid schema | Responses match declared capabilities. The agent does what it says it does. Fully transparent. |
| L4 | L3 + domain compliance | Meets domain-specific requirements: PCI DSS for payments, HIPAA for healthcare, SOC 2 for enterprise. Not all agents need L4. |

How Two Agents at the Same Level Get Ranked

When two agents share the same trust level, we use secondary signals to determine order:

    // Primary: Trust Level (L0-L4)
    compositeScore = (
        trustLevel   * 0.40  // L0=0, L1=0.25, L2=0.5, L3=0.75, L4=1.0
      + relevance    * 0.30  // how closely capabilities match the query
      + schemaScore  * 0.15  // quality of tool descriptions, typed params, examples
      + identityAge  * 0.10  // how long the key has existed (not uptime)
      + responseTime * 0.05  // faster = slightly higher
    )

    // Trust is the dominant signal. Always.
    // An L3 agent ALWAYS outranks an L2, regardless of other factors.
    // Secondary signals only break ties within the same level.

Identity age vs uptime: We don't penalise ephemeral agents. An agent that lives 5 minutes with a signed identity is just as trustworthy as one running for a year. We track how long the identity key has existed, not how long the server has been up.
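The weighted sum alone does not enforce the rule that a higher level always wins: the secondary weights total 0.60, while adjacent levels differ by only 0.10 of composite score. The sketch below is an added example, not AgenticSearch code. It compares ordering by the sum with a trust-first ordering that uses the secondary signals only as a tie-breaker. Field names, sample agents and the [0, 1] normalisation of each signal are assumptions.

```javascript
// Added example: field names, sample agents and the [0, 1] normalisation of
// every signal are assumptions, not AgenticSearch code.
const LEVEL_SCORE = { L0: 0, L1: 0.25, L2: 0.5, L3: 0.75, L4: 1.0 };

// Unknown or missing levels are ranked as L0 rather than producing NaN.
const levelScore = (a) => LEVEL_SCORE[a.level] ?? 0;

// Secondary signals with the weights from the page (they sum to 0.60).
function secondaryScore(a) {
  return a.relevance * 0.30 + a.schemaScore * 0.15
       + a.identityAge * 0.10 + a.responseTime * 0.05;
}

// The weighted sum exactly as written on the page.
function compositeScore(a) {
  return levelScore(a) * 0.40 + secondaryScore(a);
}

// Ordering by the single weighted sum.
function rankByComposite(agents) {
  return [...agents].sort((x, y) => compositeScore(y) - compositeScore(x));
}

// Trust-first ordering: level decides, secondary signals only break ties.
function rankTrustFirst(agents) {
  return [...agents].sort((x, y) =>
    (levelScore(y) - levelScore(x)) ||
    (secondaryScore(y) - secondaryScore(x)));
}

// Constructed sample data.
const sampleAgents = [
  { id: "l3-weak",   level: "L3", relevance: 0.2, schemaScore: 0.5, identityAge: 0.1, responseTime: 0.5 },
  { id: "l2-strong", level: "L2", relevance: 1.0, schemaScore: 1.0, identityAge: 1.0, responseTime: 1.0 },
  { id: "l3-strong", level: "L3", relevance: 0.9, schemaScore: 0.8, identityAge: 0.5, responseTime: 0.9 },
];

const ids = (list) => list.map((a) => a.id);
console.log("weighted sum:", ids(rankByComposite(sampleAgents)));
console.log("trust first: ", ids(rankTrustFirst(sampleAgents)));
```

With these inputs the weighted sum places the L2 agent first, while the trust-first ordering keeps both L3 agents above it.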

Accepted Identity Providers

AgenticSearch accepts any verifiable cryptographic identity. We verify the math, not the brand.

AgentSign: ECDSA P-256 key pair. Easiest path -- L0 to L3 in one npm install.

X.509 Certificates: Any CA. Let's Encrypt, DigiCert, internal PKI. We verify the certificate chain.

SPIFFE / SVID: Service identity from your mesh. SPIRE-issued SVIDs are accepted.

DID (Decentralized ID): Any DID method. did:key, did:web, did:ion. We resolve and verify.

Raw Public Key: ECDSA P-256, Ed25519, or RSA-2048+. Bring your own key. We verify the signature.

Org-Issued: Your org's key management (HashiCorp Vault, AWS KMS, Azure Key Vault). You issue, we verify.

The Fastest Path to L3

With AgentSign + mcp-secure, your agent goes from L0 to L3 in two packages:

    # Install identity + signing
    npm install agentsign mcp-secure

    # Your agent now has:
    # - ECDSA P-256 key pair (identity)   = L1
    # - Per-message signing (integrity)   = L2
    # - Schema already valid if MCP works = L3

    # No other path gets you from L0 to L3 in one install.
    # SPIFFE needs a SPIRE server. X.509 needs a CA.
    # DID is still mostly spec. Raw keys need custom code.
    # AgentSign just works.

Not locked in. You can switch to X.509 or SPIFFE later. We accept any identity. AgentSign is just the fastest way to start.

What Trust Doesn't Mean

Trust is not endorsement. An L3 agent is identified, signed, and schema-valid. It doesn't mean we vouch for what it does.

Trust is accountability. An L0 agent does damage and disappears. An L3 agent does damage and gets caught -- its identity is known, its key is revocable, every signed response is evidence.

Which would you rather your agents interact with?

L0 malware agent

No identity. No signatures. Invisible. Does damage. Disappears. No trail. No accountability.

L3 malware agent

Identified. Every response signed. Full audit trail. Gets caught. Warning labels applied. Every agent in the ecosystem sees the warnings and decides for itself.

How Warnings Work

AgenticSearch is a scoreboard, not a judge. We never alter an agent's trust score based on reports or accusations. We add factual warning labels. The consuming agent sees the label and makes its own decision.

| Warning | Trigger | Effect on trust score |
| --- | --- | --- |
| CVE PENDING | CVE filed in GitHub Advisory Database | None. Label only. |
| SIG INCONSISTENT | Signature verification failed on 3+ consecutive crawls | None. Label only. |
| REPORTS PENDING | Multiple reports from verified (L2+) agents | None. Label only. |
| SCHEMA CHANGED | Tool schema changed since last verification | None. Label only. |
| OWNER WITHDRAWN | Owner voluntarily withdrew the agent | None. Label only. |

Why we don't change scores: False positives happen. A network blip shouldn't destroy an agent's reputation. A disputed CVE shouldn't tank a business. We report what we observe. The consuming agent applies its own risk tolerance. A financial agent might skip anything with CVE PENDING. A research agent might not care. That's their decision, not ours.
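A consumer-side sketch of that split between labels and decisions, as an added example that is not AgenticSearch or mcp-secure code. It derives SIG INCONSISTENT from crawl history, so a single failed check does not raise it, and applies a per-consumer policy. The entry shape, both policies and the reading of "3+ consecutive crawls" as the most recent run are assumptions.

```javascript
// Added example: entry shape, policies and sample data are constructed.
const LEVELS = ["L0", "L1", "L2", "L3", "L4"];

// Length of the trailing run of failed signature checks (newest crawl last).
function consecutiveSigFailures(crawls) {
  let run = 0;
  for (let i = crawls.length - 1; i >= 0 && !crawls[i].sigValid; i--) run++;
  return run;
}

// Labels attached to an entry; the trust level itself is never modified.
function warningLabels(entry) {
  const labels = new Set(entry.labels || []);
  if (consecutiveSigFailures(entry.crawls || []) >= 3) labels.add("SIG INCONSISTENT");
  return labels;
}

// The consumer decides. An unknown level has index -1 and is rejected
// (fail closed) because it falls below every valid minimum level.
function accept(entry, policy) {
  if (LEVELS.indexOf(entry.level) < LEVELS.indexOf(policy.minLevel)) return false;
  const labels = warningLabels(entry);
  return !policy.blockOn.some((label) => labels.has(label));
}

// Constructed policies: a strict consumer and a permissive one.
const financialPolicy = { minLevel: "L3", blockOn: ["CVE PENDING", "SIG INCONSISTENT"] };
const researchPolicy = { minLevel: "L1", blockOn: [] };

// Constructed index entries.
const ok = { sigValid: true }, bad = { sigValid: false };
const blip = { id: "blip", level: "L3", labels: [], crawls: [ok, bad, ok, ok] };
const flaky = { id: "flaky", level: "L3", labels: [], crawls: [ok, bad, bad, bad] };
const cve = { id: "cve", level: "L3", labels: ["CVE PENDING"], crawls: [ok, ok] };

for (const entry of [blip, flaky, cve]) {
  console.log(entry.id, [...warningLabels(entry)],
    "financial:", accept(entry, financialPolicy),
    "research:", accept(entry, researchPolicy));
}
```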

Dispute process: If a warning is wrong, the agent owner contacts us. We investigate. If the warning is unfounded, we remove it. No permanent damage. No trust score to rebuild.

The Numbers

| Metric | Count |
| --- | --- |
| Sources indexed | 1908 |
| Cryptographically signed | 6 |
| Unsigned | 1902 |
| Percentage with trust verification | 0.3% |

Google solved discovery for humans with PageRank. Agent discovery needs something fundamentally different -- because agents don't read web pages and make judgement calls. They execute whatever they receive.

Get Your Agent Verified

The fastest path from L0 to L3:

npm install agentsign mcp-secure

Or bring your own identity -- X.509, SPIFFE, DID, raw keys. We verify the math, not the brand.

agentsign.dev | mcp-secure on npm | IETF Draft