TL;DR
Browser extension: prompt-level visibility on ChatGPT, Claude, Gemini, Perplexity, and similar in Chrome, Edge, Brave, Arc. Catches what gets typed.
Desktop app (Mac, PC): visit-level visibility on every AI host the laptop talks to, plus every recognized AI desktop app and CLI coding agent that runs. Catches what gets opened.
MCP Gateway (bundled in the desktop app, Sentinel and Fleet only): in-path proxy for the MCP servers Claude Desktop, Cursor, and Claude Code call. Catches what your agents reach for.
One install path is rarely enough in 2026. Browser-only is fine for a non-engineering team in Q1; engineering-heavy teams should install both on day one and keep the MCP Gateway on.
The four surfaces in 60 seconds
01 · Browser
Northbeams browser extension
Manifest V3 extension for Chrome, Edge, Brave, Arc. Classifies prompts on supported AI tool sites. Sees the prompt before it leaves the page. Does not see anything outside the browser.
02 · Desktop
Northbeams for Mac and PC
Native menu-bar (Mac) and system-tray (PC) app. Watches outbound connection metadata and recognized-process events. Does not read connection contents. Signed .pkg and .msi, MDM-deployable.
03 · CLI
Same desktop app
Catches CLI coding agents (Claude Code, Aider, similar) running on the same laptop, by matching against the recognized-tools list. No separate install.
04 · MCP
MCP Gateway, in the desktop app
Local stdio proxy that wraps the MCP servers configured in Claude Desktop, Cursor, and Claude Code. Classifies arguments on-device. Allow / warn / block per tool. Sentinel and Fleet only. No separate install.
What each surface catches
The simplest way to read this table is "if my employee is using X, will Northbeams see it with surface Y?"
| Use case | Browser extension | Desktop app (Mac, PC) | MCP Gateway (Sentinel) |
|---|---|---|---|
| Pasting source code into ChatGPT in Chrome | Prompt-level finding | Connection event only | Not visible |
| Pasting source code into ChatGPT Desktop (native app) | Not visible | Process + connection event | Not visible (ChatGPT Desktop has no MCP) |
Running claude at the terminal |
Not visible | Process + connection event | Per-tool MCP call audit |
| Cursor editing a repo locally | Not visible | Process + connection event | Per-tool MCP call audit |
| Cursor calling the GitHub MCP to delete a file | Not visible | Process event, not the action | Tool name + action + block decision |
| Claude Desktop calling the Postgres MCP against prod | Not visible | Process event, not the query | Tool name + warn + sha256 of args |
| Claude Code calling the Stripe MCP to create a refund | Not visible | Process event, not the action | Tool name + block + audit log |
| Granola summarizing a Zoom call | Not visible | Process + connection event | Not visible (Granola has no MCP) |
| Claude.ai chat in Safari or Firefox | Not visible (Chromium-only extension) | Connection event | Not visible |
| Notion AI feature inside Notion in the browser | Prompt-level if input is recognized | Connection to api.notion.com only | Not visible |
| Personal Gemini account, in Chrome, on the company laptop | Prompt-level finding | Connection event only | Not visible |
| Personal Gemini account, in Chrome, on a personal laptop | Not visible (no install) | Not visible (no install) | Not visible (no install) |
Two patterns to notice. First, the browser extension is the only surface that gives you prompt-level visibility, but it only does so on Chromium-family browsers and only for sites in the supported list. Second, the desktop app sees more shapes of AI activity (every desktop app, every CLI tool, every browser including Safari and Firefox) but only at the visit and connection level.
When to start with the browser extension only
The browser extension alone is enough for these cases:
- Non-technical teams where the AI surface is mostly ChatGPT, Claude, Gemini, and Perplexity in the browser. Sales, marketing, ops, finance, customer success.
- BYOD setups where the company cannot push a desktop app to laptops it does not own. The browser extension self-installs from the Chrome Web Store and pairs to the workspace with one paste of a workspace key.
- Quarter-one quick win. The extension is a 30-second install per laptop. The desktop app needs MDM or a manual run-through. If you need numbers in a board meeting Friday, the extension is the right Tuesday-morning move.
Caveat: in 2026, "non-technical" is shrinking. A marketer who runs Cursor to edit a landing page is now common. A finance lead who runs Claude Desktop to summarize a board pack is now common. If you are in doubt, start with both.
When to start with the desktop app only
The desktop app alone is enough for these cases:
- Engineering-only teams where the AI surface is dominated by CLI coding agents, IDE-embedded agents, and desktop apps. Most of the shadow AI in a 20-engineer Series-A is not in the browser; it is in the terminal and in Cursor.
- Audits where the question is "do you have visibility into AI desktop apps?" The browser extension cannot honestly answer this question. The desktop app can.
- Mixed-browser teams. If half the company uses Safari or Firefox, the browser extension is going to miss half the team. The desktop app does not care which browser is open.
Caveat: the desktop app does not give you prompt-level findings, only connection-level events. If your auditor or your security team wants to see "what was actually pasted into the AI," you need the browser extension on top.
Both, side by side
The two surfaces overlap on browser-based AI tools (the desktop app catches the connection, the extension catches the prompt) and complement each other everywhere else. Running both on the same laptop is the configuration most paying Northbeams customers end up at within 30 days. The dashboard de-duplicates events that come from both surfaces, so you do not get double-counted findings.
Both-installed coverage in numbers, from Northbeams 2026 customer-base data:
- 92% of the top-100 browser AI tools are caught by the extension.
- 4 recognized desktop AI apps are caught by Mac and PC: Claude Desktop, ChatGPT Desktop, Cursor, Granola.
- 2 CLI coding agents are caught: Claude Code, Aider.
- 21 AI service hosts have outbound-connection signatures in the bundled catalogue.
The desktop and CLI catalogues are smaller than the browser catalogue because the universe is smaller; we add to all three each quarter. The full live count, refreshed quarterly, is at /coverage.
What about employees on personal laptops?
The honest answer is "neither surface catches that." Northbeams runs on the device. If the device is personal and you have not installed Northbeams on it, you do not see what happens there. There are two reasonable responses to that gap:
Block-list at the SSO and SaaS layer. If your sanctioned-AI policy says "only the company-paid Claude account," you can require SSO sign-in to all sanctioned AI accounts and treat any other AI activity as out-of-policy. Northbeams will catch the personal-laptop activity if it touches a paired device, and your SSO logs catch the company-laptop activity that should be going through sanctioned accounts.
Accept the gap and document it. For non-regulated SMBs, the marginal value of catching the last 10% of personal-laptop AI activity is usually not worth the privacy and morale cost of mandating Northbeams on personal devices. Document the gap in your AI policy. Most auditors accept "we cover company-managed devices" as a defensible posture.
Recommendation matrix
A short rule of thumb based on what we see Northbeams customers actually do:
| Team profile | Start with | Add by Q2 |
|---|---|---|
| 15-person agency, no engineers | Browser extension | Desktop app if Granola or similar shows up |
| 50-person SaaS, mixed roles | Both, day one | SSO integration for tier upgrade |
| 20-engineer Series-A | Desktop app | Browser extension when product/marketing hires |
| Regulated SMB (HIPAA, SOC 2) | Both, day one | MDM rollout in week two |
| Remote-only with BYOD | Browser extension | Desktop app on company-owned laptops only |
FAQ
Do I need to install all three Northbeams surfaces?
No. Each surface works on its own. Most companies start with the browser extension, because it covers the largest single category of shadow AI. Engineering-heavy companies should add the desktop app on day one.
Does the browser extension catch ChatGPT Desktop?
No. ChatGPT Desktop is a native app, not a browser tab. Install the Northbeams desktop app for Mac or PC to catch it.
Does the desktop app catch ChatGPT in the browser?
Partially. It sees the connection to chat.openai.com but not the prompt content. For prompt-level browser visibility, install the extension.
Do I need a separate install for CLI coding agents?
No. The desktop app already watches CLI tools on the same laptop.
What if my team uses multiple browsers?
Install the extension in each Chromium browser. For Firefox or Safari, the desktop app is the right answer.
Is one install enough for the audit?
It depends on what you are claiming. The defensible 2026 answer is all three.
Pick your install path.
The Chrome Web Store listing for the browser extension and the signed Mac and PC installers are all on one page.