The deepest AI / LLM security coverage in the industry. Inside your SIEM, not beside it.
Copilot, ChatGPT, Claude, Bedrock, and the agents you build: to a legacy SIEM it is all just HTTPS. Caver gives you three ways in. Pull provider audit logs (metadata only), drop an inline proxy that runs threat detection on every live exchange (verdict-only: prompt and completion content is never persisted), or emit first-party events from your own agents. Everything lands in one ai_observability index, where 200+ CAVERN rules and 24 AI content packs run beside the rest of your security data.
Three ingest modes. One index.
Every environment is different: locked-down provider suites, gateways in the middle, homegrown agents. AI Observatory meets the traffic where it is, and every mode lands in the same ai_observability index, so the rules and dashboards never care how an event arrived.
Pull provider audit logs
Connect the provider admin APIs and Caver pulls usage and audit logs on a schedule: who called which model, when, token counts, spend, and configuration changes. Metadata only, and nothing sits in the request path.
- ✓ Zero footprint: no proxy, no agent, no SDK change.
- ✓ The fastest route to a shadow-AI and governance baseline.
- ✓ Covers managed suites, like Microsoft Copilot, that you cannot proxy.
Inline LLM proxy
Point your SDK base URL at the proxy and it forwards traffic to the provider while inspecting every exchange in flight. Inline threat detection runs on each prompt and completion as it passes, and what lands in the lake is the verdict: rule results, scores, model, token counts, caller identity. Prompt and completion content is never persisted.
- ✓ Inline detection on every live exchange, not on yesterday’s logs.
- ✓ Verdict-only by design: the lake stores judgments, never conversations.
- ✓ One base-URL change; works with any OpenAI-compatible endpoint or gateway.
First-party emitter
Your own agents and applications emit structured AI events straight into the lake: model calls, tool invocations, MCP bridge activity, agent decisions. The deepest mode, with custody in your hands: you decide exactly what each event includes.
- ✓ Full agent context: tool calls, chains, MCP activity.
- ✓ You choose the payload, from verdict-grade minimal to full detail.
- ✓ Instruments the agents no proxy can see inside.
Mix modes freely. A Copilot estate on audit pulls, engineering traffic through the proxy, and your own agents emitting first-party events: one index, one rule corpus, one entity risk model. An event is an event, whichever door it came through.
200+ CAVERN rules. Built for AI threats.
Purpose-built detections across the AI threat surface, shipped in 24 AI content packs and tuned per source. Each rule carries a severity, an ATT&CK mapping where a technique applies, and a risk contribution, so AI detections score entities the same way everything else in CAVERN does. A sample of the corpus:
Prompt injection
Direct, indirect, and leak-back: the front door of the AI threat surface.
Role-override phrasing, “ignore previous”, and base64 blobs smuggled into completion requests.
Injection payloads riding document chunks through the RAG pipeline: the attack surface is the knowledge base, not the prompt.
A sentinel string planted in the system prompt appears in a completion: a confirmed jailbreak, not a guess.
Credential & data leakage
What your people paste in, and what the model hands back.
AWS, GitHub, Anthropic, OpenAI, Stripe, and Slack token shapes caught in prompt text.
SSNs, card numbers, phone runs, and email patterns in the response stream.
Shadow AI
The tools nobody approved, and the usage nobody expected.
One user touching five or more distinct models inside an hour: guardrail probing or cost evasion.
Usage spiking to 5x a user’s 30-day median between 22:00 and 06:00: scraper, or compromised identity.
Per-user token cost past the operator threshold: abuse, or a stolen key at work.
Agent-framework abuse
Agents with tools are attack surface. Watch what they actually do.
An agent invoking tools outside its established baseline set.
Recursion depth and spend escaping an agent’s normal envelope.
Vector-DB exfiltration
The knowledge base is data. Attackers treat it that way.
Large-volume structured queries shaped like dataset extraction, not conversation.
Systematic scans walking the embedding store section by section.
Supply-chain compromise
The model itself is a dependency. Verify it like one.
Model name or hash matching the threat-intel feed of compromised, backdoored, or policy-violating artifacts.
A model pulled from a registry or endpoint outside the approved set.
Every MCP tool call, on the record.
The LLM-to-MCP bridge is instrumented end to end: every tool call an assistant makes lands as a structured event with the server, the tool, argument metadata, the caller identity, and the outcome. Rules watch for tool-call anomalies and unsanctioned MCP servers, and the whole trail is queryable like any other index.
event.class mcp_tool_call mcp.server internal-finance mcp.tool query_ledger actor.user j.doe@corp.example verdict anomalous: outside baseline tool set
24 AI content packs. The tools you actually run.
Each pack bundles the detection rules, dashboards, and response hooks for one AI surface, OCSF-normalised like everything else in the lake. And because the proxy speaks OpenAI-compatible, self-hosted inference is covered the day you stand it up.
Managed providers
audit-log pull + proxyGateways
proxy-nativeLocal inference
OpenAI-compatibleAgent surfaces
first-party emitterRunning an AI tool not named here? Anything that emits structured telemetry, or speaks an OpenAI-compatible API, lands in the same index. Ask about a source →
Point AI-security tools stop at the AI. Caver correlates.
Standalone AI-security products watch model traffic in isolation and hand your SOC one more console. AI Observatory is part of the SIEM: the same lake, the same rules engine, the same response layer as the rest of your security data.
One lake, not a silo
AI telemetry lands beside identity, endpoint, and network data. Context is a join away, not an export away.
Correlation point tools cannot make
A prompt-injection hit joins against the same user’s sign-in history, endpoint alerts, and network flows in a single query.
Risk accrues to the entity
AI detections feed the same per-entity risk timelines as everything else, so guardrail probing plus quiet exfiltration surfaces as one story, not two alerts in two tools.
No separate console
Same five query languages, same dashboards, same SLAM playbooks and oncall. Your analysts already know how to work an AI notable.
And it stays agentless: no endpoint agent to roll out, no DLP-style TLS break at the perimeter. Detection works from structured events, not raw payload capture.
Questions.
Probably what you came here to know.
If your question is not here, the answer is almost always in the docs.
AI security visibility that ships today. Inside the SIEM you already wanted.
Three ingest modes, 200+ rules, 24 packs, one index, and every AI detection correlated with the identity, endpoint, and network data next to it.