new A next-generation Go + Rust engine see why ↓
3 ingest modes · 200+ CAVERN rules · agentless

The deepest AI / LLM security coverage in the industry. Inside your SIEM, not beside it.

Copilot, ChatGPT, Claude, Bedrock, and the agents you build: to a legacy SIEM it is all just HTTPS. Caver gives you three ways in. Pull provider audit logs (metadata only), drop an inline proxy that runs threat detection on every live exchange (verdict-only: prompt and completion content is never persisted), or emit first-party events from your own agents. Everything lands in one ai_observability index, where 200+ CAVERN rules and 24 AI content packs run beside the rest of your security data.

how it works pull · proxy · emit → one index
AI TRAFFIC
Microsoft Copilot
OpenAI / ChatGPT
Anthropic / Claude
Azure OpenAI
Amazon Bedrock
Google Vertex AI
LiteLLM / gateways
AI Observatory
index=ai_observability
pull · proxy · emit
200+ CAVERN rules · verdict-only · content never persisted
SOC RESPONSE
CAVERN rule fires
Entity risk timeline
SLAM playbook
Oncall alert
AI dashboards
Identity + endpoint join
Compliance export
ingest modes
3
pull · proxy · emit
detection rules
200+
CAVERN · ATT&CK-tagged
AI content packs
24
rules · dashboards · response
agents required
0
agentless · no DLP payload capture
three ways in

Three ingest modes. One index.

Every environment is different: locked-down provider suites, gateways in the middle, homegrown agents. AI Observatory meets the traffic where it is, and every mode lands in the same ai_observability index, so the rules and dashboards never care how an event arrived.

1
pull metadata only

Pull provider audit logs

Connect the provider admin APIs and Caver pulls usage and audit logs on a schedule: who called which model, when, token counts, spend, and configuration changes. Metadata only, and nothing sits in the request path.

  • Zero footprint: no proxy, no agent, no SDK change.
  • The fastest route to a shadow-AI and governance baseline.
  • Covers managed suites, like Microsoft Copilot, that you cannot proxy.
provider audit API → index=ai_observability
2
proxy verdict-only

Inline LLM proxy

Point your SDK base URL at the proxy and it forwards traffic to the provider while inspecting every exchange in flight. Inline threat detection runs on each prompt and completion as it passes, and what lands in the lake is the verdict: rule results, scores, model, token counts, caller identity. Prompt and completion content is never persisted.

  • Inline detection on every live exchange, not on yesterday’s logs.
  • Verdict-only by design: the lake stores judgments, never conversations.
  • One base-URL change; works with any OpenAI-compatible endpoint or gateway.
base_url → caver proxy → provider · verdicts → index=ai_observability
3
emit richest context

First-party emitter

Your own agents and applications emit structured AI events straight into the lake: model calls, tool invocations, MCP bridge activity, agent decisions. The deepest mode, with custody in your hands: you decide exactly what each event includes.

  • Full agent context: tool calls, chains, MCP activity.
  • You choose the payload, from verdict-grade minimal to full detail.
  • Instruments the agents no proxy can see inside.
your agent → emit(event) → index=ai_observability

Mix modes freely. A Copilot estate on audit pulls, engineering traffic through the proxy, and your own agents emitting first-party events: one index, one rule corpus, one entity risk model. An event is an event, whichever door it came through.

detection corpus

200+ CAVERN rules. Built for AI threats.

Purpose-built detections across the AI threat surface, shipped in 24 AI content packs and tuned per source. Each rule carries a severity, an ATT&CK mapping where a technique applies, and a risk contribution, so AI detections score entities the same way everything else in CAVERN does. A sample of the corpus:

Prompt injection

Direct, indirect, and leak-back: the front door of the AI threat surface.

Direct injection high T1059

Role-override phrasing, “ignore previous”, and base64 blobs smuggled into completion requests.

RAG indirect injection high T1059

Injection payloads riding document chunks through the RAG pipeline: the attack surface is the knowledge base, not the prompt.

System prompt leak-back critical T1213

A sentinel string planted in the system prompt appears in a completion: a confirmed jailbreak, not a guess.

Credential & data leakage

What your people paste in, and what the model hands back.

API key in prompt critical T1552

AWS, GitHub, Anthropic, OpenAI, Stripe, and Slack token shapes caught in prompt text.

PII in completion high T1567

SSNs, card numbers, phone runs, and email patterns in the response stream.

Shadow AI

The tools nobody approved, and the usage nobody expected.

Model shopping medium T1190

One user touching five or more distinct models inside an hour: guardrail probing or cost evasion.

Off-hours token burst medium T1078

Usage spiking to 5x a user’s 30-day median between 22:00 and 06:00: scraper, or compromised identity.

AI spend spike medium T1496

Per-user token cost past the operator threshold: abuse, or a stolen key at work.

Agent-framework abuse

Agents with tools are attack surface. Watch what they actually do.

Tool-call anomaly high

An agent invoking tools outside its established baseline set.

Runaway loop medium

Recursion depth and spend escaping an agent’s normal envelope.

Vector-DB exfiltration

The knowledge base is data. Attackers treat it that way.

Training-data extraction high T1567

Large-volume structured queries shaped like dataset extraction, not conversation.

Bulk similarity sweep high

Systematic scans walking the embedding store section by section.

Supply-chain compromise

The model itself is a dependency. Verify it like one.

Known-malicious model critical T1195

Model name or hash matching the threat-intel feed of compromised, backdoored, or policy-violating artifacts.

Unsanctioned model source high

A model pulled from a registry or endpoint outside the approved set.

mcp instrumentation

Every MCP tool call, on the record.

The LLM-to-MCP bridge is instrumented end to end: every tool call an assistant makes lands as a structured event with the server, the tool, argument metadata, the caller identity, and the outcome. Rules watch for tool-call anomalies and unsanctioned MCP servers, and the whole trail is queryable like any other index.

LLM-to-MCP bridge tool-call audit unsanctioned-server detection
event.class   mcp_tool_call
mcp.server    internal-finance
mcp.tool      query_ledger
actor.user    j.doe@corp.example
verdict       anomalous: outside baseline tool set
coverage

24 AI content packs. The tools you actually run.

Each pack bundles the detection rules, dashboards, and response hooks for one AI surface, OCSF-normalised like everything else in the lake. And because the proxy speaks OpenAI-compatible, self-hosted inference is covered the day you stand it up.

Managed providers

audit-log pull + proxy
OpenAIAnthropicAzure OpenAIAmazon BedrockGoogle Vertex AIMicrosoft CopilotHugging Face

Gateways

proxy-native
LiteLLMPortkey

Local inference

OpenAI-compatible
OllamaLM Studiollama.cpp

Agent surfaces

first-party emitter
MCP tool-call bridgeLangFlowyour own agents

Running an AI tool not named here? Anything that emits structured telemetry, or speaks an OpenAI-compatible API, lands in the same index. Ask about a source →

why it wins

Point AI-security tools stop at the AI. Caver correlates.

Standalone AI-security products watch model traffic in isolation and hand your SOC one more console. AI Observatory is part of the SIEM: the same lake, the same rules engine, the same response layer as the rest of your security data.

One lake, not a silo

AI telemetry lands beside identity, endpoint, and network data. Context is a join away, not an export away.

Correlation point tools cannot make

A prompt-injection hit joins against the same user’s sign-in history, endpoint alerts, and network flows in a single query.

Risk accrues to the entity

AI detections feed the same per-entity risk timelines as everything else, so guardrail probing plus quiet exfiltration surfaces as one story, not two alerts in two tools.

No separate console

Same five query languages, same dashboards, same SLAM playbooks and oncall. Your analysts already know how to work an AI notable.

And it stays agentless: no endpoint agent to roll out, no DLP-style TLS break at the perimeter. Detection works from structured events, not raw payload capture.

Questions.
Probably what you came here to know.

If your question is not here, the answer is almost always in the docs.

Provider audit-log pulls cover the managed platforms: Microsoft Copilot for M365, OpenAI, Anthropic, Azure OpenAI, Amazon Bedrock, and Google Vertex AI. The inline proxy covers anything that speaks an OpenAI-compatible API, including LiteLLM and Portkey gateways and local inference servers like Ollama, LM Studio, and llama.cpp. The first-party emitter covers the agents and applications you build yourself, including MCP tool-call activity.

No. The proxy inspects each exchange in flight and runs inline threat detection while the request passes through, but what it persists is the verdict: which rules evaluated, what fired, scores, model, token counts, and caller identity. Prompt and completion content is never persisted to the lake. If you want fuller detail for your own agents, that is an explicit choice you make with the first-party emitter.

Most teams start with audit-log pulls: zero footprint, and a shadow-AI baseline in an afternoon. Add the inline proxy where you want live, per-exchange detection depth, and the first-party emitter for agents you build yourself. The modes mix freely and all land in the same ai_observability index, so starting narrow costs nothing later.

DLP inspects raw HTTP payloads at the network layer, which means TLS termination at the perimeter, a large false-positive blast radius, and blind spots for AI-specific threat patterns like prompt injection, jailbreak sequences, and model supply chain. AI Observatory works from structured events: provider audit logs, inline proxy verdicts, and first-party telemetry, with purpose-built detection logic per AI threat class and the same CAVERN risk scoring and SLAM playbook integration as the rest of your security data.

Point tools watch model traffic in isolation and give your SOC one more console to check. AI Observatory is part of the SIEM: AI telemetry lands in the same lake as identity, endpoint, and network data, a prompt-injection hit correlates with the same user’s sign-in history and endpoint alerts in one query, risk accrues to one entity timeline, and response runs through the SLAM playbooks you already operate.

The detection lands as a CAVERN notable with a risk contribution on the entity involved, ATT&CK-tagged where a technique applies. The standard AI Observatory playbook routes it to a queue, enriches it with the user’s identity context, and posts to your oncall channel; critical severities open a SLAM case automatically. Playbooks are operator-editable, so the response is yours to shape.

Yes. The three ingest modes are the reference paths, but anything shaped as OCSF events landed in the lake works: the CAVERN rules query by OCSF fields, not by collector origin. If you already run an AI gateway that emits structured logs, point it in.

It is included in the per-deployment Caver commercial license: not a separate SKU, not metered separately. Pricing is custom per deployment; contact matt@redeyesecurity.com, and see the pricing page for the general Caver structure.

caver ai observatory

AI security visibility that ships today. Inside the SIEM you already wanted.

Three ingest modes, 200+ rules, 24 packs, one index, and every AI detection correlated with the identity, endpoint, and network data next to it.