Caver
← All docs
caver-aisec · AI Observatory Security telemetry for every LLM, agent, and MCP tool call

The AI Observatory watches production AI usage three ways: it pulls provider audit logs, proxies live LLM traffic for inline threat detection, and ingests first-party events from your own agents. Every exchange lands in the same OCSF lake as the rest of your security data, with CAVERN detection rules on top. No separate silo, no point-tool sprawl.

3
Ingest modes
200+
CAVERN AI rules
OCSF 6005
Application Activity
1 lake
No separate silo

Three ingest modes

Run any one of these, or all three together. Whatever the mode, telemetry normalizes to OCSF Application Activity (class 6005) and lands in the ai_observability index, where CAVERN rules evaluate it next to your identity, endpoint, network, and cloud data.

1 · Pull audit logs
Poll provider audit logs for usage metadata: OpenAI, Anthropic, Azure OpenAI, Amazon Bedrock, GitHub Copilot, and the gateways. Zero inline footprint. Ideal for coverage, shadow-AI discovery, and cost governance. Metadata only: model, tokens, cost, org events, never prompt or completion bodies.
2 · Inline proxy
A zero-dependency reverse proxy sits in front of the model API, reconstructs each exchange including SSE streaming, and runs threat detection in-line. Verdict-only by default: it scores and flags each request, it does not persist prompt or completion content. The client is reconfigured, not intercepted, so there is no CA install and no TLS break.
3 · First-party emitter
Your own agents emit structured AI-usage events directly. Full-fidelity telemetry from the applications you build, carrying exactly the fields you choose to include. The cleanest signal, because you own the source and the schema.

What it detects

The bundled content targets the AI attack surface that traditional SIEM rules never see. Every detection runs against OCSF fields, not raw HTTP, so nothing depends on inspecting a payload the proxy chose not to keep.

Prompt injection & jailbreak
Direct and indirect injection: ignore-previous, developer-mode, role-swap, urgency appeals, base64 and translation smuggling, plus indirect injection carried in through a retrieved document or RAG corpus.
Data exfiltration via LLM
Credentials leaked into a prompt (AWS keys, GitHub and Slack tokens, PEM private keys), system-prompt extraction, and PII / PHI / PCI shape detection in prompt or completion. The LLM channel becomes a monitored egress path.
Tool-call abuse
Runaway agent loops, unsanctioned action chains, model-variance bursts that signal jailbreak shopping or cost evasion, and off-hours token spikes measured per user against a rolling baseline.
MCP tool-call audit
LLM-to-MCP bridge instrumentation: every Model Context Protocol tool call is logged and scored. Catches SSRF through tool calls, prompt injection returned inside an MCP response, and privilege escalation across a tool chain.

Core CAVERN rules

api_key_leak_in_promptT1552 · credential access
system_prompt_exfil_suspectT1213 · collection
model_supply_chain_matchT1195 · supply chain
prompt_injection_candidateT1059 · initial access
output_pii_leakT1567 · exfiltration
model_variance_burstT1190 · exploit public app
off_hours_token_spikeT1078 · valid accounts
cost_anomaly_per_userT1496 · resource hijack

Supported AI tools and providers

Foundation models: OpenAI (GPT-4 / GPT-4o / GPT-5) · Anthropic (Claude 4 / 5) · Google (Gemini · Vertex AI) · Microsoft Copilot · Amazon Bedrock · Azure OpenAI · Mistral · Cohere · AI21 · Hugging Face

Gateways: LiteLLM · Portkey · Cloudflare AI Gateway · Helicone · LangSmith Proxy · Kong AI Gateway

Agents & orchestration: LangChain · LangGraph · AutoGen · CrewAI · LlamaIndex · LangFlow · MCP servers

Coding assistants: GitHub Copilot · Cursor · Codeium · Tabnine · Continue.dev · Amazon Q · Sourcegraph Cody · Windsurf

Browser / computer-use: Claude Computer Use · Browser-Use · Skyvern · Multi-On · OpenInterpreter

Voice / image / multimodal: ElevenLabs · OpenAI Realtime · Bland AI · DALL-E · Midjourney · Stable Diffusion · Flux · Replicate · Runway

Vector DBs: Pinecone · Weaviate · Qdrant · Chroma · pgvector · Milvus · LanceDB

On-prem inference: Ollama · LM Studio · llama.cpp · vLLM · TGI · TensorRT-LLM · any OpenAI-compatible endpoint

Ingest normalizes to OCSF Application Activity via the caver-collector ai_usage_normalize source. Rules operate on OCSF fields only, so there is no raw HTTP inspection and no perimeter TLS break.

Part of the lakehouse, not a bolt-on

Point AI-security products stand up their own dashboard, their own alert store, and their own copy of your identity graph. The AI Observatory does the opposite. Because every AI event is OCSF Application Activity in the same Parquet lake as your firewall, EDR, and identity logs, a prompt-injection attempt is one query away from the IP that sent it, the identity behind that IP, the endpoint it ran on, and the tool calls that followed.

There is no export step, no second console, and no reconciliation between an AI silo and the SIEM. It is the SIEM. The same CAVERN content ships standalone for teams not yet on Caver and deep-integrated when Caver and caver-collector are present, so a detection you tune in one place behaves identically in the other.

Why it beats point AI-security tools

Inline guards and red-team platforms each solve one slice. They live outside your SOC, so a finding is an island. The AI Observatory is detection plus correlation on the same operator surface as the rest of your telemetry. Two well-known point tools show the contrast.

DimensionPoint tools (Lakera, Mindgard)Caver AI Observatory
Where it sitsLakera guards the prompt boundary; Mindgard red-teams before deploy.Runtime detection on live and historical AI traffic.
SOC correlationNone native, AI-side only.Native: AI events sit next to identity, endpoint, network, and cloud.
DeploymentSaaS-first.Self-hosted: on-prem, air-gapped, or cloud.
Spend and usage visibilityLimited.Per-tenant LLM spend and usage tracking with budget alerts.
MCP tool-call auditNot a focus.First-class LLM-to-MCP bridge instrumentation.

These are complementary, not mutually exclusive. Pair an inline guard that blocks at the prompt boundary with the Observatory that investigates what was blocked and what correlates with it, the same way a WAF pairs with a SIEM. The difference with Caver is that the SIEM half is already in place.

One stack, one query surface

AI security should not be the one telemetry source that lives outside your SIEM. The AI Observatory runs standalone for teams not yet on Caver and deep-integrates when Caver and caver-collector are present, using identical CAVERN content on both sides.

See how the lakehouse works, or return to the Caver overview.