The AI Observatory watches production AI usage three ways: it pulls provider audit logs, proxies live LLM traffic for inline threat detection, and ingests first-party events from your own agents. Every exchange lands in the same OCSF lake as the rest of your security data, with CAVERN detection rules on top. No separate silo, no point-tool sprawl.
Three ingest modes
Run any one of these, or all three together. Whatever the mode, telemetry normalizes to OCSF Application Activity (class 6005) and lands in the ai_observability index, where CAVERN rules evaluate it next to your identity, endpoint, network, and cloud data.
What it detects
The bundled content targets the AI attack surface that traditional SIEM rules never see. Every detection runs against OCSF fields, not raw HTTP, so nothing depends on inspecting a payload the proxy chose not to keep.
Core CAVERN rules
api_key_leak_in_promptT1552 · credential accesssystem_prompt_exfil_suspectT1213 · collectionmodel_supply_chain_matchT1195 · supply chainprompt_injection_candidateT1059 · initial accessoutput_pii_leakT1567 · exfiltrationmodel_variance_burstT1190 · exploit public appoff_hours_token_spikeT1078 · valid accountscost_anomaly_per_userT1496 · resource hijackSupported AI tools and providers
Gateways: LiteLLM · Portkey · Cloudflare AI Gateway · Helicone · LangSmith Proxy · Kong AI Gateway
Agents & orchestration: LangChain · LangGraph · AutoGen · CrewAI · LlamaIndex · LangFlow · MCP servers
Coding assistants: GitHub Copilot · Cursor · Codeium · Tabnine · Continue.dev · Amazon Q · Sourcegraph Cody · Windsurf
Browser / computer-use: Claude Computer Use · Browser-Use · Skyvern · Multi-On · OpenInterpreter
Voice / image / multimodal: ElevenLabs · OpenAI Realtime · Bland AI · DALL-E · Midjourney · Stable Diffusion · Flux · Replicate · Runway
Vector DBs: Pinecone · Weaviate · Qdrant · Chroma · pgvector · Milvus · LanceDB
On-prem inference: Ollama · LM Studio · llama.cpp · vLLM · TGI · TensorRT-LLM · any OpenAI-compatible endpoint
Ingest normalizes to OCSF Application Activity via the caver-collector ai_usage_normalize source. Rules operate on OCSF fields only, so there is no raw HTTP inspection and no perimeter TLS break.
Part of the lakehouse, not a bolt-on
Point AI-security products stand up their own dashboard, their own alert store, and their own copy of your identity graph. The AI Observatory does the opposite. Because every AI event is OCSF Application Activity in the same Parquet lake as your firewall, EDR, and identity logs, a prompt-injection attempt is one query away from the IP that sent it, the identity behind that IP, the endpoint it ran on, and the tool calls that followed.
There is no export step, no second console, and no reconciliation between an AI silo and the SIEM. It is the SIEM. The same CAVERN content ships standalone for teams not yet on Caver and deep-integrated when Caver and caver-collector are present, so a detection you tune in one place behaves identically in the other.
Why it beats point AI-security tools
Inline guards and red-team platforms each solve one slice. They live outside your SOC, so a finding is an island. The AI Observatory is detection plus correlation on the same operator surface as the rest of your telemetry. Two well-known point tools show the contrast.
| Dimension | Point tools (Lakera, Mindgard) | Caver AI Observatory |
|---|---|---|
| Where it sits | Lakera guards the prompt boundary; Mindgard red-teams before deploy. | Runtime detection on live and historical AI traffic. |
| SOC correlation | None native, AI-side only. | Native: AI events sit next to identity, endpoint, network, and cloud. |
| Deployment | SaaS-first. | Self-hosted: on-prem, air-gapped, or cloud. |
| Spend and usage visibility | Limited. | Per-tenant LLM spend and usage tracking with budget alerts. |
| MCP tool-call audit | Not a focus. | First-class LLM-to-MCP bridge instrumentation. |
These are complementary, not mutually exclusive. Pair an inline guard that blocks at the prompt boundary with the Observatory that investigates what was blocked and what correlates with it, the same way a WAF pairs with a SIEM. The difference with Caver is that the SIEM half is already in place.
AI security should not be the one telemetry source that lives outside your SIEM. The AI Observatory runs standalone for teams not yet on Caver and deep-integrates when Caver and caver-collector are present, using identical CAVERN content on both sides.
See how the lakehouse works, or return to the Caver overview.