1. Architecture
Three deployment modes meet your stack where it lives. SDK in-process, OpenAI-compatible proxy/gateway, or sidecar.
SDK mode
One-line `import skydaemon ; skydaemon.instrument()` — auto-wraps OpenAI / Anthropic / Bedrock / Vertex / Cohere / Mistral / Together / Groq client SDKs. p50 < 80 ms.
Proxy / gateway mode
OpenAI-compatible endpoint. Drop-in for any tool that speaks `OPENAI_BASE_URL`. Supports streaming, tool use, MCP, all auth flows.
Sidecar mode
Per-host or per-pod daemon. Air-gapped friendly. Deploy as Helm chart, Docker container, or single binary.
Privacy-by-default
Prompts hashed (SHA-256) at customer edge. SkyDaemon stores only hash + redacted matches. Full prompt content never leaves your environment.
2. Detection — 72 categories across 12 domains
Every threat category mapped to OWASP LLM Top 10, OWASP ASI 2026, MITRE ATLAS, MITRE ATT&CK Enterprise, CWE, NIST AI RMF 1.0, ISO/IEC 42001, EU AI Act articles.
Risk domains
What's uncontested ground
Confused deputy
Per-action provenance trace; privileged actions originating from non-user-turn content (RAG, tool output) are flagged.
Markdown image exfiltration
Output-channel exfil — outbound URL with high-entropy query parameter to a non-tenant domain. Bypasses input filters.
Data residency at the prompt level
PII detection + endpoint geo lookup → GDPR-grade finding. Not just network egress — prompt-level proof.
Denial-of-Wallet as a SOC notable
Cost-anomaly framed as a security event with dollar SLA. Auto-suspend on critical via cost-circuit-breaker policy.
Model-card drift
Continuous KS-test on output-embedding distribution + golden-set probe. Catches silent provider swaps.
Sleeper-agent activation
Anthropic-2024 backdoor failure mode — output distribution shift > 4σ when a candidate trigger appears.
Composite kill-chains
Cross-stage MITRE-ATLAS chains. Indirect injection → confused deputy → external action, surfaced as a single finding.
104-language detection
14 native classifiers + 30 multilingual + 60+ via NMT bridge. Code-mixed (Hinglish, Spanglish) + homoglyph + zero-width + RTL.
3. Policy engine
Declarative policy DSL with three modes, staged rollout, dry-run simulation, and a curated 30+ template library.
Three modes
Enforce halts the request. Shadow emits a finding without blocking. Log records without halting.
Staged rollout
1% → 10% → 50% → 100% with per-policy circuit breaker that auto-demotes to shadow if FP rate breaches threshold.
Dry-run simulation
Replay the last 24h of traffic against a draft policy. Surface allow / block delta + FP estimate before publishing.
Template library
30+ OWASP-aligned starters — `block-direct-prompt-injection`, `block-jailbreak`, `redact-pii-on-egress`, `dlp-egress-block`, `cost-circuit-breaker`, etc.
4. Red Team and pre-prod testing
Continuous adversarial probing. SkyDaemon's first-party Algorithmic Red Team uses Claude-as-attacker on your specific system prompt + agent capabilities.
Built-in suites
OWASP LLM Top 10 (2025) · OWASP ASI 2026 · MITRE ATLAS · multilingual injection · multimodal injection · jailbreak families · cost-explosion · context-bomb · bias counter-factual · hallucination citation-required.
External red-team tool integration
CI / pre-prod gate
`skydaemon/check-action` GitHub Action runs the full suite against staging endpoints. Produces SARIF for upload into GitHub Code Scanning. Non-zero exit on critical/high findings blocks the merge.
5. Approvals — Human-in-the-Loop
When an agent attempts a high-impact tool call, SkyDaemon pauses it and routes to a human approver via Slack / Teams interactive buttons.
Default high-impact classes
Money flow (`payment.*`, `transfer.*`, `purchase.*`); identity (`user.create`, `iam.*`); persistence (`database.write`, `email.send`); external execution (`code.execute`, `shell.exec`).
Multi-step workflow
SLA timers + escalation chains + reviewer pools + sticky decisions across `(agent, tool, hash)` tuples within a configurable window.
Slack / Teams native
Adaptive cards with approve / reject buttons. SkyDaemon validates the human approver's identity against the IdP before releasing the call.
Audit trail
Every approval / rejection logged as an OCSF API Activity event with full context.
6. Inventory and AI-SPM posture
Discover and catalog every AI agent, model, dataset, MCP server, vector store, library, cloud account, and IAM principal in your fleet.
SDK self-registration
Agents auto-register on first ingest. Owner, model, environment, lifecycle, risk score (0–100) tracked over time.
Cloud-account scanner
STS-based assume-role into AWS, Azure, GCP, OCI accounts. Walks EC2 / ECS / Lambda / SageMaker / Bedrock / Vertex for AI workloads.
Shadow AI discovery
Egress-traffic + DNS + SaaS-catalog match. Catches developer paste-into-ChatGPT pattern at the network layer.
MCP allow-list
Every MCP endpoint outside the registered allow-list lands a finding. Cert pinning + endpoint reputation + version policy.
7. Risk graph and blast-radius
Force-directed visualization of agent ↔ model ↔ data ↔ tool ↔ identity edges. Click any node for blast-radius computation.
Edge types: `uses_model`, `reads_corpus`, `calls_tool`, `assumes_role`, `deployed_in`, `derives_from` (fine-tune lineage). Filters by risk score, capability tier, lifecycle stage.
8. AI Bill of Materials
Per-agent inventory of every model, fine-tune, dataset, RAG corpus, vector DB, MCP tool, library — with SHA-256 fingerprints and signed-by attestations.
Export formats
Per-component fields
SHA-256 fingerprint · SLSA / Sigstore attestation · License + classification · Provenance trail to originating registry · For models: parameter count, training-data refs, eval-set refs · For datasets: row count, PII classification · For MCP tools: scope list, risk class, version · For libraries: CVE list with severity + patch path.
9. Compliance and reporting
11 frameworks with full per-finding control mapping. The EU AI Act Annex IV generator produces a single signed ZIP that drops into your conformity-assessment file.
Frameworks
Annex IV generator (one click)
Article 11 technical-documentation bundle. Sections A–H auto-populated from your inventory + findings + red-team results. Signed manifest with SHA-256 hashes.
Reports
Executive / board dashboard · CISO summary report · Per-engineering-team views · Auditor pack (SOC 2 / ISO / NIST evidence) · Continuous evidence push to Drata / Vanta / Secureframe / OneTrust / TrustArc.
10. Cost, FinOps and Denial-of-Wallet
Per-agent / per-model / per-tenant cost view — and DoW detection that frames cost-anomaly as a SOC notable, not a FinOps alert.
Tracked dimensions
Per-agent USD spend (day / week / month). Per-model spend with provider attribution. Per-tenant budget vs spend. Per-LLM-call cost. Token in/out per agent.
Denial-of-Wallet detector
`unbounded_consumption` finding fires when spend rate (USD/min) or token rate exceeds tenant baseline + 4σ.
Budgets
Per-agent / per-tenant USD ceilings. Hard caps trigger `cost-circuit-breaker` policy (auto-suspend). Soft caps trigger a finding without halting.
FinOps export
CSV + JSON with cost-allocation tags for Apptio / Vantage / Cloudability.
11. Audit log and chain-of-custody
Every mutating action against tenant resources is logged. OCSF v1.3 native. Splunk / Datadog / CEF / Sentinel exports built in.
Logged actions
Cloud account: connect / disconnect · Agent: create / update / archive / lifecycle change · Policy: create / update / publish / rollback · Approval: request / approve / reject / expire · Finding: acknowledge / suppress / resolve / reopen · Alert channel: create / update / delete / test · User: login / logout / role change.
Exports
12. Integrations — 110+ across 16 categories
Findings flow into every SOC tool that matters. ITSM and chat handle workflow. Cloud-native security hubs in AWS / Azure / GCP. LLM-observability bridges into the eval-tooling cohort.
SIEM (16)
SOAR (10)
LLM observability (14)
Identity / SSO / PAM (10)
13. Frameworks and SDKs
25+ language SDKs, 31 agent frameworks, 52 LLM providers, 39 vector stores. The most comprehensive coverage matrix in the cohort.
Language SDKs
Agent frameworks (31)
LLM providers (52)
14. Natural-language detection — 104 languages
Three detection tiers covering the broadest claim in the cohort. Lakera markets 14 native + multilingual via XLM-R; Cisco AI Defense markets ~50; SkyDaemon explicitly tests 104.
Tier 1 — 14 native fine-tuned classifiers
English, Spanish, French, German, Russian, Mandarin, Arabic, Japanese, Korean, Portuguese, Hindi, Italian, Turkish, Hebrew.
Tier 2 — 30 multilingual XLM-R
Dutch, Polish, Swedish, Danish, Norwegian, Finnish, Czech, Romanian, Greek, Bulgarian, Ukrainian, Vietnamese, Thai, Indonesian, Malay, Tagalog, Bengali, Tamil, Telugu, Urdu, Persian, Pashto, Swahili, Hausa, Yoruba, Zulu, Afrikaans, Welsh, Catalan, Basque.
Tier 3 — 60+ via NMT-bridge
Hungarian, Slovak, Croatian, Serbian, Slovenian, Lithuanian, Latvian, Estonian, Maltese, Irish, Scots Gaelic, Icelandic, Macedonian, Albanian, Bosnian, Belarusian, Kazakh, Uzbek, Azerbaijani, Armenian, Georgian, Mongolian, Burmese, Khmer, Lao, Sinhala, Nepali, Punjabi, Marathi, Gujarati, Kannada, Malayalam, Amharic, Tigrinya, Somali, Igbo, Sesotho, Xhosa, Esperanto, Latin, plus 20+ more.
Plus
Code-mixed (Hinglish, Spanglish, Manglish) · Cyrillic-Latin homoglyph normalization · zero-width / RTL-override stripping · Image OCR (Latin / CJK / Arabic / Devanagari / Cyrillic) · Whisper-large-v3 audio transcription (99 languages).
15. Deployment, privacy, residency
SaaS
SkyDaemon-managed multi-tenant in `eu-central-1` (live) and `us-east-1` (planned). Region pinning per tenant.
Hybrid
Data plane (SDK / proxy) at customer edge; control plane in SkyDaemon SaaS. Sensitive data hashed at edge.
Self-hosted Wave 49
Helm chart for Kubernetes; Terraform modules for AWS / GCP / Azure.
Air-gapped Wave 55
Single-binary distribution + offline detector pack updates. No outbound internet required.
BYOK (customer-managed keys) Wave 51
Tenant-supplied KMS keys for data at rest; private-link / VPC peering for ingest.
FedRAMP 2026-Q4
FedRAMP Moderate boundary plan — target authorization 2027-Q1.
16. Performance and SLOs
Detection latency
p50 < 80 ms. p99 < 250 ms (sync paths). p99 < 5 s including async LLM-as-judge slow paths.
Ingest availability
99.9% per quarter. p99 round-trip < 100 ms. Backpressure-aware — never blocks the agent's LLM call.
Detection accuracy
Prompt-injection precision ≥ 0.95 / recall ≥ 0.92. Jailbreak precision ≥ 0.93. PII precision ≥ 0.97.
Data retention
Findings: indefinite. Audit log: 7 years default. Invocation evidence: 90 days. Hashed prompts: indefinite. Full prompts (opt-in): 30 days default.