See every AI call
Decrypted inspection of OpenAI, Anthropic, Copilot, Gemini, Bedrock, Ollama and 30+ endpoints — classified on the fly, including ones not yet named.
Kilasec inspects every AI call leaving your network — discovers shadow models, redacts secrets and PII before they cross the wire, and holds runaway agents for approval. Agentless by default — no endpoint agent required. It lives where you already enforce policy.
The current crop asks you to integrate an SDK, run a sidecar, or rewrite your agents — which works right up until someone pastes an API key into ChatGPT, or a vendor tool you've never heard of starts calling a model from a finance laptop.
Decrypted inspection of OpenAI, Anthropic, Copilot, Gemini, Bedrock, Ollama and 30+ endpoints — classified on the fly, including ones not yet named.
Secrets, credentials, customer PII and card numbers in outbound requests are masked before they cross the wire — not when an SDK politely asks.
Map each request to a user and directory group — from AD or CSV. Write allow group:eng → api.anthropic.com.
Every admin change and blocked request, retained 30 days to 7 years. Export for SOC 2, HIPAA, or your own change control.
Built for the sysadmin who has to live with it. No endpoint agent required, no application changes, no new box to rack — a single hardened container on hardware you already have. (Optional lightweight sensor/SDK only if you need to tell co-located agents apart.)
Runs read-only, non-root, --cap-drop=ALL, no-new-privileges. amd64 or arm64 — a mini-PC, a VM, or a spare NUC is plenty.
Browsers and fleets follow the collector's auto-generated PAC; agent hosts run a one-line config script that sets the proxy and trusts the CA — configuration only, no resident software. Roll back with --uninstall or by pointing clients away.
Only the model endpoints you scope get decrypted and inspected. Everything else routes direct, untouched — so the vast majority of traffic sees zero added hops. Inspected calls stream through a single in-line TLS-terminating proxy.
Keeps enforcing locally if the cloud blips, drains cleanly on shutdown, and writes every decision to an audit log on disk that you own.
# the entire deployment — one service services: collector: image: ghcr.io/kilasec/collector:latest network_mode: host # sees the edge read_only: true cap_drop: [ALL] security_opt: ["no-new-privileges"] environment: KILASEC_ENROLL: ${ENROLLMENT_CODE} restart: unless-stopped # bring it up $ docker compose up -d # … and to remove it entirely $ docker compose down
No logos to show yet — we're in closed beta. So here's the thing itself: an engineer sends a prompt with a live cloud credential in it, and Kilasec masks the secret at the wire, out of the box — the request goes through, the credential never does. Prefer a hard block? That's a one-line rule.
Illustrative replay of a real policy decision.
The exact event patterns Kilasec's policy engine detects and acts on — the everyday ways sensitive data, shadow AI, and runaway cost leave a network through model APIs.
An engineer asked for help debugging a script with a hardcoded access key and secret. Both would have left the network in the prompt body.
A support team's AI agent received raw transcripts containing SSNs and card numbers. None of it should have reached the provider.
A new vendor tool started reaching api.deepseek.com from a finance laptop. Nobody in IT had heard of it.
A misconfigured QA agent kept re-running evals on a frontier model. At that rate, tens of thousands by morning.
Drop the logs you already have — DNS, proxy, or a packet capture — and see every AI service on your network, which machines are calling it, and the private LLM gateways nobody registered. The analysis runs entirely in your browser; nothing is uploaded.
We're onboarding a small number of networks each week. Drop your work email and we'll reach out with an invite.
Not sure what's on your network yet? Run the free shadow-AI audit → It analyses logs you already have, entirely in your browser — nothing uploaded.