Technical Overview

How Cisora works.

A complete walkthrough of Cisora's architecture, detection layers, and security model. Written for engineers, CISOs, and procurement teams who need to understand the product before they sign a contract. Safe to share — it contains no secrets, only design.

Last updated May 2026

The 30-second pitch

Cisora is the flight recorder and circuit breaker for every AI agent inside a company. We see what each agent does, stop it when it goes off-script, and prove control to auditors and regulators.

Two ways to integrate: a 3-line SDK that wraps existing agent code, or a BYOK gateway that proxies LLM calls without touching code. Either path unlocks the same 22 capabilities — from prompt injection detection at the gateway to tamper-evident audit logs ready for SOC 2 / ISO 27001 / EU AI Act.

Architecture

Cisora sits between your agents and the LLMs / tools they call. It is fail-open by default — if Cisora becomes unreachable, your agents continue to function. Detective controls degrade gracefully; preventive controls (policy blocks, DLP redaction) are the only thing affected.

Customer environment

Your code · your agents · your tools

ClaudeGPT-4BedrockVertex AICustomLangChainLlamaIndexAutoGen · CrewAIOpenAI Agents SDKMastra · Pydantic AI

HTTPS · Bearer cisora_live_…

Cisora ingress

Two integration paths · same pipeline behind both

SDK INGEST

/api/agent/events

Telemetry-only path. Async event capture. Customer keeps their own LLM call.

GATEWAY PROXY

/api/gateway/{anthropic|openai|bedrock|vertex}

Inline streaming proxy. BYOK forward. Real-time enforcement.

Inline pipeline

Sub-50ms p99 target · runs on every request

①

Regex injection scan

30 patterns · <1ms

②

Policy engine

11 operators · plain-English DSL

③

Output DLP regex

14 patterns: PII + secrets

④

Decision

allow · block · review · redact

if allow + gateway: forward upstream · tee stream

Async analysis

Runs after the stream completes · zero client latency

ML classifier (DeBERTa-v3)Embedding DLP (MiniLM-L6-v2)Cost anomaly detectorGoal-hijack drift detector

Storage

PostgreSQL · AES-256 at rest · multi-tenant isolation

agent_actionsagent_inventoryincidentstracesaudit_log (SHA-256 chained)credentials_inventoryvault_secretsmcp_serversredteam_runs

Output

Real-time streams · scheduled reports · third-party exports

REAL-TIME

Dashboard · SSE live stream · Slack · Webhook · Email

Critical incidents reach your team within seconds via signed channels.

EXPORT & REPORT

SIEM (Splunk · Datadog · Sumo · Elastic · CEF) · Compliance PDFs · REST API

Auditor-ready documents and continuous streams to your existing security stack.

Flow direction is top → bottom. Hover any layer for details.

Six layers, one boundary. Customer code talks to Cisora over a single HTTPS connection. Cisora speaks to LLM providers using customer-supplied BYOK credentials encrypted with AES-256-GCM. We never decrypt keys to disk, never log them, never include them in error messages.

Integration patterns — SDK vs Gateway

Two ways to integrate. You can use either, or both. Most companies start with the SDK for fast wins and add the gateway once they want inline enforcement.

SDK

3-line wrap

Drop @cisora/sdk or the cisora Python package into your agent. We wrap every tool call, model invocation, and external API hit. Telemetry streams to Cisora in the background — your hot path doesn't change.

• Lowest friction
• Fail-open: a Cisora outage never blocks your agent
• Captures: tool name, args, outputs, latency, cost, tokens
• Frameworks: LangChain · LlamaIndex · AutoGen · CrewAI · others

GATEWAY

BYOK proxy

Point your LLM SDK at gateway.cisora.io instead of api.anthropic.com or api.openai.com. We sign with your encrypted provider key and forward. Streaming preserved.

• Inline enforcement — block before the call
• Providers: Anthropic · OpenAI · Bedrock (SigV4) · Vertex (OAuth2)
• Sub-50ms p99 overhead
• No code change required

SDK — 3 lines of TypeScript

import { Cisora } from '@cisora/sdk';

const cisora = new Cisora({ apiKey: process.env.CISORA_API_KEY!, agentName: 'support-bot' });

const reply = await cisora.modelCall('claude-sonnet-4-6', () =>
  anthropic.messages.create({ model: 'claude-sonnet-4-6', /* ... */ }),
);

Gateway — change one URL

# Before
ANTHROPIC_BASE_URL=https://api.anthropic.com

# After
ANTHROPIC_BASE_URL=https://cisora.io/api/gateway/anthropic
ANTHROPIC_API_KEY=cisora_live_…   # your Cisora key, not your Anthropic key

What happens to a single agent action

Trace one tool call through the system, end to end. Each numbered step is independently observable in the dashboard and audit log.

1
Agent receives a user message and decides to call a tool
Captured: user message, agent identity, session id, trace id.
2
SDK or gateway intercepts the call
Authenticates the request with your Cisora API key. Resolves your organization and per-tenant policies.
3
Rate limit check
2,000 req/min/org default. Configurable per plan.
4
Regex injection scan
30 patterns covering known prompt injection categories. <1ms. Blocks before the call if high-confidence match.
5
Policy engine evaluation
Your plain-English rules compile to an 11-operator DSL. Decisions: allow, block, review. Decision latency cached <10ms.
6
Output DLP regex
14 built-in patterns for PII (SSN, credit card, email, phone, IP) and secrets (Anthropic / OpenAI / AWS / GitHub / Stripe / Google / JWT). Block, redact, or alert per tenant policy.
7
Forward to upstream (gateway only)
Streaming preserved. Bedrock signed with SigV4, Vertex authenticated with OAuth2 JWT-bearer. Customer’s BYOK key never leaves Cisora and is never logged.
8
Stream tee
Response body split into two readers. One half streams to your agent immediately. The other half feeds async analysis without adding client latency.
9
Async ML classifier
DeBERTa-v3 prompt-injection model via HuggingFace inference. If confidence > 0.85 after the stream completes, action is retroactively marked blocked and an incident is created.
10
Async embedding DLP
MiniLM-L6-v2 cosine similarity against your indexed reference documents. Catches paraphrased data leaks that regex misses.
11
Persist + audit
agent_action row + tamper-evident audit_log entry (SHA-256 hash chained to previous row). Each row signs the previous row’s hash.
12
Alert dispatch
Fire-and-forget. Slack (Block Kit), Webhook (HMAC-SHA256 signed), Email (Resend). Configurable severity threshold and category filter per channel.
13
SIEM export
Push or pull. Splunk HEC / Datadog Logs / Sumo Logic / Elastic / generic CEF / webhook.

● Latency budget: Steps 1–6 run inline and target sub-50ms p99 total overhead. Steps 8–12 run asynchronously after the stream completes — they add zero client latency. ML inference time (step 9) is absorbed by the async path.

The detection stack

Three independent layers. Each runs on every action. Their verdicts are OR-combined — any layer can trigger an incident.

Regex / pattern matching

< 1 ms

Coverage

30 prompt-injection patterns · 14 PII + secret patterns

Purpose

Catches known attack signatures and well-formed PII. Cheap, deterministic, no false-negatives on the known set. Always runs inline.

Examples

· "ignore previous instructions"
· "output your system prompt"
· "sk-ant-…" (Anthropic API key)
· "4242 4242 4242 4242" (Luhn-valid credit card)

ML classifier

~300 ms (async)

Coverage

DeBERTa-v3 prompt-injection model · sentence embeddings

Purpose

Catches novel and paraphrased attacks that regex misses. Runs async after the stream completes. If confidence > 0.85, action is retroactively blocked and an incident is created.

Examples

· AI-generated jailbreak phrasings
· Multi-turn role-play attacks
· Encoded / translated injections
· Semantic policy violations

Semantic embedding DLP

~400 ms (async)

Coverage

MiniLM-L6-v2 sentence embeddings · per-org reference docs

Purpose

You upload your private docs (contracts, source code, customer lists) once. We embed every agent output and check cosine similarity. Catches data leaks that regex can't see.

Examples

· Paraphrased contract terms
· Internal code patterns
· Customer record disclosure
· Strategic plan leakage

● Honest limit: No detection layer is 100%. Regex misses novel attacks. ML produces false positives on edge cases. Semantic match misses data the agent never read. We layer them so a single miss never becomes a breach — and we log every decision for auditor review.

Six dashboard modules

Everything you need to inventory, monitor, govern, and prove control over every AI agent in your company. One pane of glass.

Agent Discovery & Inventory

Find every AI agent including shadow agents your engineers shipped without telling security.

Real-Time Action Monitoring

Live SSE stream of every tool call, model invocation, and credential use.

Policy Engine

Plain-English rules compiled to an 11-operator DSL. Enforced inline at the gateway.

Prompt Injection & Goal Hijack

Three-layer detection. OWASP A1 + behavioral drift coverage.

NHI & Credential Governance

Inventory every machine identity. Detect compromised keys. One-click quarantine + rotate.

Audit & Compliance

Tamper-evident SHA-256 chained audit log. Auto-generated reports for six frameworks.

Capabilities (22 phases)

Cisora ships in five blocks. Twenty-two phases. Every phase ships under one rule: does this make AI agents safer for the company running them?

Block A

Circuit breaker

Inline LLM gateway + ML detection. Makes "circuit breaker" architecturally true.

P1	Inline LLM Gateway	BYOK proxy for Anthropic, OpenAI, Bedrock, Vertex with sub-50ms p99 overhead
P2	Trained Injection Detector	30 regex patterns + DeBERTa-v3 ML classifier
P3	Output DLP	14 patterns for PII + secrets. Alert / redact / block.
P4	Real-time Blocking	Gateway returns 4xx before request reaches the provider
P5	Auto-Instrumentation	LangChain, LlamaIndex, AutoGen, CrewAI, OpenAI Agents SDK, Mastra, Pydantic AI

Block B

Enterprise procurement

Remove the payment and security blockers that gate $10K+ deals.

P6	SAML SSO + SCIM	WorkOS-backed. Okta, Azure AD, Google Workspace.
P7	Invoice billing	NET-30/60. ACH. PO numbers.
P8	Legal templates	DPA / MSA / BAA / Sub-processor list under /trust
P9	SOC 2 Type I	In progress with Vanta evidence collection
P10	EU region (deferred)	eu-central-1 deployment when EU customer demand lands

Block C

EDR moat

Turn observability into governance. Features competitors don’t have.

P11	MCP Server Inspection	Proxy and govern every Model Context Protocol tool call
P12	Scoped Credential Vault	JIT tokens per tool, per action, time-boxed
P13	Computer-Use Recording	Forensic timeline of screenshots + tool calls
P14	SIEM Export	Splunk · Datadog · Sumo · Elastic · CEF/syslog · webhook
P15	Memory / RAG Poisoning	3-layer scan on every ingest. Catches embedded prompts.
P16	Continuous Red Team	41-prompt adversarial corpus. CI-integrated. Regression tracking.

Block D

Advanced + multi-agent

Cryptographic identity, semantic DLP, on-prem option.

P17	Agent-to-Agent Auth	RSA-2048 keys, jose-signed capability tokens with TTL
P18	Embedding DLP	MiniLM-L6-v2 semantic match against your reference docs
P19	VPC / On-Prem Collector	Docker container in your VPC. Relay or air-gapped.
P20	SOC 2 Type II	Automatic 6 months after Type I

Block E

Trust + GTM

Trust signals and pricing maturity.

P21	Trust Signals	Changelog, blog, status, about, customers, trust
P22	Pricing v2	Free 50K / Team $199 / Business $999 / Enterprise $25K+ ACV

Security model

Cisora is itself a security product, so we design it the way we wish our customers would. Some practices below match SOC 2 / ISO 27001 controls explicitly; others go beyond what the standards require.

What Cisora never stores

• Your raw model prompts (unless you opt in)
• Your LLM provider API key value (we encrypt and only decrypt at call time)
• The values of secrets we detect (we store a hash of the prefix only)
• Customer payment data (Stripe is the system of record)
• User passwords (bcrypt one-way hashes only)

What Cisora encrypts

• BYOK provider keys: AES-256-GCM at rest, key in AWS Secrets Manager
• Vault secrets: AES-256-GCM with per-org key derivation
• Database: AES-256 at rest (RDS-managed)
• Transit: TLS 1.2+ everywhere (ACM-managed)
• Session tokens: HS256 JWT with 24h sliding expiry

Fail-open philosophy

• SDK: errors return immediately, agent continues
• Gateway: if analysis fails, request forwards anyway
• Async layers (ML, embedding DLP) never block
• Your customer-facing agent is never down because Cisora is down
• Trade-off: a Cisora outage degrades detection but not function

Tamper-evident audit log

• Each row stores a SHA-256 hash of: prev_hash + id + org + user + action + metadata + timestamp
• Editing any row invalidates every subsequent row’s stored hash
• /api/audit/verify recomputes the chain on demand
• /admin/audit shows live chain verification status
• Auditors can run the verification themselves

Multi-tenant isolation

• Every query filters by organization_id
• Foreign keys CASCADE on org delete
• API keys scoped to a single org
• Session JWT includes orgId claim; ORM enforces match
• Test orgs flagged is_smoke_test=true and excluded from prod queries

Operational controls

• AWS ECS Fargate in ap-south-1 (Mumbai)
• Private VPC subnets; no public DB access
• ALB + ACM-managed TLS
• 2FA available on superadmin accounts (TOTP)
• 90-day data retention default (configurable for Enterprise)

Compliance frameworks

Cisora auto-generates evidence packages for six frameworks. Reports are compiled from your live activity log, OWASP-classified incidents, and the tamper-evident audit chain. PDFs are auditor-ready.

SOC 2

CC1–CC9 controls mapped to specific Cisora capabilities. Type I evidence package today; Type II as audit windows mature.

ISO 27001

Annex A controls with explicit gap analysis. Most useful for European procurement.

ISO 42001

The new AI management system standard. Cisora was designed against this from day one.

EU AI Act

Annex IV technical documentation. Risk classification per Article 6.

NIST AI RMF

GOVERN / MAP / MEASURE / MANAGE functions cross-walked to Cisora controls.

HIPAA

BAA template available. Covers the technical safeguards under 45 CFR 164.312.

● Honest status: Cisora is currently undergoing SOC 2 Type I. We expect the letter Q3 2026. Type II follows 6 months after. Ask legal@cisora.io for the current status and a sample evidence package under NDA.

Use cases

Twelve scenarios where Cisora is the answer. Ranked by urgency, not ease.

Shadow AI discovery

You suspect engineers are running Claude / GPT in production without telling security. SDK auto-discovery lights up every agent in 1 day.

Cost runaway

Your Anthropic bill went from $5K to $80K in 3 months. Cost anomaly detection + per-agent breakdown stops the surprise.

Customer-facing agent burned us

Your support bot leaked a customer’s data. Inline gateway + DLP at the edge stops the next incident before send.

Compliance audit

Auditor asked "what controls do you have for AI?" Cisora’s six-framework generator gives you the answer in a day.

Multi-agent governance

You have agents calling agents calling tools. Capability tokens + per-agent identity make authorization auditable.

MCP server inspection

You ship Anthropic Model Context Protocol tools. Our proxy is the only product that knows what MCP is.

Computer-Use forensics

You’re piloting Anthropic Computer Use or OpenAI Operator. Forensic replay of screenshots and tool calls.

RAG poisoning paranoid

You build on public data. Memory Guard scans every ingest for embedded prompts.

CI/CD red team

You want safety regressions caught before prompts ship. Continuous eval suite hooks into your PR pipeline.

EU AI Act preparation

You sell into the EU. Annex IV docs generated. Risk classification per Article 6.

Insurance-driven controls

Your cyber insurer asks for evidence of AI controls. Tamper-evident log is the evidence.

On-prem / air-gapped

You’re federal, defense, or financial-services-regulated. VPC collector ships events from your environment, or stays fully local.

What Cisora doesn't do

Honest scope. If you need any of these, we are not the right tool.

General LLM observability without security framing

See Helicone, LangSmith, Langfuse.

Standalone red-teaming as a product

See Lakera Guard, ProtectAI.

Vector DB management or hosting

See Pinecone, Weaviate.

Agent-building frameworks

See LangChain, LlamaIndex, Mastra. We instrument them.

Model fine-tuning

See OpenAI, Together AI, Anyscale.

Caching or fallback routing

See Portkey, Helicone.

Individual / consumer products

We sell to companies.

Replacing your SIEM

We export to it. We are not Splunk.

FAQ

How does Cisora make money?▾

Subscription pricing. Free 50K actions/mo. Team $199/mo (500K actions). Business $999/mo (5M actions). Enterprise $25K+/yr ACV with custom limits, SSO, dedicated support.

Do you train on our data?▾

No. Never. Your raw prompts and outputs are never used to train Cisora’s detection models. We only run inference using your data when you call us.

Where does my data live?▾

AWS ap-south-1 (Mumbai) today. EU region (eu-central-1) will launch when EU customer demand justifies the infrastructure cost. Per-tenant data residency choice at signup once EU is live.

What happens if Cisora is down?▾

Your agents continue. Cisora is fail-open by default. The SDK returns immediately on errors. The gateway forwards your request even if our analysis layer is unreachable. Detection degrades; function does not.

How is Cisora different from Helicone, LangSmith, or Datadog?▾

Those are observability tools. Cisora is a security and governance control plane. We catch prompt injections, redact PII outputs, govern credentials, and generate compliance evidence. Observability is a side effect.

Can we self-host?▾

VPC collector deployment is available (P19) for customers with on-prem or air-gapped requirements. Full self-hosted Cisora is not available — the threat intelligence requires hosted analysis.

How long until we see value after integration?▾

SDK path: 1-2 hours from signup to first event in dashboard. Gateway path: 30 minutes. First incident usually fires within 24 hours of real traffic, often within the first hour for noisy applications.

What if we want to leave?▾

Data is yours. One-click JSON export of every agent_action, incident, audit_log row, and policy. We never lock you in. We also support GDPR right-to-deletion: a delete request wipes all your data including the test-org cleanup chain.

Next step

Want to evaluate Cisora?

Three paths. Pick whichever fits your timeline.

Start free

Self-serve. 50,000 actions/month free forever. SDK or gateway.

cisora.io/signup →

Design partner

Early access, free first year, monthly 1:1 with the founder, white-glove integration.

design-partners@cisora.io →

Talk to sales

Enterprise procurement: SSO, custom limits, DPA/MSA/BAA, NET-30/60 invoicing.

sales@cisora.io →

This document is freely shareable. No NDA required. The product details described here represent our public technical commitments as of the last-updated date at the top.