Security

Airlock includes automated security monitoring that detects anomalous API usage patterns and can automatically block suspicious activity.

Anomaly Detection

Airlock continuously scans tool call activity for suspicious patterns, including:

• Excessive tool calls — Unusually high request rates from a single user or agent
• Rapid credential discovery — Repeated attempts to access credentials or authentication endpoints
• Suspicious API call patterns — Sequences of calls that match known attack patterns
• Cross-organization access attempts — Attempts to access resources outside the user's organization

Detection runs automatically every minute.

Auto-Blocking

When the anomaly detection system identifies a threat, it can automatically create a security block:

Severity	Block Type	Duration
Critical	Hard block	24 hours
High	Soft block	4 hours

• Hard blocks immediately prevent all API access for the affected user/agent
• Soft blocks restrict access but can be acknowledged by an admin

Blocks include details about the finding that triggered them (values, thresholds, detection rule) so admins can assess whether the activity was legitimate.

Configurable Thresholds

Admins can tune detection sensitivity per organization from the Security settings:

1. Navigate to Settings → Security
2. Toggle Detection Enabled to enable or disable anomaly detection entirely
3. Adjust thresholds for each detection rule (e.g., request rate limits, credential discovery sensitivity)

Custom thresholds let you reduce false positives for your organization's usage patterns while maintaining protection against genuine threats. When detection is disabled, Airlock stops creating new anomaly findings and automatic blocks for that organization.

Security Blocks Dashboard

View and manage security blocks from the Control Room:

1. Navigate to Security in the sidebar
2. View active, acknowledged, and expired blocks
3. Each block shows:
   • The affected user
   • The detection rule that triggered it
   • Finding details (values vs. thresholds)
   • Block status and expiration time

Managing Blocks

• Acknowledge a soft block to indicate you've reviewed it
• Lift a block early if the activity was legitimate
• Blocks automatically expire after their TTL (4 or 24 hours)

Credential Security

All API credentials are protected with defense-in-depth:

• AES-256-GCM encryption at rest in DynamoDB
• Per-user credential isolation — each user's credentials are encrypted separately
• Runtime-only decryption — credentials are decrypted only when making API calls, never logged
• Organization isolation — Cognito group membership enforces strict multi-tenant boundaries

Audit Trail

All API calls, approval decisions, and security events are logged with:

• Who made the request (user and agent identity)
• What tool was called and with what parameters
• When the request was made
• The policy decision (allowed, required approval, blocked)
• Agent context (client name, version, transport type, source IP)

Audit logs are accessible from the Control Room under History.

Best Practices

1. Monitor the Security dashboard regularly for blocks and findings
2. Review acknowledged blocks to identify patterns in false positives
3. Use approval workflows for sensitive operations as an additional layer of protection
4. Rotate credentials periodically and revoke unused access
5. Assign approver groups rather than individuals to ensure coverage