Airlock includes automated security monitoring that detects anomalous API usage patterns and can automatically block suspicious activity.
Anomaly Detection
Airlock continuously scans tool call activity for suspicious patterns, including:
- Request-rate spikes — unusually high request rates from a single user or agent
- Repeated policy denials — repeated denied calls, indicating unauthorized-access attempts
- Error storms — high error rates suggesting automated probing or a misconfigured client
- Tool enumeration — systematic probing of available tools (possible reconnaissance)
- Multi-IP access — one identity used from many IP addresses (possible credential compromise)
- Escalation probing — mixed allow/deny patterns indicating privilege-escalation attempts
Detection runs automatically every minute.
Auto-Blocking
When the anomaly detection system identifies a threat, it can automatically create a security block:
| Severity | Block Type | Duration |
|---|---|---|
| Critical | Hard block | 24 hours |
| High | Soft block | 4 hours |
- Hard blocks immediately prevent all API access for the affected user/agent
- Soft blocks are a lighter-touch restriction on the affected user/agent
Either type can be acknowledged by an admin (to record that it was reviewed) or lifted early if the activity was legitimate. Blocks include details about the finding that triggered them (values, thresholds, detection rule) so admins can assess whether the activity was legitimate.
Configurable Thresholds
Admins can tune detection sensitivity per organization from the Security settings:
- Navigate to Settings → Security
- Toggle Detection Enabled to enable or disable anomaly detection entirely
- Adjust thresholds for each detection rule (e.g., request-rate-spike and tool-enumeration sensitivity)
Custom thresholds let you reduce false positives for your organization's usage patterns while maintaining protection against genuine threats. When detection is disabled, Airlock stops creating new anomaly findings and automatic blocks for that organization.
Security Blocks Dashboard
View and manage security blocks from the Control Room:
- Navigate to Security in the sidebar
- View active, acknowledged, and expired blocks
- Each block shows:
- The affected user
- The detection rule that triggered it
- Finding details (values vs. thresholds)
- Block status and expiration time
Managing Blocks
- Acknowledge a block (hard or soft) to indicate you've reviewed it
- Lift a block early if the activity was legitimate
- Blocks automatically expire after their TTL (4 or 24 hours)
Credential Security
All API credentials are protected with defense-in-depth:
- AES-256-GCM encryption at rest in DynamoDB
- Per-user credential isolation — each user's credentials are encrypted separately
- Runtime-only decryption — credentials are decrypted only when making API calls, never logged
- Organization isolation — Cognito group membership enforces strict multi-tenant boundaries
Audit Trail
All API calls, approval decisions, and security events are logged with:
- Who made the request (user and agent identity)
- What tool was called and with what parameters
- When the request was made
- The policy decision (allowed, required approval, blocked)
- Agent context (client name, version, transport type, source IP)
Audit logs are accessible from the Control Room under History.
Best Practices
- Monitor the Security dashboard regularly for blocks and findings
- Review acknowledged blocks to identify patterns in false positives
- Use approval workflows for sensitive operations as an additional layer of protection
- Rotate credentials periodically and revoke unused access
- Assign approver groups rather than individuals to ensure coverage