Observability

Highflame's observability layer is powered by Observatory, the analytics service that turns runtime telemetry into searchable investigations, dashboards, and cross-product posture views. It gives developers and security teams a shared way to answer questions such as:

• what happened in this request or tool call

• why did Shield allow or deny it

• which session did the event belong to

• where was latency introduced

• which products or identities are driving risk over time

How The Pipeline Works

Shield, MCP Gateway, Code Agent Security, and Red Team emit OpenTelemetry data with Highflame-specific attributes. That telemetry flows through the collector into Database, where Observatory serves it back through read-only APIs and Studio dashboards.

The result is a consistent investigation surface across products rather than a separate dashboard for each runtime.

Core Investigation Surfaces

Observatory organizes data into a few primary views:

• Threats for security events and detector outcomes

• Sessions for agent and user activity over time

• Traces for distributed request analysis and span-level debugging

• Tools & Agents for usage analytics and tool-level behavior

• Command Center for posture, correlations, entity risk, detector drift, blast radius, cost intelligence, and coverage

Events, Sessions, And Traces

The control plane becomes much easier to operate when you can move between multiple levels of detail:

• events tell you what was detected or enforced on a single action

• sessions show how activity accumulated across turns, tools, and identities

• traces reconstruct the end-to-end execution path with service and span timing

This is especially useful for agentic systems, where a denial may be caused by earlier context, a tool sequence, or cross-service behavior rather than one isolated request.

Command Center

Command Center is the cross-product view in Studio for answering broader operational questions. It pulls together:

• posture scoring

• incident correlations

• entity risk ranking

• detector drift

• blast radius analysis

• cost intelligence

• coverage views across the attack surface

This is the part of the control plane that helps teams move from reactive debugging to ongoing security operations.

Developer Workflow

A common workflow in practice looks like this:

1. a request is blocked or flagged by Shield or the MCP Gateway

2. the event appears in Observatory with the associated signals and policy metadata

3. the investigator pivots into the session to see earlier turns and related tool calls

4. if needed, they open the trace to inspect service timing and execution details

5. the team updates policy or runtime configuration in Studio and validates the change

That loop is what makes observability part of the control plane rather than just a reporting add-on.

Why It Matters

Without this layer, runtime security decisions become hard to explain and even harder to improve. Observatory gives teams durable evidence for debugging, governance, and operational review, while still staying close to the developer workflows needed to ship agent systems safely.