Command Center
The Command Center is the top-level view in Observatory. It gives security teams a real-time snapshot of their organization's security posture across all Highflame products.
Navigate to Highflame Studio → Observatory → Command Center.
Security posture score
The posture score summarizes your organization's security coverage across four pillars:
Detection
Coverage of active threat detectors — what fraction of your agent and browser traffic is evaluated by at least one detection signal
Enforcement
Active blocking coverage — how many guardrail categories and browser policy categories are in Block mode (vs. Monitor-only)
Coverage
Observability coverage — sessions, traces, and tool calls being captured across deployed agents and browser endpoints
Velocity
Response time posture — how quickly detections are triaged, policies updated, and enforcement gaps closed after a signal fires
Each pillar contributes to an overall score (0–100). The score is recalculated continuously as events arrive.
Cross-product correlations
The correlations panel surfaces events from different products that share a user, device, or session context within a configurable time window. Examples:
A browser jailbreak attempt followed by an agent session from the same user within 5 minutes
A Shield guardrail block on a tool call that originated from a browser violation session
A Red Teaming scan finding that matches a pattern seen in live production traffic
Correlations are surfaced as cards with links to the underlying events. Click through to the Threats or Sessions views for full investigation detail.
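The time-window correlation described above can be sketched as follows. This is an added example, not Highflame's implementation: the event field names, product labels, and sample events are constructed assumptions, and the 5-minute default mirrors the first example in the list.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions, not Highflame's schema.
EVENTS = [
    {"id": "e1", "product": "browser", "type": "jailbreak_attempt",
     "user": "alice", "device": "d-17", "session": "b-100", "ts": "2025-01-10T09:00:00"},
    {"id": "e2", "product": "agent", "type": "session_start",
     "user": "alice", "device": "d-17", "session": "a-200", "ts": "2025-01-10T09:03:30"},
    {"id": "e3", "product": "shield", "type": "guardrail_block",
     "user": "bob", "device": "d-22", "session": "b-101", "ts": "2025-01-10T09:10:00"},
    {"id": "e4", "product": "browser", "type": "policy_violation",
     "user": "carol", "device": "d-30", "session": "b-101", "ts": "2025-01-10T09:08:00"},
    {"id": "e5", "product": "agent", "type": "session_start",
     "user": "alice", "device": "d-17", "session": "a-201", "ts": "2025-01-10T11:00:00"},
]

# Context attributes on which two events can be linked.
CONTEXT_KEYS = ("user", "device", "session")


def correlate(events, window=timedelta(minutes=5)):
    """Return (earlier_id, later_id, shared_keys) for every pair of events
    from different products that share context within the time window."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    hits = []
    for i, first in enumerate(ordered):
        t_first = datetime.fromisoformat(first["ts"])
        for second in ordered[i + 1:]:
            if datetime.fromisoformat(second["ts"]) - t_first > window:
                break  # list is sorted, so every later event is out of range too
            if first["product"] == second["product"]:
                continue  # only cross-product pairs are of interest
            shared = tuple(k for k in CONTEXT_KEYS
                           if first.get(k) and first.get(k) == second.get(k))
            if shared:
                hits.append((first["id"], second["id"], shared))
    return hits


if __name__ == "__main__":
    for earlier, later, keys in correlate(EVENTS):
        print(f"{earlier} -> {later} linked by {', '.join(keys)}")
```

The later agent session `e5` shares a user and device with `e1` but falls outside the window, so it is not linked; widening the window trades fewer missed links for more coincidental ones.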
UEBA entity risk ranking
The entity risk panel ranks users, agents, and devices by behavioral risk score. The risk score is computed from anomaly signals across all event sources:
Frequency of guardrail blocks relative to baseline
Unusual tool call patterns or access to out-of-scope resources
Browser violations correlated with agent activity
Session anomalies (unusual timing, geographic shifts, new device)
High-risk entities are surfaced at the top of the list. Click any entity to see its full event history in the Threats view, filtered to that entity.
Detector drift heatmap
The drift heatmap shows whether your detection coverage is changing over time. Each cell represents a threat category and time bucket. Cells that turn red indicate that a detector is firing significantly more or less than its baseline — a signal that something in your environment (a new integration, a policy change, a new user behavior) has shifted.
Use this view to catch detection regressions before they become gaps.
Blast radius map
The blast radius map visualizes the potential impact of a compromise. It shows:
Which agents have access to which tools and resources
Which users and devices have active sessions
Which MCP servers are reachable from which agents
If a threat event is selected in the Threats view, the blast radius map updates to highlight the resources reachable from the compromised principal. This helps incident responders scope containment actions quickly.
Cost intelligence
The cost panel summarizes AI API spend across your agent fleet, broken down by model, agent, user, and time period. It pulls from the same telemetry as Traces and Sessions, so cost is always attributed to the agent workflow that incurred it.
Use this to identify runaway agents, unexpected spend spikes, and opportunities for prompt optimization.
Coverage mesh
The coverage mesh is a graph view of your Highflame deployment. Nodes represent products and integrations (Gateway, Shield SDK, Browser Security, Code Agents), and edges represent data flows and coverage relationships.
Nodes are colored by health status:
Green — product is deployed, active, and reporting
Yellow — product is deployed but has gaps (e.g., some agents not instrumented)
Red — product is not deployed or has stopped reporting
Use the coverage mesh to identify which parts of your agent infrastructure are not yet covered by Highflame.