Overview
Observatory is Highflame's unified security intelligence console. It aggregates signals from every Highflame product — the Agent Gateway, Shield, Browser Security, Code Agents, and Red Teaming — into a single interface for security teams to investigate threats, review agent behavior, and validate coverage.
What Observatory gives you
Cross-product correlation: Threats that span browser activity, agent traffic, and API calls are linked into a single investigation context
Distributed tracing: Full OpenTelemetry-compatible trace visualization for every agent workflow
Session tracking: End-to-end session timelines that stitch together gateway events, guardrail evaluations, and tool calls
UEBA entity risk: Behavioral risk scores for users, agents, and devices based on anomaly detection across all event sources
Tool and agent analytics: Usage breakdowns by tool, MCP server, and agent across your organization
Interactive testing: Playground for running agent payloads against live policies and watching events fire in real time
Views
Observatory is organized into six views, accessible from Highflame Studio → Observatory:
Security posture, cross-product correlations, and coverage status at a glance
All threat events across products with faceted search and investigation detail
Agent session timelines with gateway events, guardrail results, and cross-links to traces
OpenTelemetry distributed trace visualization for agent workflows
Tool usage analytics, MCP server visibility, and agent behavior trends
Interactive test environment for validating policies and attack scenarios
Data sources
Observatory ingests data from all Highflame products automatically — no additional configuration is needed if you have already deployed them. Each product writes events to the shared Observatory event bus:
Agent Gateway — request/response events, guardrail evaluations, policy decisions
Shield SDK — inline guardrail evaluations, session context, tool call records
Browser Security — browser violation events, device check-ins
Code Agents — code agent activity, policy events, threat detections
Red Teaming — scan results, finding records, attack engine outputs
Events are indexed in real time and available in Observatory within seconds of occurrence.
Data retention
Threat events and session data: 90 days
Distributed traces: 30 days
The Threats, Sessions, and Tools & Agents views support queries up to 90 days back. The Traces view supports queries up to 30 days back. Time range pickers in each view are bounded accordingly.
Session context
Observatory's Sessions and Traces views use a shared session identifier that flows through the Agent Gateway and Shield SDK. When a Shield SDK-instrumented agent makes a call through the gateway, both the SDK-side guardrail events and the gateway-side request events are correlated under the same session ID.
If a browser violation is recorded for a user who also has an active agent session, the violation is linked into that session's timeline. This gives you a complete picture of threats that span browser activity and agent/API traffic.
See Sessions for details.
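The correlation described in this section, sketched as an added example; it is not Highflame code. The event fields (source, session_id, user, ts, kind) and the rule that a session counts as active between its first and last event are assumptions, since this page does not define the event schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events. Field names are hypothetical, not Highflame's schema.
EVENTS = [
    {"source": "gateway", "session_id": "s-1", "user": "alice", "ts": "2024-05-01T10:00:00", "kind": "request"},
    {"source": "shield_sdk", "session_id": "s-1", "user": "alice", "ts": "2024-05-01T10:00:01", "kind": "guardrail_eval"},
    {"source": "shield_sdk", "session_id": "s-1", "user": "alice", "ts": "2024-05-01T10:05:00", "kind": "tool_call"},
    {"source": "gateway", "session_id": "s-2", "user": "bob", "ts": "2024-05-01T11:00:00", "kind": "request"},
    # Browser events carry no session ID; they are linked by user and time.
    {"source": "browser", "session_id": None, "user": "alice", "ts": "2024-05-01T10:02:30", "kind": "browser_violation"},
    {"source": "browser", "session_id": None, "user": "alice", "ts": "2024-05-01T12:00:00", "kind": "browser_violation"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def build_timelines(events):
    """Return ({session_id: [events in time order]}, [events linked to no session])."""
    timelines = defaultdict(list)
    # Step 1: SDK-side and gateway-side events share a session ID, so group on it.
    for e in events:
        if e["session_id"] is not None:
            timelines[e["session_id"]].append(e)

    # Assumption: one user per session, active from its first to its last event.
    windows = {
        sid: (tl[0]["user"], min(map(_ts, tl)), max(map(_ts, tl)))
        for sid, tl in timelines.items()
    }

    # Step 2: link session-less events into any session active for the same user.
    unlinked = []
    for e in events:
        if e["session_id"] is not None:
            continue
        hits = [sid for sid, (user, start, end) in windows.items()
                if user == e["user"] and start <= _ts(e) <= end]
        for sid in hits:
            timelines[sid].append(e)
        if not hits:
            unlinked.append(e)

    for tl in timelines.values():
        tl.sort(key=_ts)
    return dict(timelines), unlinked
```

The second browser violation falls outside any active session for that user, so it is returned separately instead of being attached to a session it does not belong to.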