caver normalizes AI usage events to OCSF Application Activity (class 6005) and runs 10 purpose-built CAVERN detection rules against them: prompt injection, credential leaks, output PII, shadow AI, cost anomalies, and system prompt exfiltration. No DLP agent. No raw HTTP inspection. Ships in the same OCSF Parquet lake as the rest of your security data.
Ten purpose-built CAVERN detection rules covering the full AI-usage threat surface. Every rule ships enabled: false — operators enable per-rule or per-category after tuning thresholds.
Detects "ignore previous", role-override phrases, and base64 blobs smuggled into chat completions.
Matches AWS, GitHub, Anthropic, OpenAI, Stripe, and Slack token shapes in prompt text before the model sees them.
Matches SSN, credit-card numbers, US/CA phone runs, and email-address patterns in the response stream.
When the operator plants a sentinel string in every system prompt, any completion echoing it marks a jailbreak.
Fires when per-user token cost exceeds the operator-configured daily threshold (default 50 USD). Surfaces abuse and stolen API key use.
A user whose 30-day median is N suddenly consumes 5x that volume between 22:00 and 06:00. Classic scraper or compromised identity signature.
A single user touches 5+ distinct models in 60 minutes: an attacker probing for the weakest guardrail, or a token-cost-evasion scan.
Model name or hash matches the threat-intel feed of compromised, backdoored, or policy-violating model artifacts.
Document chunks routed through a RAG pipeline carry known injection payloads; the attack surface is the knowledge base, not the prompt.
Flags large-volume structured queries that look more like dataset extraction than normal completions.
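The after-hours volume spike rule described above, sketched as an added example (not caver's own rule code). It assumes events already reduced to hypothetical `user`/`time`/`tokens` fields, reads "30-day median" as the median of daily token totals, and skips users with fewer than `min_days` of history, a guard the page does not state.

```python
from collections import defaultdict
from datetime import date, datetime, time, timedelta
from statistics import median

def after_hours_spikes(events, night, multiplier=5, baseline_days=30, min_days=7):
    """Flag users whose 22:00-06:00 volume on `night` is >= multiplier x their
    median daily volume over the preceding baseline_days."""
    start = datetime.combine(night, time(22))
    end = start + timedelta(hours=8)  # window wraps midnight, ends 06:00 next day
    base_from = night - timedelta(days=baseline_days)
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> tokens
    night_total = defaultdict(int)                 # user -> tokens in window
    for e in events:
        ts, user = e["time"], e["user"]
        if start <= ts < end:
            night_total[user] += e["tokens"]
        elif base_from <= ts.date() < night:
            daily[user][ts.date()] += e["tokens"]
    alerts = []
    for user, total in sorted(night_total.items()):
        days = daily[user]
        if len(days) < min_days:  # assumption: too little history, no baseline
            continue
        n = median(days.values())
        if total >= multiplier * n:
            alerts.append({"user": user, "night_tokens": total, "median": n})
    return alerts

def sample_events():
    """Constructed events; the user/time/tokens keys are assumed field names."""
    night = date(2024, 5, 31)
    ev = []
    for d in range(1, 31):  # 30 days of ordinary daytime usage
        ts = datetime.combine(night - timedelta(days=d), time(10))
        ev += [{"user": u, "time": ts, "tokens": 1000} for u in ("alice", "bob")]
    for d in (1, 2):  # carol has only two days of history
        ts = datetime.combine(night - timedelta(days=d), time(10))
        ev.append({"user": "carol", "time": ts, "tokens": 100})
    ev += [  # the night under evaluation; alice's usage straddles midnight
        {"user": "alice", "time": datetime(2024, 5, 31, 23, 30), "tokens": 3000},
        {"user": "alice", "time": datetime(2024, 6, 1, 2, 15), "tokens": 3000},
        {"user": "bob", "time": datetime(2024, 5, 31, 23, 0), "tokens": 800},
        {"user": "carol", "time": datetime(2024, 5, 31, 23, 0), "tokens": 9000},
    ]
    return ev

if __name__ == "__main__":
    for alert in after_hours_spikes(sample_events(), date(2024, 5, 31)):
        print(alert)
```

Counting the two halves of a night separately by calendar date would miss alice here, since neither half alone reaches 5x her median.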