Know When Your Agents Misbehave

Real-time anomaly detection for AI agent authorization. 10 built-in rules catch velocity spikes, scope escalation, token replay, and more. Alert to Slack, PagerDuty, or Datadog in seconds.

grantex.dev/dashboard/anomalies

Anomaly Detection

Monitoring active: 3 Critical, 7 High, 12 Medium, 4 Low

Token replay detected for ag_crm_bot (CRITICAL, 2m ago)
Velocity spike: 340 req/min for ag_data_sync (HIGH, 8m ago)
Scope escalation attempt: email:send requested (MEDIUM, 14m ago)
Off-hours activity for ag_billing_agent (LOW, 1h ago)

AI Agents Operate Unsupervised

Agents run 24/7, make thousands of API calls, and delegate to sub-agents. Without real-time monitoring, compromised or misbehaving agents go unnoticed.

Sub-second Detection

Anomalies are detected as events flow through Grantex. No batch processing delay. Alerts fire within 1 second of the triggering event.

Pattern-based Analysis

10 built-in detection rules cover the most common agent misbehavior patterns. Each rule is battle-tested and tuned to minimize false positives.

Custom Rule DSL

Write your own rules with agent filters, scope filters, time windows, and thresholds. Deploy custom rules via the API or dashboard.

Multi-channel Alerts

Route alerts to Slack, PagerDuty, Datadog, or email. Filter by severity so critical alerts page on-call while low-severity alerts log quietly.

Alert Lifecycle

Every alert has a clear lifecycle: open, acknowledged, resolved. Track who responded, when, and what action was taken. Full audit trail.

One-click Revocation

Revoke a misbehaving agent's grant directly from the alert. Cascading revocation stops all sub-agents immediately.

10 Rules, Zero Configuration

Every Grantex account ships with 10 anomaly detection rules that cover the most common agent security threats. Enable, disable, or tune them from the dashboard.

| Rule ID | Name | Trigger | Severity |
| --- | --- | --- | --- |
| velocity_spike | Velocity Spike | Request rate exceeds 3x the rolling 1-hour average | HIGH |
| scope_escalation | Scope Escalation | Agent requests scopes beyond its registered set | CRITICAL |
| unknown_agent | Unknown Agent | Token presented by an unregistered agent DID | CRITICAL |
| token_replay | Token Replay | Same token JTI used from multiple IP addresses | CRITICAL |
| off_hours_activity | Off-Hours Activity | Agent active outside its configured operating window | LOW |
| high_failure_rate | High Failure Rate | More than 30% of requests fail in a 15-minute window | HIGH |
| concurrent_sessions | Concurrent Sessions | Same grant token used from 3+ distinct IPs simultaneously | HIGH |
| delegation_depth | Delegation Depth | Delegation chain exceeds configured max depth | MEDIUM |
| budget_overspend | Budget Overspend | Agent consumes more than 90% of budget in a single burst | HIGH |
| geo_anomaly | Geographic Anomaly | Agent makes requests from unexpected geographic regions | MEDIUM |
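
To make three of the triggers in the table concrete (token_replay, unknown_agent, scope_escalation), here is an added sketch that runs them over a few constructed authorization events. It is not Grantex code: the event shape, field names, registry, and the `detect` function are assumptions made for illustration.

```typescript
// Added illustration. The event shape and field names are assumptions, not Grantex's schema.
type AuthEvent = { agentId: string; jti: string; ip: string; scopes: string[] };
type Finding = { ruleId: string; severity: string; agentId: string; detail: string };

// Constructed registry: the scope set each agent was registered with.
const REGISTERED_SCOPES: Record<string, string[]> = {
  ag_crm_bot: ['crm:read', 'crm:write'],
  ag_data_sync: ['data:read'],
};

// Constructed events (documentation-range IPs).
const SAMPLE_EVENTS: AuthEvent[] = [
  { agentId: 'ag_crm_bot', jti: 'jti-001', ip: '203.0.113.10', scopes: ['crm:read'] },
  { agentId: 'ag_crm_bot', jti: 'jti-001', ip: '198.51.100.7', scopes: ['crm:read'] },
  { agentId: 'ag_crm_bot', jti: 'jti-001', ip: '203.0.113.10', scopes: ['crm:write'] },
  { agentId: 'ag_data_sync', jti: 'jti-002', ip: '192.0.2.44', scopes: ['data:read', 'email:send'] },
  { agentId: 'ag_shadow', jti: 'jti-003', ip: '192.0.2.45', scopes: ['data:read'] },
];

function detect(events: AuthEvent[], registered: Record<string, string[]>): Finding[] {
  const findings: Finding[] = [];
  const ipsByJti = new Map<string, Set<string>>();
  for (const e of events) {
    // token_replay: the same JTI arrives from an IP not seen before for that token.
    const ips = ipsByJti.get(e.jti) ?? new Set<string>();
    const newIp = !ips.has(e.ip);
    ips.add(e.ip);
    ipsByJti.set(e.jti, ips);
    if (newIp && ips.size > 1) {
      findings.push({ ruleId: 'token_replay', severity: 'critical', agentId: e.agentId,
        detail: `${e.jti} used from ${Array.from(ips).join(', ')}` });
    }
    // unknown_agent: no registration on record, so there is no scope set to compare.
    const allowed: string[] | undefined = registered[e.agentId];
    if (!allowed) {
      findings.push({ ruleId: 'unknown_agent', severity: 'critical', agentId: e.agentId,
        detail: 'agent is not registered' });
      continue;
    }
    // scope_escalation: any requested scope outside the registered set.
    const extra = e.scopes.filter((s) => allowed.indexOf(s) === -1);
    if (extra.length > 0) {
      findings.push({ ruleId: 'scope_escalation', severity: 'critical', agentId: e.agentId,
        detail: `unregistered scopes: ${extra.join(', ')}` });
    }
  }
  return findings;
}

console.log(detect(SAMPLE_EVENTS, REGISTERED_SCOPES));
```

The third event reuses jti-001 from an IP already seen for that token, so it produces no second token_replay finding.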

From Detection to Resolution

Every anomaly follows a clear lifecycle with full traceability. Know who responded, when, and what action was taken.

1. Detected: Rule triggers, alert created
2. Notified: Slack, PagerDuty, email
3. Acknowledged: Responder takes ownership
4. Resolved: Issue fixed, note attached

Alert Where Your Team Already Works

Route anomaly alerts to the tools your team uses. Filter by severity to keep noise low and signal high.

Slack: Incoming webhook
PagerDuty: Events API v2
Datadog: Events API
Email: SMTP / SES
Webhook: Custom HTTP POST
SSE Stream: Real-time events

Write Rules That Match Your Threat Model

Built-in rules cover the common cases. Custom rules let you encode your organization's specific security policies.

Custom Rule — TypeScript SDK
```typescript
import { Grantex } from '@grantex/sdk';

const grantex = new Grantex({ apiKey: process.env.GRANTEX_API_KEY });

// Create a custom rule that fires when any agent
// makes more than 50 email:send requests in 5 minutes
await grantex.anomalies.createRule({
  ruleId: 'email_flood',
  name: 'Email Flood Detection',
  description: 'Too many email sends in a short window',
  severity: 'critical',
  condition: {
    scopes: ['email:send'],
    timeWindow: '5m',
    threshold: 50,
  },
  channels: ['slack-incidents', 'pagerduty-oncall'],
});

// Configure a Slack notification channel
await grantex.anomalies.createChannel({
  type: 'slack',
  name: 'slack-incidents',
  config: {
    webhookUrl: 'https://hooks.slack.com/services/...',
  },
  severities: ['critical', 'high'],
});

// Stream anomaly events in real time
for await (const event of grantex.events.stream({
  types: ['anomaly.detected'],
})) {
  console.log('Alert:', event.data.ruleName, event.data.severity);
}
```
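
The `email_flood` condition above combines a scope filter, a time window, and a threshold. The following added example (not part of the Grantex SDK) models that condition locally as a per-agent sliding window over constructed traffic; the event shape, the `s`/`m`/`h` duration syntax, and the `parseWindow`, `firstBreach`, and `burst` helpers are assumptions.

```typescript
// Added illustration: a local model of a scope/timeWindow/threshold condition.
// How Grantex evaluates the condition server-side is not documented on this page.
type Condition = { scopes: string[]; timeWindow: string; threshold: number };
type ScopeEvent = { ts: number; agentId: string; scope: string }; // ts in ms

const EMAIL_FLOOD: Condition = { scopes: ['email:send'], timeWindow: '5m', threshold: 50 };

// Assumed duration syntax: an integer followed by s, m or h (e.g. '5m').
function parseWindow(w: string): number {
  const m = /^(\d+)([smh])$/.exec(w);
  if (!m) throw new Error(`unsupported window: ${w}`);
  const unitMs = { s: 1000, m: 60000, h: 3600000 }[m[2] as 's' | 'm' | 'h'];
  return Number(m[1]) * unitMs;
}

// For each agent, the timestamp at which its matching-request count inside
// the sliding window first exceeds the threshold ("more than 50").
function firstBreach(events: ScopeEvent[], cond: Condition): Record<string, number> {
  const windowMs = parseWindow(cond.timeWindow);
  const recent: Record<string, number[]> = {};
  const breaches: Record<string, number> = {};
  const sorted = events.slice().sort((a, b) => a.ts - b.ts);
  for (const e of sorted) {
    if (cond.scopes.indexOf(e.scope) === -1) continue; // scope filter
    const q = recent[e.agentId] ?? (recent[e.agentId] = []);
    q.push(e.ts);
    while (q.length > 0 && q[0] <= e.ts - windowMs) q.shift(); // expire old hits
    if (q.length > cond.threshold && !(e.agentId in breaches)) breaches[e.agentId] = e.ts;
  }
  return breaches;
}

// Constructed traffic: `count` requests spaced `stepMs` apart, starting at t=0.
function burst(agentId: string, scope: string, count: number, stepMs: number): ScopeEvent[] {
  const out: ScopeEvent[] = [];
  for (let i = 0; i < count; i++) out.push({ ts: i * stepMs, agentId, scope });
  return out;
}

const SAMPLE: ScopeEvent[] = [
  ...burst('ag_mailer', 'email:send', 60, 5000),       // 60 sends in 5 minutes
  ...burst('ag_newsletter', 'email:send', 100, 10000), // steady 30 per 5 minutes
  ...burst('ag_crm_bot', 'crm:read', 200, 1000),       // busy, but a different scope
];

console.log(firstBreach(SAMPLE, EMAIL_FLOOD));
```

Replaying exported historical events through a model like this shows how often a candidate threshold would have fired before the rule is deployed.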

Metrics, SSE, and Prometheus

Query anomaly metrics via the API, stream events over SSE, or scrape Prometheus-format counters from the /metrics endpoint.

Metrics API

GET /v1/anomalies/metrics returns alert counts by severity, by rule, and a 14-day activity histogram. Filter by agent or time window.

SSE Stream

GET /v1/events/stream?types=anomaly.detected pushes anomaly events in real time. Use with @grantex/destinations to forward to Datadog, Splunk, or S3.

Prometheus Counters

GET /metrics exposes grantex_anomalies_total, grantex_alerts_open, and grantex_alerts_resolved counters for Grafana dashboards.

Start Monitoring Your Agents Today

Anomaly detection is available on all plans, including the free tier. 10 built-in rules. No configuration required.