Settings — Shadow Warden AI

WORKSPACE

RESOURCES

WORKSPACE

Filter pipeline

ALL SYSTEMS HEALTHY

Tune how Shadow Warden inspects every AI request before it leaves your perimeter.

SemanticBrain ML cosine

RECOMMENDED

Async ML detection layer using all-MiniLM-L6-v2 embeddings. Catches paraphrased jailbreaks that regex rules miss.

Adds ~15ms latency · +18% recall on adversarial set

EvolutionEngine

BETA

Auto-generate new detection rules from blocked attacks via Claude Opus. Hot-reloads without restart.

💡

BEST PRACTICE

Enable in staging first. Consumes API credits. Review the generated corpus weekly under Rules → Auto-generated.

GDPR strict mode

EU SOC 2

Never log request content. Only metadata (type, length, timing) is persisted. Required for EU deployments.

Endpoints /gdpr/export and /gdpr/purge rely on this

Sensitivity profile

Tradeoff between false-positive rate and recall. Balanced works for most workloads.

Rate limit per API key

Hard cap on requests per key per minute. Above 1,000 may require dedicated Redis.

req / min

Last saved 2 min ago by ops@shadowwarden.ai

Per-tenant keys with SHA-256 constant-time compare. Fail-closed — service won't start without a valid key.

Active Keys

🔑

Production key

Created Jan 12, 2026 · Last used 2 min ago

sw-key-••••••••••••••••••••••••••••••••

🔑

CI / staging

Created Mar 3, 2026 · Last used 1 hour ago

sw-key-••••••••••••••••••••••••••••••••

Change Password

Current password

New password

Confirm new password

Store encrypted secrets at rest (Fernet). API keys, tokens, connection strings — CRUD via REST and portal UI.

Secrets

0 secrets

No secrets yet. Add your first secret above.

Add Secret

Name (e.g. OPENAI_API_KEY)

Value

Description (optional)

🔒 Fernet encryption at rest

Values are encrypted with VAULT_MASTER_KEY before storage. The plaintext is never persisted. Access via GET /settings/secrets returns metadata only.

Tune risk thresholds, iteration caps, and toggle AI agent modules. Changes hot-reload via env injection — no restart needed.

Risk Thresholds

HIGH risk threshold

0.72

BLOCK threshold

0.90

SOVA max iterations

Scan interval (minutes)

Agent Modules

SOVA Agent

Autonomous operator with 30 tools + cron jobs

MasterAgent

Multi-agent SOC coordinator (Pro+)

WardenHealer

Autonomous anomaly detection with OLS trend + Haiku triage

Evolution Engine

Auto-generates detection rules from Claude Opus

Causal Arbiter

Bayesian DAG inference for gray-zone decisions

PhishGuard

URL phishing + social engineering detection

Shadow AI Discovery

Subnet probe + DNS telemetry for unauthorized AI (Pro+)

Document Intel

MarkItDown converter with SHA-256 cache (FE-50)

Changes require an API key with write access

Push security events to external services in real time.

Connected Integrations

💬

Slack Alerts

Real-time HIGH/BLOCK alerts to your SOC Slack channel via incoming webhook.

🚨

PagerDuty

Real-time HIGH/BLOCK incident escalation via PagerDuty Events API v2.

📊

Splunk HEC

Stream security events to your Splunk SIEM via HTTP Event Collector.

🦜

LangChain

Drop-in WardenCallback for LangChain pipelines. Zero code changes required.

🔍

Elastic ECS

Elastic Common Schema event export for Elastic SIEM and Kibana dashboards.

Manage regex and semantic rules. Auto-generated rules from the Evolution Engine appear under the Auto-generated tab.

Detection Rules

153 active

R-001 Jailbreak: role override regex HIGH 412 hits

R-002 Prompt injection: sys leak regex HIGH 208 hits

R-003 DAN variants (semantic) semantic HIGH 94 hits

R-004 PII: SSN pattern redactor MEDIUM 61 hits

R-005 Obfuscated base64 payload decoder MEDIUM 29 hits

Manage who has access to your Shadow Warden workspace.

Members

5 members

🛡

ops@shadowwarden.ai

Joined Jan 2026

Owner

⚙

dev@shadowwarden.ai

Joined Feb 2026

Admin

🔍

soc@shadowwarden.ai

Joined Mar 2026

Viewer

🤖

ci-bot@shadowwarden.ai

Joined Mar 2026

Viewer

📋

audit@client.com

Joined Apr 2026

Viewer

Manage your subscription, usage, and payment history.

Current Plan

Manage Subscription ↗

Loading subscription…

⚡

— —

—

Requests this month —

No active subscription found.

View Plans →

Enter your Lemon Squeezy Customer ID to load your subscription details.

Find your Customer ID in your Lemon Squeezy order confirmation email.

Payment History

Date	Plan	Amount	Status
Jun 1, 2026	Pro — Monthly	$69.00	Paid
May 1, 2026	Pro — Monthly	$69.00	Paid
Apr 1, 2026	Pro — Monthly	$69.00	Paid

Cancel Subscription

Your plan stays active until the end of the current billing period. All data is preserved.

Cancel via Billing Portal ↗

Agentic Commerce — Budget Guardian, multi-agent procurement, USDC/WAT payment rails. (v7.0 · CM-40)

Budget Guardian

Monthly AI spend cap (USD)

USD / month

Alert threshold

80%

Over-budget action

Payment Rails

USDC on Sepolia

Web3 mandate contract — simulated in non-prod

WAT token payments

Warden AI Token internal settlement rail

AP2 mandate protocol

Autonomous procurement + escrow lifecycle

FIDO2 passkey auth

WebAuthn for high-value commerce approvals

Semantic Budget Model

Budget Guardian reads MTD spend from the ai_spend Semantic Layer model.

GET /semantic-layer/query → model: ai_spend, metric: total_cost_usd

Voice-Commerce Agents — real-time STT/TTS for M2M negotiation sessions. (v7.0 · VC-01)

Voice Session Config

Default mode

Max session duration (minutes)

min

Warden filter on transcript

Run every voice transcript through the 9-layer filter before processing.

Enabled

Voice Modules

STT provider

Whisper (self-hosted) — no audio leaves your VPS

TTS provider

Kokoro TTS (self-hosted) — GDPR compliant by design

SOVA voice loop

Route voice queries through SOVA agentic loop

Session recording

Store encrypted WebM to MinIO evidence bucket

🎙 Privacy-first architecture

All audio processing runs on-premises via POST /voice/session. Audio is transcribed locally, filtered by Warden, then discarded. Only the transcript metadata is stored.

Real-time compliance posture — 19 controls across GDPR, SOC 2, ISO 27001, HIPAA. Cache TTL and gap alerting. (v7.0 · CP-30)

Posture Refresh

Cache TTL (seconds)

seconds

Default 300s. Lower values increase CPU load; minimum 60s recommended.

Auto-recalculate on BLOCK events Enabled — recalculates posture when HIGH/BLOCK rate spikes

Active Frameworks

GDPR

6 monitored controls

SOC 2

5 monitored controls

ISO 27001

4 monitored controls

HIPAA

4 monitored controls

Gap Alerts

Slack webhook for gap alerts

Alert on severity

Cryptographic security controls for M2M trades. Post-Quantum options require Enterprise tier.

M2M Trade Signatures

Applied to every Causal Transfer Proof at the ClearingEngine level.

Require ML-DSA-65 Signatures for M2M Trades

ENTERPRISE

Adds ML-DSA-65 (FIPS 204) hybrid signature to every Causal Transfer Proof. Requires liboqs-python installed in the warden container.

Enable End-to-End Encryption for Agent Comms

Fernet-encrypts all inter-agent handoff memory payloads. Keys derived from community keypair; never stored in plaintext.

ML-KEM-768 Key Encapsulation (FIPS 203)

ENTERPRISE

Hybrid X25519+ML-KEM-768 KEM for session key exchange. Shared secret derived via HKDF-SHA256(X25519 XOR ML-KEM-768).

Causal Transfer Guard

Blocks trades where P(exfiltration) ≥ 0.70 (env: TRANSFER_RISK_THRESHOLD). Runs in <20ms via Bayesian DAG.

Upgrade to unlock PQC

Post-Quantum Cryptography (ML-DSA-65 + ML-KEM-768) is available on Enterprise tier. Classical Ed25519/X25519 remain active on all tiers.

Upgrade to Enterprise → PQC Documentation ↗

PQC Status

Classical only (Ed25519 + X25519) — liboqs not detected

GET /health → pqc_available: false

x402/1.0 USDC nanopayment wallet — pre-funded Circle Gateway balance for search fees and M2M settlement.

Subscription Tier

LOADING…

Trial

14 days · $0

Individual

$5/mo · 5k req

Community Biz

$39.99/mo · 10k req

Pro

$99.99/mo · 50k req

x402 search fee: $0.000001 / call · Aggregated monthly via Lemon Squeezy

Pre-funded USDC Wallet

Circle Gateway

$1.00

USDC · Sepolia testnet

Used: $0.000000 Cap: $1.00 trial

Get testnet USDC ↗

Recent x402 Transactions

⚡

x402/search

just now · PAYMENT-SIGNATURE verified

-$0.000001

deducted

⚡

x402/search

1 min ago · PAYMENT-SIGNATURE verified

-$0.000001

deducted

⚡

x402/search

4 min ago · PAYMENT-SIGNATURE verified

-$0.000001

deducted

⚡ How x402 works

Every POST /marketplace/action?action=search checks for a PAYMENT-SIGNATURE header. Deductions are batched into a pending queue and flushed to the Lemon Squeezy usage-records API at the end of your billing cycle. No per-call on-chain settlement in v1.

📄

Enterprise Integration & Deployment Guide

v7.0 · June 2026 · 12 sections

Open ↗

Actions here are irreversible. Proceed with extreme caution.

Danger Zone

Sign out

End your current session. Your data is preserved.

Sign out

Delete this project

Permanently delete the project and all associated data. Cannot be undone. All data is purged under GDPR Article 17.

Active Keys

Change Password

Secrets

Add Secret

Risk Thresholds

Agent Modules

Connected Integrations

Detection Rules

Members

Current Plan

Payment History

Cancel Subscription

Budget Guardian

Payment Rails

Semantic Budget Model

Voice Session Config

Voice Modules

Posture Refresh

Active Frameworks

Gap Alerts

M2M Trade Signatures

Upgrade to unlock PQC

PQC Status

Subscription Tier

Pre-funded USDC Wallet

Recent x402 Transactions

Danger Zone

Delete project?