Vision: Visibility and control for AI coding agents, integrated with existing security infrastructure.
Arfa provides the missing security layer for AI coding agents. As organizations adopt Claude Code, Cursor, and Copilot, security teams have zero visibility into what these agents actually do. Arfa captures every tool invocation, enforces policies, and forwards structured events to existing SIEM systems.
One-liner: "See and control every tool your AI agents use. Export to your existing SIEM."
| Challenge | Impact |
|---|---|
| AI agents execute code autonomously | Security teams can't audit actions |
| No tool-level visibility | "What did Claude do?" → "No idea" |
| Existing SIEMs blind to AI | Datadog/Splunk see nothing |
| Compliance gaps | SOC2/HIPAA require audit trails |
| Shadow AI usage | Employees use agents without oversight |
```
┌─────────────────────────────────────────────────────────────────┐
│                              SIEM                               │
│               (Kibana / Splunk / Datadog / etc.)                │
│                                                                 │
│   ┌─────────────────────────────────────────────────────────┐   │
│   │  Dashboard: AI Agent Activity                           │   │
│   │  • Tool calls per hour                                  │   │
│   │  • Blocked actions by policy                            │   │
│   │  • Token usage by team                                  │   │
│   │  • Anomaly alerts                                       │   │
│   └─────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘
                                 ▲
                                 │  OpenTelemetry / Webhook / Kafka
                                 │
┌─────────────────────────────────────────────────────────────────┐
│                      ARFA SECURITY GATEWAY                      │
│                                                                 │
│  ┌───────────────┐  ┌───────────────┐  ┌───────────────────┐    │
│  │    CAPTURE    │  │    ENFORCE    │  │      FORWARD      │    │
│  │               │  │               │  │                   │    │
│  │ • Tool calls  │  │ • Block       │  │ • Webhook         │    │
│  │ • Parameters  │  │ • Audit-only  │  │ • Kafka           │    │
│  │ • Results     │  │ • Conditional │  │ • OpenTelemetry   │    │
│  │ • Token usage │  │ • Alert       │  │ • S3/GCS          │    │
│  │ • Session ctx │  │ • Approve     │  │ • Syslog          │    │
│  └───────────────┘  └───────────────┘  └───────────────────┘    │
│                                                                 │
│   ┌─────────────────────────────────────────────────────────┐   │
│   │                      POLICY ENGINE                      │   │
│   │  • Per-org policies        • Conditional rules          │   │
│   │  • Per-team overrides      • Time-based policies        │   │
│   │  • Per-employee            • Approval workflows         │   │
│   └─────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘
                                 ▲
                                 │  HTTPS Proxy (transparent)
                                 │
┌─────────────────────────────────────────────────────────────────┐
│                            AI AGENTS                            │
│                                                                 │
│       Claude Code    Cursor    Windsurf    GitHub Copilot       │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```
Status: ✅ Implemented
What we capture for every tool invocation:
```json
{
  "event_type": "tool_call",
  "timestamp": "2025-01-15T10:30:00Z",
  "employee_id": "ae848cb1-7c8a-41eb-b164-bd176dd934e4",
  "org_id": "8b58e482-737e-4145-b0e8-69162a6b5db1",
  "session_id": "c704df8e-0126-4814-a07f-334de83c017f",
  "agent_id": "claude-code",
  "payload": {
    "tool_name": "Bash",
    "tool_id": "toolu_01ABC123",
    "tool_input": {
      "command": "rm -rf /tmp/test"
    },
    "blocked": true,
    "block_reason": "Destructive commands blocked by policy"
  }
}
```

Unique data points:
- Exact tool name (Bash, Read, Write, Edit, Glob, Grep, etc.)
- Full input parameters
- Block status and reason
- Employee/team attribution
- Session context for replay
Status: 🟡 Partial (unconditional + conditional blocking works)
- Block tools by name (exact match)
- Block tools by glob pattern (`mcp__*`)
- Conditional blocking (parameter-based rules)
- Audit-only mode (log without blocking)
- Policy inheritance (org → team → employee)
- Time-based policies (block after hours)
- Approval workflows (request access to blocked tool)
- Policy versioning and rollback
- Policy testing/dry-run mode
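A dry-run evaluation of conditional and time-based rules of the kind this section lists, as an added sketch rather than Arfa's own code. The rule dicts and sample events are constructed; first-match-wins ordering, default-allow, and the semantics of `matches` (regex search) and `contains` (literal substring) are assumptions.

```python
import re
from datetime import time
from fnmatch import fnmatchcase

# Constructed rules mirroring this page's policy shape; "mcp__*" is the page's glob example.
RULES = [
    {"tool": "Bash", "action": "block", "reason": "Destructive commands require approval",
     "conditions": [{"param": "command", "operator": "matches", "value": r"rm -rf|mkfs|dd if="}]},
    {"tool": "Write", "action": "audit"},
    {"tool": "Bash", "action": "block", "reason": "External network access blocked outside business hours",
     "conditions": [{"param": "command", "operator": "matches", "value": r"\b(curl|wget|nc)\b"}],
     "schedule": {"deny": "18:00-09:00"}},
    {"tool": "mcp__*", "action": "block", "reason": "MCP tools blocked"},
]

def in_window(window, now):
    """True if `now` falls in 'HH:MM-HH:MM'; a start later than the end wraps midnight."""
    start, end = (time.fromisoformat(part) for part in window.split("-"))
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def condition_holds(cond, tool_input):
    value = str(tool_input.get(cond["param"], ""))
    if cond["operator"] == "matches":      # assumed: unanchored regex search
        return re.search(cond["value"], value) is not None
    if cond["operator"] == "contains":     # assumed: literal substring
        return cond["value"] in value
    raise ValueError(f"unknown operator {cond['operator']!r}")

def evaluate(event, now, rules=RULES):
    """Dry run: return (action, reason) of the first matching rule, else ('allow', None)."""
    payload = event["payload"]
    for rule in rules:
        if not fnmatchcase(payload["tool_name"], rule["tool"]):
            continue
        if "schedule" in rule and not in_window(rule["schedule"]["deny"], now):
            continue
        if all(condition_holds(c, payload.get("tool_input", {})) for c in rule.get("conditions", [])):
            return rule["action"], rule.get("reason")
    return "allow", None

def tool_call(tool_name, **tool_input):
    """Build a constructed event carrying the page's payload fields."""
    return {"event_type": "tool_call", "payload": {"tool_name": tool_name, "tool_input": tool_input}}
```

The deny window `18:00-09:00` wraps midnight, so 08:59 is inside it and 09:00 is not. The network rule uses word boundaries because an unanchored `curl|wget|nc` also matches `rsync`.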
```yaml
# Block destructive commands
- tool: Bash
  action: block
  conditions:
    - param: command
      operator: matches
      value: "rm -rf|mkfs|dd if="
  reason: "Destructive commands require approval"

# Audit all file writes (don't block, just log)
- tool: Write
  action: audit
  alert: slack

# Block external network access after hours
- tool: Bash
  action: block
  conditions:
    - param: command
      operator: contains
      value: "curl|wget|nc"
  schedule:
    deny: "18:00-09:00"
  reason: "External network access blocked outside business hours"
```

Status: ❌ Not implemented
Priority: HIGH - This is the key differentiator
| Method | Use Case | Complexity |
|---|---|---|
| Webhook | Real-time, any endpoint | Low |
| Kafka | High-volume, streaming | Medium |
| OpenTelemetry | Standard observability | Medium |
| S3/GCS | Batch, compliance archive | Low |
| Syslog | Legacy SIEM integration | Low |
```yaml
# Admin configuration
destinations:
  - name: security-siem
    type: webhook
    url: https://siem.company.com/api/events
    headers:
      Authorization: "Bearer ${SIEM_TOKEN}"
    events:
      - tool_call
      - policy_violation
    format: json
    retry:
      max_attempts: 3
      backoff: exponential
```

```json
{
  "resourceLogs": [{
    "resource": {
      "attributes": [
        {"key": "service.name", "value": {"stringValue": "arfa-gateway"}},
        {"key": "org.id", "value": {"stringValue": "8b58e482-..."}},
        {"key": "employee.id", "value": {"stringValue": "ae848cb1-..."}}
      ]
    },
    "scopeLogs": [{
      "logRecords": [{
        "timeUnixNano": "1705312200000000000",
        "severityText": "INFO",
        "body": {"stringValue": "tool_call:Bash blocked"},
        "attributes": [
          {"key": "tool.name", "value": {"stringValue": "Bash"}},
          {"key": "tool.blocked", "value": {"boolValue": true}},
          {"key": "policy.rule", "value": {"stringValue": "no-destructive-commands"}}
        ]
      }]
    }]
  }]
}
```

Status: ❌ Not implemented
Real-time alerts for security events:
| Event | Alert Channel | Example |
|---|---|---|
| Policy violation | Slack/PagerDuty | "Employee X attempted blocked command" |
| Anomaly detected | Email/Webhook | "Unusual tool usage pattern" |
| New tool first use | Slack | "Employee X used Bash for first time" |
| High token usage | | "Team Y exceeded daily token budget" |
```yaml
alerts:
  - name: policy-violation
    trigger:
      event: tool_call
      condition: blocked == true
    channels:
      - slack: "#security-alerts"
      - pagerduty: P1
    throttle: 5m  # Max 1 alert per 5 minutes per employee

  - name: destructive-command-attempt
    trigger:
      event: tool_call
      condition: |
        tool_name == "Bash" &&
        tool_input.command matches "rm -rf|drop table|truncate"
    channels:
      - slack: "#security-critical"
      - email: security@company.com
    severity: critical
```

Status: 🟡 Basic (employee-focused, limited management)
Design principle: No "admin" namespace. Commands check user role at runtime.
```bash
arfa login/logout        # Authentication
arfa start/stop          # Proxy control
arfa status              # Component status
arfa logs view/stream    # View activity logs
arfa policies list       # View policies
arfa env                 # Proxy environment variables
```

```bash
# Webhook destinations (admin/manager only for write ops)
arfa webhooks list
arfa webhooks add -f webhook.yaml
arfa webhooks test <name>
arfa webhooks delete <name>

# Policy management (admin/manager only for write ops)
arfa policies list
arfa policies create -f policy.yaml
arfa policies test --dry-run
arfa policies enable/disable <id>

# Employee management (admin only)
arfa employees list
arfa employees logs <email>
arfa employees revoke <email>

# Audit (admin/manager only)
arfa audit export --since 30d --format csv
arfa audit report --type compliance
```

Permission model:
| Role | Read (list) | Write (add/delete) |
|---|---|---|
| admin | ✅ | ✅ |
| manager | ✅ | ✅ |
| developer | ✅ | ❌ |
Status: 🟡 Basic logs page exists
- View logs (flat list)
- Basic filtering
- Real-time dashboard with metrics
- Policy management UI
- Destination configuration UI
- Employee activity overview
- Anomaly visualization
- Compliance reports
Note: Dashboard is secondary. Organizations will use their SIEM. Our dashboard is for:
- Initial setup/configuration
- Quick debugging
- Companies without existing SIEM
| Feature | Arfa | Datadog | Snyk | Lakera |
|---|---|---|---|---|
| AI tool-level visibility | ✅ | ❌ | ❌ | ❌ |
| Real-time policy blocking | ✅ | ❌ | ❌ | 🟡 (input only) |
| SIEM integration | ✅ | N/A | ❌ | ❌ |
| Multi-agent support | ✅ | ❌ | ❌ | ❌ |
| On-prem option | 🔜 | ❌ | ❌ | ❌ |
Our unique position: We sit between AI agents and LLM APIs, capturing data no one else can see.
Goal: Prove core capture and blocking works
- HTTPS proxy intercepts LLM traffic
- Tool call extraction from SSE streams
- Basic policy blocking (unconditional)
- Conditional policy blocking
- Log storage in PostgreSQL
- Basic CLI for employees
Goal: Connect to existing security infrastructure
- Webhook destination support
- Configurable event forwarding
- Admin CLI commands
- Slack/PagerDuty alerting
- OpenTelemetry export format
- Kibana dashboard template
Goal: Sophisticated policy engine
- Policy inheritance (org → team → employee)
- Time-based policies
- Approval workflows
- Policy versioning
- Anomaly detection rules
Goal: Production-ready deployment
- High-availability deployment
- On-premises option
- SOC2 compliance documentation
- SSO/SAML integration
- Audit log retention policies
- Data residency options
- <100ms latency overhead from proxy
- 99.9% uptime for proxy service
- <5s event delivery to SIEM
- 3 pilot customers with SIEM integration
- Security team approval (not just dev team)
- Compliance checkbox for AI agent usage
"Watch what happens when Claude tries to run a dangerous command"
- Show Kibana dashboard (empty)
- Employee runs `arfa` → asks Claude to "clean up temp files"
- Claude attempts: `rm -rf /tmp/*`
- Arfa blocks it, shows policy message to employee
- Kibana dashboard updates in real-time:
  - Event: `tool_call:Bash BLOCKED`
  - Employee: `sarah.cto@acme.com`
  - Reason: `Destructive commands blocked`
- Slack alert fires: "Policy violation detected"
Time: 30 seconds. Impact: Visceral understanding of value.
Three value propositions:
| Value | Buyer Pain | Our Solution |
|---|---|---|
| Visibility | "What is AI doing?" | Tool calls, parameters, attribution |
| Control | "Stop bad things" | Policy blocking, approvals, alerts |
| Compliance | "Prove it to auditors" | Audit trail, SIEM export, reports |
| Persona | Pain Point | What They Buy |
|---|---|---|
| CISO | "I can't audit AI usage" | Compliance + SIEM integration |
| Security Engineer | "I need to see what AI does" | Visibility + Alerts |
| Engineering Manager | "Devs use AI without guardrails" | Control + Policies |
| Compliance Officer | "SOC2 requires audit trails" | Export + Reports |
Per-Seat SaaS (Recommended)
| Tier | Price | Includes |
|---|---|---|
| Starter | $15/user/month | 5 users, basic policies |
| Team | $30/user/month | Unlimited users, SIEM export |
| Professional | Custom | On-prem, SSO, SLA, support |
Goal: 10 paying customers
```
Q1: Foundation ← CURRENT
├── Webhook export to SIEM
├── Kibana dashboard template
├── 3 pilot customers
└── Basic alerting (Slack)

Q2: Production Ready
├── SSO/SAML integration
├── Policy management UI
├── On-prem deployment option
└── SOC2 Type 1

Q3: Scale
├── Multi-agent support (Cursor, Copilot)
├── Advanced policies (time-based, approvals)
├── 10 paying customers
└── Series A fundraise

Q4: Expand
├── Anomaly detection
├── Cost management features
├── SOC2 Type 2
└── Partner integrations (ServiceNow, Jira)
```
- AI Agent marketplace (curated, secure agents)
- Industry compliance packs (HIPAA, PCI, FedRAMP)
- Developer SDK (embed Arfa in custom agents)
- "Arfa Runtime" - Secure execution environment
- Multi-agent orchestration with guardrails
- Expand beyond coding agents
| Timeline | Moat |
|---|---|
| Today | Proxy captures unique tool-level data |
| Year 1 | Integrations + policy library + customer lock-in |
| Year 2+ | Network effects + platform + largest AI behavior dataset |
| Acquirer | Strategic Rationale |
|---|---|
| Datadog | Add AI observability to platform |
| CrowdStrike | Endpoint security + AI security |
| Palo Alto | Expand security portfolio |
| Microsoft | Secure Copilot ecosystem |
| Anthropic/OpenAI | Trust layer |
IPO path: $50M+ ARR, category leader in AI security
| # | Action | Why | Status |
|---|---|---|---|
| 1 | Webhook export | Prove SIEM integration story | Not started |
| 2 | Kibana template | Tangible demo artifact | Not started |
| 3 | Slack alerting | Real-time policy violation alerts | Not started |
| 4 | 3 pilot customers | Validate with real customers | Not started |
Last updated: 2025-12-22