SIEM & streaming

Your audit log, in the tools you already run.

Every governed event is a structured record. Pull it on demand as NDJSON or CSV, or push it live into Splunk, Datadog, or any OTLP collector. The secrets stay redacted in the record, so your SIEM gets the evidence without the credential.

NDJSON and CSV · Splunk · Datadog · OTLP

audit.ndjson
{"ts":"2026-06-13T18:04:11Z","agent":"agent_7f3c","tool":"send_email","decision":"hold","risk":78,"secret":"«redacted»"}
one line per governed event, secrets masked
NDJSON
Or CSV, on demand
Live
Push to Splunk and Datadog
OTLP
Any OpenTelemetry collector
Pro
Available on Pro and above

Two ways to get the data

Pull it, or have it pushed to you.

Some teams pull a window of events for an investigation. Others want every event in their SIEM the moment it happens. Both work from the same governed record.

Pull on demand

Export a time range as NDJSON or CSV from the API or the dashboard, ready for an investigation or a backfill.

Stream live

Forward every governed event to Splunk over HEC or to Datadog as it happens; deliveries that fail are retried rather than dropped.

OpenTelemetry native

Emit events to any OTLP collector, so the audit log lands in whatever backend your observability stack uses.

Redaction preserved

Secrets and PII are masked in the record itself, so every path out of it, pull or stream, carries the redaction marker and never a live credential.

Wire it up

Point it at your collector.

Configure a target once and every governed event flows to it. Pull the same data with a single call when you need a window on demand.

target   splunk
endpoint https://splunk.acme.com:8088/services/collector
token    $SPLUNK_HEC_TOKEN
format   ndjson
Pro and above
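What the Splunk side of that target looks like in practice, as an added example that is not the product's own forwarder: the governed record is wrapped in Splunk's documented HEC envelope (POST to /services/collector, an `Authorization: Splunk <token>` header, one JSON object per event with `event`, `time` and `sourcetype`), batched as NDJSON, and sent with exponential backoff. Transport errors and 5xx are retried; a 4xx (bad token, malformed event) is a configuration problem and fails fast. The endpoint and token fall back to the placeholders from the config above, the `sourcetype` name is an assumption, and the sample record is constructed in the page's schema.

```python
"""Forwarder for governed audit events into Splunk HEC, with retries.

Added example, not the product's own streaming code. Assumes the record
shape shown on this page and Splunk's documented HEC contract; the
sourcetype name and the sample record are assumptions/constructed data.
"""
import json
import os
import time
import urllib.error
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Iterable, Optional

HEC_ENDPOINT = os.environ.get(
    "SPLUNK_HEC_ENDPOINT", "https://splunk.acme.com:8088/services/collector"
)
HEC_TOKEN = os.environ.get("SPLUNK_HEC_TOKEN", "")  # never hard-code the token

# Constructed sample record in the page's schema (not real data).
SAMPLE_RECORD = {
    "ts": "2026-06-13T18:04:11Z",
    "workspace": "ws_acme",
    "agent": "agent_7f3c",
    "tool": "send_email",
    "decision": "hold",
    "risk": 78,
    "signals": ["injection", "egress"],
    "matchedPolicyId": "no-untrusted-egress",
    "secret": "«redacted:secret.stripe_live»",
}


def to_hec_event(record: dict, sourcetype: str = "agent:audit") -> dict:
    """Wrap one governed event in the HEC envelope.

    ``time`` is taken from the record's own ``ts`` (RFC 3339, UTC) so Splunk
    indexes the event at decision time rather than at arrival time; that
    matters when a backlog is replayed after an outage.
    """
    ts = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return {"time": ts.timestamp(), "sourcetype": sourcetype, "event": record}


def hec_batch_body(records: Iterable[dict]) -> bytes:
    """HEC accepts several JSON objects concatenated in one POST, i.e. NDJSON."""
    return "\n".join(json.dumps(to_hec_event(r)) for r in records).encode("utf-8")


def post_to_splunk(body: bytes, timeout: float = 10.0) -> int:
    """Real HTTP sender; returns the HTTP status. Not exercised offline."""
    req = urllib.request.Request(
        HEC_ENDPOINT,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Splunk {HEC_TOKEN}",
            "Content-Type": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:  # non-2xx still carries a status code
        return e.code


def send_with_retry(
    body: bytes,
    post: Callable[[bytes], int] = post_to_splunk,
    max_attempts: int = 5,
    base_delay: float = 0.5,
) -> int:
    """POST a batch, retrying transport errors and 5xx with exponential backoff.

    4xx means the collector understood us and said no (bad token, malformed
    event): retrying would only hammer it, so fail immediately. Returns the
    attempt number that succeeded.
    """
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        status: Optional[int]
        try:
            status = post(body)
        except OSError:  # DNS failure, connection refused, timeout, TLS error
            status = None
        if status is not None and 200 <= status < 300:
            return attempt
        if status is not None and 400 <= status < 500:
            raise RuntimeError(f"HEC rejected batch with HTTP {status}; not retrying")
        if attempt == max_attempts:
            raise RuntimeError(f"HEC unreachable after {max_attempts} attempts")
        time.sleep(delay)
        delay = min(delay * 2, 30.0)
    raise AssertionError("unreachable")


if __name__ == "__main__":
    print(send_with_retry(hec_batch_body([SAMPLE_RECORD])))
```

Keeping the token in `$SPLUNK_HEC_TOKEN` rather than in the config file mirrors the target definition above: the audit pipeline that exists to keep credentials out of logs should not itself become a place one is stored.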

One schema

A stable, structured record per event.

Every governed event is the same shape, whether you pull it or stream it: the agent, the tool, the decision, the risk, and a redaction marker wherever a secret was.

{
  "ts": "2026-06-13T18:04:11Z",
  "workspace": "ws_acme",
  "agent": "agent_7f3c",
  "tool": "send_email",
  "decision": "hold",
  "risk": 78,
  "signals": ["injection", "egress"],
  "matchedPolicyId": "no-untrusted-egress",
  "secret": "«redacted:secret.stripe_live»"
}

Evidence, not exposure

The export carries proof a secret was present and caught, never the secret itself.
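The consumer-side checks a security team would run over a pulled NDJSON window, as an added example that is not the product's own tooling, serving both the schema above and the redaction guarantee: parse one record per line without letting a truncated tail hide the rest of the window, assert that every `secret` field is a «redacted…» marker (the one invariant that makes the export safe to ship downstream), filter a time range by decision, and tally decisions and fired policies. It assumes only the record shape shown on this page; the marker regex generalises the two marker forms the page shows. The sample export is constructed, including a deliberately bad line whose `secret` holds a placeholder string (not a real credential) so the check can be seen firing, and a cut-off last line.

```python
"""Consumer-side checks on a pulled NDJSON audit export.

Added example, not the product's own tooling. Assumes only the record shape
shown on this page. SAMPLE_EXPORT is constructed data; the third line
simulates a record that escaped redaction (placeholder, not a real key) and
the last line is truncated as a cut-off download would be.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Marker forms seen on this page: «redacted» or «redacted:<secret class>».
REDACTION_MARKER = re.compile(r"^«redacted(?::[A-Za-z0-9_.\-]+)?»$")

SAMPLE_EXPORT = "\n".join([
    '{"ts":"2026-06-13T18:04:11Z","workspace":"ws_acme","agent":"agent_7f3c","tool":"send_email","decision":"hold","risk":78,"signals":["injection","egress"],"matchedPolicyId":"no-untrusted-egress","secret":"«redacted:secret.stripe_live»"}',
    '{"ts":"2026-06-13T18:05:02Z","workspace":"ws_acme","agent":"agent_7f3c","tool":"read_file","decision":"allow","risk":12,"signals":[],"matchedPolicyId":null,"secret":"«redacted»"}',
    '{"ts":"2026-06-13T18:06:40Z","workspace":"ws_acme","agent":"agent_9a21","tool":"http_post","decision":"block","risk":91,"signals":["egress"],"matchedPolicyId":"no-untrusted-egress","secret":"sk_live_PLACEHOLDER_NOT_REAL"}',
    "",
    '{"ts":"2026-06-13T19:00:00Z","workspace":"ws_acme","agent":"agent_9a21","tool":"send_email","decision":"allow","risk":8,"signals":[],"matchedPolicyId":null}',
    '{"ts":"2026-06-13T19:01:00Z","workspace":"ws_ac',
])


def parse_ndjson(text: str) -> Tuple[List[dict], List[int]]:
    """Parse one JSON object per line; return (records, bad_line_numbers).

    Blank lines are skipped. A malformed line is reported, not fatal, so one
    truncated tail does not hide the rest of the window from an investigator.
    """
    records, bad = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append(n)
    return records, bad


def is_redacted(value) -> bool:
    """True only for a well-formed redaction marker; None or raw text is False."""
    return isinstance(value, str) and REDACTION_MARKER.match(value) is not None


def unredacted(records: List[dict]) -> List[dict]:
    """Records whose ``secret`` field is present but not a redaction marker.

    For a correct export this is empty. Anything here is a record that would
    have shipped a live credential to the SIEM, and the export path, not the
    SIEM, is where to fix it.
    """
    return [r for r in records if "secret" in r and not is_redacted(r["secret"])]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def window(records: List[dict], start: str, end: str,
           decision: Optional[str] = None) -> List[dict]:
    """Records with start <= ts < end (RFC 3339 UTC), optionally one decision."""
    s, e = _ts(start), _ts(end)
    return [r for r in records
            if s <= _ts(r["ts"]) < e and (decision is None or r["decision"] == decision)]


def summarize(records: List[dict]) -> Dict[str, Counter]:
    """The counts an investigator reaches for first: decisions, which
    policies fired, and which secret classes were caught (by marker only)."""
    return {
        "decisions": Counter(r["decision"] for r in records),
        "policies": Counter(r["matchedPolicyId"] for r in records
                            if r.get("matchedPolicyId")),
        "secret_classes": Counter(r["secret"] for r in records
                                  if is_redacted(r.get("secret"))),
    }


if __name__ == "__main__":
    recs, bad = parse_ndjson(SAMPLE_EXPORT)
    print(f"{len(recs)} records, malformed lines: {bad}")
    print("unredacted:", [(r["ts"], r["agent"]) for r in unredacted(recs)])
    print(summarize(recs))
```

The `secret_classes` tally is the "evidence, not exposure" point in practice: the marker's class suffix tells you a Stripe live key was present and caught, which is all an investigation needs, without the key ever leaving the record.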

Get every governed event where your team already looks.

Pull a window for an investigation, or stream the whole log live into Splunk, Datadog, or your OTLP backend.