Back

Daylight for Claude Enterprise

Runtime Security for Claude Enterprise

Daylight extends managed detection and response (MDR) into Claude Enterprise.

Using Claude Enterprise telemetry, Daylight detects, investigates, and responds to AI-native threats including prompt injection attempts, unauthorized MCPs, sensitive data exposure, risky tool usage, suspicious agent behavior, and many others.

As organizations adopt Claude across engineering, product, and business teams, security teams need visibility into how AI and agents are being used and the ability to investigate activity that may introduce risk.

Daylight brings the same operational model used for cloud, identity, endpoint, SaaS, and email security into Claude Enterprise.

Unlike traditional MDR offerings, which do not provide dedicated detection and response coverage for Claude Enterprise activity, Daylight continuously monitors Claude telemetry, develops detection content for emerging AI threats, and investigates suspicious activity through the same MDR workflows used across the rest of the environment.

To deliver this visibility, Daylight integrates with both telemetry layers exposed by Claude Enterprise: the Compliance API and OpenTelemetry. Together, these telemetry sources provide visibility into governance activity, runtime agent behavior, tool execution, MCP usage, file access, workflow execution, and AI-driven actions occurring across Claude Chat, Claude Code, and Claude Cowork.

Together, these telemetry sources provide visibility into governance activity, runtime agent behavior, tool execution, MCP usage, file access, workflow execution, and AI-driven actions occurring across Claude Chat, Claude Code, and Claude Cowork.

Why  Claude Enterprise Requires New Security Controls

Traditional security tools were not designed to monitor AI systems.

Security teams can easily answer questions about cloud infrastructure, identities, endpoints, and SaaS applications.

AI introduces a different challenge.

Organizations now need visibility into how AI systems are being used, what tools they can access, what actions they perform, and whether those actions introduce risk.

Security teams increasingly need to answer questions such as:

  • Is Claude interacting with approved tools and MCPs?
  • Are prompt injection attempts influencing agent behavior?
  • Is sensitive data being exposed through AI workflows?
  • Are developers using Claude Code in ways that create risk?
  • Are autonomous agents performing unexpected actions?

These questions cannot be answered through traditional security telemetry alone.

How Daylight Works

Daylight combines Claude Enterprise telemetry, AI-native detections, and managed investigations to identify and investigate security threats originating from AI activity.

The process consists of four stages:

1) collect Activity - Daylight collects activity from both telemetry layers exposed by Claude Enterprise.

2) Detect Threats - Daylight continuously develops detection content for AI-native threats and suspicious behavior.

3) Investigate in Context - Every detection is enriched with identity, endpoint, SaaS, cloud, and organizational context.

4) Deliver Findings - Security teams receive investigation outcomes, risk assessments, and recommended actions rather than raw telemetry.

Compliance API vs OpenTelemetry

Daylight integrates with both telemetry layers exposed by Claude Enterprise.

1) Compliance API

The Compliance API provides visibility into platform activity and governance events.

This includes:

  • User activity
  • Administrative actions
  • Organization configuration
  • MCP management
  • Skills activity
  • Files shared in chats

The Compliance API helps answer:

Who used Claude?

What was configured?

What changed?

2) Open Telemetry

OpenTelemetry provides visibility into runtime behavior across Claude Chat, Claude Code, and Claude Cowork.

This includes:

  • Prompts
  • Tool calls
  • Agent workflows
  • MCP execution
  • File access
  • Shell commands
  • Permission decisions
  • Skill execution

OpenTelemetry helps answer:

What did Claude actually do?

What tools were used?

What actions were performed?

Did the AI behave as expected?

A useful way to think about the difference is:

Compliance API shows how Claude Enterprise is configured and managed.

OpenTelemetry shows how Claude is actually operating.

Effective AI security requires both.

AI-Native Threat Covered

Daylight continuously develops detection content for AI-native threats inside Claude Enterprise.

The examples below represent operational detections designed to identify meaningful security risks rather than simply surface AI activity.

1) Prompt Injection Attempts

Identify attempts to manipulate Claude's behavior through malicious instructions embedded in documents, repositories, prompts, or workflows.

Investigations reconstruct the activity chain and determine whether downstream actions, tool usage, or data access occurred.

2) Unauthorized and Shadow MCPs

Detect newly introduced MCPs, shadow integrations, and tool connections that expand Claude's access beyond approved boundaries.

By correlating governance events with runtime MCP usage, Daylight can identify MCPs that are actively being used and determine whether they align with organizational policy.

3) Risky Tool Usage and Agent Behavior

Detect unexpected tool execution, unusual workflow activity, and behaviors that deviate from established patterns.

This includes scenarios where agents access capabilities they should not be using or perform actions outside expected workflows.

4) Sensetive Data Exposure

Monitor unusual file access, uploads, downloads, and movement of sensitive data through Claude workflows.

Investigations determine what data was involved, who accessed it, and whether meaningful risk exists.

5) Claude Code Security Monitoring

Monitor developer AI workflows, repository interactions, tool usage patterns, and activity occurring inside Claude Code sessions.

This provides visibility into how AI is being used throughout software development workflows.

6) Claude Cowork Activity Monitoring

Monitor autonomous workflows, task execution, and agent-driven actions occurring through Claude Cowork.

This provides visibility into how AI systems interact with business processes and enterprise systems.

Why Detection Alone Is Not Enough

AI systems generate large volumes of activity.

A suspicious MCP, prompt injection attempt, or unusual workflow often does not provide enough information to determine whether real risk exists.

This is why Daylight investigates every detection.

When a detection occurs, Claude activity is correlated with:

  • Identity activity
  • Endpoint telemetry
  • SaaS activity
  • Cloud activity
  • Historical user behavior
  • Organizational context

The goal is not simply to identify unusual activity.

The goal is to determine whether the activity actually matters.

Example Investigation - Prompt Injection Attempt

A developer asks Claude to analyze a repository.

A hidden instruction embedded in the repository attempts to manipulate the model's behavior and influence downstream actions.

Daylight detects the prompt injection attempt using Claude runtime telemetry.

The investigation reconstructs the interaction, reviews tool execution, analyzes file access, and evaluates subsequent workflow activity.

Claude activity is correlated with identity, endpoint, SaaS, and cloud telemetry to determine whether the attempt resulted in unauthorized actions or sensitive data exposure.

The result is a complete investigation explaining what occurred, why it was flagged, and whether remediation is required.

Investigation Output

The output of this integration is not another stream of AI-related alerts.

The output is a managed investigation.

Each finding includes:

  • What happened
  • Users involved
  • Systems and data involved
  • Investigation evidence
  • Risk assessment
  • Recommended actions

Security teams receive conclusions rather than raw telemetry.

Part of Daylight MDR Service

Claude Enterprise activity is investigated through the same MDR workflows used across the rest of the environment.

Security teams do not need another AI security console or another investigation process.

Claude becomes another operational surface covered by Daylight MDR alongside cloud, identity, endpoint, SaaS, email, and other security domains.

As AI systems become part of enterprise infrastructure, security teams need the same detection, investigation, and response capabilities they already expect everywhere else.

Daylight brings that operational model to Claude Enterprise.

Dark space-themed interface with globe edge and labels showing 'Investigating...' and 'Live Threats: 12'.form submission image

Ready for a Modern MDR?

Stop settling for escalation factories. Get AI-native detection and response with security experts and full accountability.

Book a Demo
Cookie Notice

We use cookies to improve your experience on our website. By continuing to browse, you agree to our use of cookies.

Got it