Back

Daylight for Claude Enterprise

Detection, Investigation, and Response for AI-Native Threats

While most security integrations focus on Compliance API events, Daylight also analyzes runtime activity from Claude Chat, Claude Code, and Claude Cowork. This provides visibility into how AI systems are actually being used, what actions they perform, what tools they access, and how users interact with them.

The result is detection and investigation coverage for AI-native threats that cannot be identified through audit logs alone.

Why Traditional Security Visibility Falls Short

Claude Enterprise now provides security teams with significantly better visibility than most AI platforms.

Through the Compliance API, organizations can monitor user activity, administrative actions, MCP management, Skills usage, and platform-level events.

This is an important first step.

But it only answers part of the security question.

The Compliance API tells you what happened inside Claude Enterprise.

It does not tell you what Claude actually did.

Security teams increasingly need to understand:

  • How developers are using Claude Code
  • What tools and MCPs agents are interacting with
  • Whether prompts are attempting to manipulate agent behavior
  • What files are being accessed
  • What actions AI systems are performing during runtime

Those questions require runtime visibility.

This is where OpenTelemetry becomes critical.

Compliance API vs OpenTelemetry

Daylight integrates with both telemetry layers exposed by Claude Enterprise.

1) Compliance API

The Compliance API provides visibility into platform activity and governance events.

This includes:

  • User activity
  • Administrative actions
  • Organization configuration
  • MCP management
  • Skills activity
  • Files shared in chats

The Compliance API helps answer:

Who used Claude?

What was configured?

What changed?

2) Open Telemetry

OpenTelemetry provides visibility into runtime behavior across Claude Chat, Claude Code, and Claude Cowork.

This includes:

  • Prompts
  • Tool calls
  • Agent workflows
  • MCP execution
  • File access
  • Shell commands
  • Permission decisions
  • Skill execution

OpenTelemetry helps answer:

What did Claude actually do?

What tools were used?

What actions were performed?

Did the AI behave as expected?

A useful way to think about the difference is:

Compliance API shows how Claude Enterprise is configured and managed.

OpenTelemetry shows how Claude is actually operating.

Effective AI security requires both.

What Daylight Detects

Most AI security products focus on visibility.

Daylight focuses on operationally meaningful detections.

The following examples are possible because Daylight combines Claude runtime telemetry, Compliance API activity, and cross-system investigation context.

1) Prompt Injection Attempts

Identify attempts to manipulate Claude's behavior through malicious instructions embedded in documents, repositories, prompts, or workflows.

Unlike simple pattern matching, investigations determine whether the prompt influenced downstream behavior, tool usage, or data access.

2) Unauthorized MCPs

Detect newly introduced MCPs, shadow integrations, and tool connections that expand Claude's access beyond approved boundaries.

Investigations determine who introduced the MCP, what permissions it provides, and whether it aligns with organizational policy.

3) Tool Abuse and Risky Agents Behavior

Monitor unexpected tool usage, unusual workflow execution, and AI behavior that deviates from expected operating patterns.

This includes scenarios where Claude gains access to capabilities it should not be using or behaves differently than expected.

4) Sensetive File Access and Data Exposure

Monitor unusual file access, uploads, downloads, and movement of sensitive data through Claude workflows.

Investigations determine what data was involved and whether the activity represents meaningful risk.

5) Developer Workflow Monitoring

Understand how Claude Code is being used across engineering teams.

Monitor repository interactions, tool usage patterns, workflow execution, and unusual activity occurring inside developer environments.

6) Claude Chat, Cluade Code and Claude Co-Work Activity

Distinguish between conversational usage, coding workflows, and autonomous agent workflows.

This provides significantly more operational context than traditional audit log monitoring.

Why Detection Alone Is Not Enough

AI systems generate large volumes of activity.

A suspicious MCP, prompt injection attempt, or unusual workflow often does not provide enough information to determine whether real risk exists.

This is why Daylight investigates every detection.

When a detection occurs, Claude activity is correlated with:

  • Identity activity
  • Endpoint telemetry
  • SaaS activity
  • Cloud activity
  • Historical user behavior
  • Organizational context

The goal is not simply to identify unusual activity.

The goal is to determine whether the activity actually matters.

Example Investigation

1) Prompt Injection Investigation

A developer asks Claude to analyze a repository.

A hidden instruction inside the repository attempts to manipulate Claude's behavior and influence downstream actions.

Daylight detects the prompt injection attempt using Claude runtime telemetry.

The investigation reconstructs:

  • The original interaction
  • The injected instructions
  • Tools accessed after the injection
  • Files accessed by the agent
  • Subsequent workflow activity

Claude activity is correlated with identity, endpoint, SaaS, and cloud telemetry to determine whether the prompt injection successfully influenced behavior and whether sensitive data was exposed.

The result is a complete investigation explaining what happened, what actions occurred, and whether remediation is required.

2) Investigation Output

The output of this integration is not another stream of AI-related alerts.

The output is a managed investigation.

Each finding includes:

  • What happened
  • The users involved
  • Systems, tools, and data involved
  • Investigation evidence
  • Risk assessment
  • Recommended actions

Security teams receive conclusions rather than raw telemetry.

Part of Daylight MDR Service

Claude Enterprise activity is investigated through the same MDR workflows used across the rest of the environment.

Security teams do not need another AI security console or another investigation process.

Claude becomes another operational surface covered by Daylight MDR alongside cloud, identity, endpoint, SaaS, email, and other security domains.

As AI systems become part of enterprise infrastructure, security teams need the same detection, investigation, and response capabilities they already expect everywhere else.

Daylight brings that operational model to Claude Enterprise.

Dark space-themed interface with globe edge and labels showing 'Investigating...' and 'Live Threats: 12'.form submission image

Ready for a Modern MDR?

Stop settling for escalation factories. Get AI-native detection and response with security experts and full accountability.

Book a Demo
Cookie Notice

We use cookies to improve your experience on our website. By continuing to browse, you agree to our use of cookies.

Got it