Dashboard

Performance & Security Analytics

Analytics is the primary tool for long-term trend analysis and security posture assessment. Use it to understand throughput, enforcement mix, and where policy pressure is concentrating across categories.

  • Volume: Spot spikes and loops quickly.
  • Mix: Track ALLOW vs HOLD vs BLOCK balance.
  • Block pressure: See which categories are failing most.
  • Tuning: Turn insights into policy changes.

Verdict volume & distribution

Verdict volume (24h)

This chart displays hourly verdict counts (ALLOW/HOLD/BLOCK) over the last 24 hours. Use it to identify:

  • Spikes in agent activity (deploys, load tests, incident bursts).
  • Potential infinite loops (sustained high volume with repetitive patterns).
  • Quiet periods (upstream outage, stalled automation, or disabled agents).

Verdict distribution

The distribution pie is a high-level breakdown of ALLOW, HOLD, and BLOCK. A “healthy” distribution depends on your business, but as a rule:

  • Mostly ALLOW is typical when policy is well-scoped and agents act within known lanes.
  • Rising HOLD can be expected for sensitive workflows (it indicates human review is being exercised), but a growing backlog suggests operator load.
  • High BLOCK often indicates over-broad rules, compromised prompts/integrations, or agents testing boundaries.

Categorical block analysis

This is the core of the page: Block rate by category shows what percentage of events in each enforcement category resulted in BLOCK.

How it’s calculated

When aggregated data is available, the UI uses the backend-provided block_rate_pct for each category. As a fallback, it computes:

block_rate_pct = round( blocked_count / total_count * 100 )

Categories come from the enforcement engine’s category taxonomy (used across onboarding risk rules and policy views).
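
The calculation described above, written out as an added example (this is not the product's own UI code). It prefers a backend-provided block_rate_pct, falls back to the formula, and ranks categories by block pressure. The event shape ({category, verdict}), the `source` field, the function names, and returning null for a category with no events are assumptions; `round` is taken to be JavaScript's Math.round.

```javascript
// Added example: field names other than block_rate_pct, blocked_count and
// total_count are assumptions, as is returning null for an empty category.

// Fallback formula from the page; null when there are no events to divide by.
function fallbackBlockRate(blockedCount, totalCount) {
  if (!Number.isFinite(blockedCount) || !Number.isFinite(totalCount) || totalCount <= 0) {
    return null;
  }
  return Math.round((blockedCount / totalCount) * 100);
}

// Count raw verdict events ({category, verdict}) into per-category totals.
function aggregateVerdicts(events) {
  const byCategory = new Map();
  for (const { category, verdict } of events) {
    const row = byCategory.get(category) ||
      { category, blocked_count: 0, total_count: 0 };
    row.total_count += 1;
    if (verdict === "BLOCK") row.blocked_count += 1;
    byCategory.set(category, row);
  }
  return [...byCategory.values()];
}

// Prefer the backend-provided block_rate_pct; otherwise compute the fallback.
// Rows are returned sorted by block pressure, highest first, unknowns last.
function blockPressure(rows) {
  return rows
    .map((row) => {
      const hasBackend = Number.isFinite(row.block_rate_pct);
      return {
        category: row.category,
        block_rate_pct: hasBackend
          ? row.block_rate_pct
          : fallbackBlockRate(row.blocked_count, row.total_count),
        source: hasBackend ? "backend" : "computed",
      };
    })
    .sort((a, b) => (b.block_rate_pct ?? -1) - (a.block_rate_pct ?? -1));
}

// Constructed sample events, not real telemetry.
const sampleEvents = [
  { category: "Financial", verdict: "BLOCK" },
  { category: "Financial", verdict: "ALLOW" },
  { category: "Financial", verdict: "BLOCK" },
  { category: "Communication", verdict: "ALLOW" },
  { category: "Communication", verdict: "HOLD" },
  { category: "Code execution", verdict: "BLOCK" },
];
const sampleRanking = blockPressure(aggregateVerdicts(sampleEvents));
```

A category with very few events can show an extreme rate (one blocked event out of one is 100%), so read the percentage alongside the total count before changing policy.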

Enforcement categories

The dashboard tracks block pressure across these categories (names match what you’ll see in policy configuration):

Category              What it represents
Financial             Unauthorized transactions, refunds/payouts, token movements, billing mutations.
Communication         Outbound messaging (email/DM), recipients/attachments, impersonation risks.
File system           Sensitive local/cloud storage access, secrets files, bulk delete/export.
Code execution        Arbitrary script/shell execution, privileged commands, migrations.
Network & web         New endpoints, exfiltration-sized payloads, suspicious domains/TLDs.
Accounts & identity   Privilege escalation, token scope changes, credential resets/rotation.
Calendar              Meeting/invite abuse, external participants, bulk calendar operations.
Self-modification     Agent changing its own instructions, logging/audit tampering.
Cross-agent           Cross-tenant reads, agent-to-agent escalation, lateral movement patterns.
Behavioral anomaly    Deviations from baseline persona/behavior; unexpected action families.

Actionable insights

Tuning your policy

If a specific category has a high block rate, treat it as a signal to review the active Policy Pack: rules may be too broad, thresholds too low, or the agent may be operating outside its intended lane. Start with the feed to sample real blocked actions, then adjust the pack to narrow triggers or route to HOLD when human review is acceptable.