Server-side secrets
Tenant LLM API keys stay inside BlackShield's AI Gateway. The runtime only receives a short-lived access token plus tenant policy context.
Agentic AI
Run governed blue-team automation inside your environment with tenant-scoped MCP context, tenant-owned AI provider configuration, and approval gates around every mutation.
The agent starts with findings, dashboards, remediation policy, and security-review context through MCP before it attempts any local or platform-side action.
Mutating shell commands and assignment-scoped product changes require explicit approval in the `/agents` console before the run can continue.
Create an installation in the `/agents` console. BlackShield issues a dedicated bootstrap key and links a service principal to AI Gateway.
Run the `public.ecr.aws/blackshield-security/security-agent:1.0.0` container with `BLACKSHIELD_API_URL` and `BLACKSHIELD_API_KEY`.
Queue an assignment for `finding_triage`, `remediation_followup`, or `security_review_support` and monitor the run timeline, artifacts, and approval queue.
Set `BLACKSHIELD_API_URL` to the BlackShield API origin, such as `https://api.blackshield.chaplau.com`. Do not point the runtime at the dashboard URL, such as `https://blackshield.chaplau.com`.
The runtime bootstraps from that API origin and receives tenant-scoped MCP and AI Gateway URLs from the control plane automatically.
The setup guides default to the stable runtime tag (`1.0.0` above). Use `public.ecr.aws/blackshield-security/security-agent:latest` only if you want the preview channel.
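A pre-flight script for the container step above, written here as an added example rather than BlackShield's own tooling: it rejects a `BLACKSHIELD_API_URL` that is not an HTTPS origin or that points at the dashboard host, and writes the two variables to a mode-600 env file so the bootstrap key is not typed on the `docker run` command line. It assumes the dashboard and API hostnames shown on this page and that the image needs no extra flags beyond `--env-file`.

```shell
#!/bin/sh
# Added example, not BlackShield's code. Assumption: the dashboard origin is
# https://blackshield.chaplau.com and the API origin is
# https://api.blackshield.chaplau.com, as in the page's own example.
BLACKSHIELD_IMAGE="public.ecr.aws/blackshield-security/security-agent:1.0.0"

# Return 0 if $1 is an HTTPS origin that is not the dashboard, else 1.
blackshield_check_api_url() {
  url="${1%/}"                                  # tolerate one trailing slash
  case "$url" in
    https://*) ;;
    *) echo "BLACKSHIELD_API_URL must start with https://" >&2; return 1 ;;
  esac
  case "$url" in
    https://blackshield.chaplau.com)            # the dashboard, not the API
      echo "BLACKSHIELD_API_URL points at the dashboard; use the API origin" >&2
      return 1 ;;
  esac
  case "${url#https://}" in
    */*) echo "BLACKSHIELD_API_URL must be a bare origin, no path" >&2; return 1 ;;
  esac
  return 0
}

# Write BLACKSHIELD_API_URL and BLACKSHIELD_API_KEY (taken from the caller's
# environment) to $1 with mode 600, so the key never appears in shell
# history or `ps` output. Anyone who can run `docker inspect` can still read
# it, so keep Docker socket access restricted.
blackshield_write_env_file() {
  out="$1"; url="${2%/}"
  blackshield_check_api_url "$url" || return 1
  [ -n "$BLACKSHIELD_API_KEY" ] || { echo "BLACKSHIELD_API_KEY is not set" >&2; return 1; }
  ( umask 077 && printf 'BLACKSHIELD_API_URL=%s\nBLACKSHIELD_API_KEY=%s\n' \
      "$url" "$BLACKSHIELD_API_KEY" > "$out" )
}

# Print the launch command for the stable tag (pinned, not :latest).
blackshield_run_cmd() {
  printf 'docker run --rm --env-file %s %s\n' "$1" "$BLACKSHIELD_IMAGE"
}

# Usage: BLACKSHIELD_API_KEY=... sh agent-preflight.sh https://api.blackshield.chaplau.com
if [ -n "$1" ] && blackshield_write_env_file ./agent.env "$1"; then
  blackshield_run_cmd ./agent.env
fi
```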