> For the complete documentation index, see [llms.txt](https://docs.keeper.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.keeper.io/keeperpam/privileged-access-manager/keeperai.md).

# KeeperAI

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F7rQtwjXJlA3ddCR7ztE5%2FKeeperAI.png?alt=media&#x26;token=53ec3b12-b6fd-451d-9cc1-c0c5da9c81a5" alt=""><figcaption></figcaption></figure>

## Overview

KeeperAI is an agentic service that provides AI-powered security features including threat detection, anomaly detection, privileged session visual summaries, and context-aware analysis. KeeperAI is embedded into the Keeper Gateway and enhances key functional areas across the Keeper platform, including privileged sessions and KeeperDB.

## Key Features

* **Automated Session Analysis**: Analyze session metadata, keystroke logs, visual interaction and command execution logs to detect unusual behavior
* **Threat Classification**: Automatically categorize detected threats and assign risk levels, generate alerts and push events to connected SIEM provider.
* **Database administration**: Assists within KeeperDB database sessions with query generation, optimization, data science workflows, human-in-the-loop query approvals, and context-aware analysis.
* **Flexible Deployment**: Support for both third-party, cloud-based, and on-premises LLM inference
* **Customizable Configuration**: Adjust risk parameters and detection rules to your environment
* **Multi-Protocol Support**: Works across all privileged access protocols with visual analysis capabilities

Video Overview:

{% embed url="<https://vimeo.com/1143898222?fe=sh&fl=pl>" %}
KeeperAI Threat Detection for Privileged Sessions
{% endembed %}

KeeperAI Product Page:

{% embed url="<https://www.keepersecurity.com/features/keeper-ai/>" %}

## Security Model

The KeeperAI agent executes on the Keeper Gateway which is hosted by the customer and communicates directly to the customer's preferred AI provider such as OpenAI, Anthropic, AWS Bedrock or any self-hosted LLM. The security model of the KeeperPAM platform preserves zero knowledge while offering oversight of all user interactions with privileged resources.

<figure><img src="/files/xzoDZa8qLcxMFK4YiYJN" alt=""><figcaption><p>KeeperAI Security Model</p></figcaption></figure>

## Supported Protocols

The KeeperAI agent operates on both visual interaction and text that the user types during a privileged session. All of the KeeperPAM connection protocols are supported, including:

* RDP
* VNC
* SSH
* Databases
* Remote Browser Isolation (RBI)
* Kubernetes
* Telnet
* KeeperDB

{% hint style="info" %}
**Vision-Enabled Model Requirement**: KeeperAI requires Large Language Models (LLMs) that support **multimodal input** (both text and images).

This vision capability is essential for analyzing visual session data from protocols like RDP, VNC, and RBI, where the system captures and analyzes screen content in addition to text-based commands.\
​\
When selecting an LLM provider and model, ensure it supports:

* Text input for command and query analysis
* Image input for visual session monitoring and screen capture analysis

Examples of vision-enabled models include:

* OpenAI GPT with Vision
* Anthropic Claude
* Google Gemini
* AWS Bedrock models with vision support (e.g., Claude, Nova 2)

Consult your LLM provider's documentation to verify vision capabilities before deployment.
{% endhint %}

### **Screenshots**

#### **RDP to a Windows Domain Controller**

<figure><img src="/files/CfqxuHfMWUbG9kzbQL6Q" alt=""><figcaption><p>KeeperAI Session Analysis</p></figcaption></figure>

#### **VNC to a Linux Server**

<figure><img src="/files/c8y7ziLB5NWoUAmWtJ6a" alt=""><figcaption></figcaption></figure>

#### **SSH to a Linux Server**

<figure><img src="/files/o2kP9iLk4EIWZZtgASe9" alt=""><figcaption></figcaption></figure>

#### RBI - Loading the AWS Console

<figure><img src="/files/DrACjLO4t5fmngJw8ioD" alt=""><figcaption></figcaption></figure>

#### **KeeperDB - MySQL Session**

<figure><img src="/files/yFvpeSF8fEYifSU6vSuL" alt=""><figcaption></figcaption></figure>

#### KeeperDB - AI Assistant

KeeperAI assists with queries and data science tasks inside KeeperDB. Read-only analysis can run directly, while queries that modify data require human approval. Responses stay grounded in the active schema and session context.

<figure><img src="/files/fel1xe4vOSaaYNFIwFgg" alt=""><figcaption></figcaption></figure>

***

## **KeeperAI Setup**

### Step 1 - Update the Keeper Gateway

The Keeper Gateway works with your AI provider. Ensure that you are running version 1.8.0 or newer. For detailed setup instructions, [follow this guide](/keeperpam/privileged-access-manager/getting-started/gateways.md).

### Step 2 - LLM Integration

KeeperAI leverages Large Language Models (LLMs) to power its threat detection capabilities. The Keeper Gateway communicates with any LLM of your choice to analyze session data and generate intelligent security insights. This integration is fundamental to KeeperAI's ability to detect suspicious patterns and provide detailed session summaries.

KeeperAI is designed to work with multiple LLM providers, giving you flexibility in your deployment. Self-hosted and cloud-based LLMs are compatible.

{% hint style="success" %}
Important: When configuring your LLM provider, you **must** select a model that supports both text and image input. Models without vision capabilities will not function correctly with KeeperAI, especially for protocols that require visual analysis (RDP, VNC, RBI). - [How do I choose a model?](#q-how-do-i-choose-a-model)

If you have any questions or would like to know more about a LLM Provider, please email us at <pam@keepersecurity.com> and we'll quickly assist you.
{% endhint %}

#### Docker Installation Method

<details>

<summary>OpenAI-Compatible API</summary>

Support for any API providers implementing that use OpenAI’s request and response formats for the `/chat/completions` endpoint.

**Configuration**

1. Ensure your Gateway has the appropriate permissions to access the LLM service
2. Configure the Gateway with the following environment variables for the gateway service in your Docker Compose file:

```yaml
environment:
  KEEPER_GATEWAY_AI_LLM_PROVIDER: "openai-generic"
  KEEPER_GATEWAY_AI_BASE_URL: "<your-base-url>"
  KEEPER_GATEWAY_AI_API_KEY: "<your-api-key>"
  KEEPER_GATEWAY_AI_MODEL: "<your-vision-enabled-model-id>"
```

{% hint style="info" %}
The `KEEPER_GATEWAY_AI_BASE_URL` **must** include a valid protocol prefix (`http://` or `https://`). If the protocol is missing, Keeper Gateway will throw a configuration error during startup.

For example:

✅ `https://your-llm-provider.com/v1`\
❌ `your-llm-provider.com/v1`
{% endhint %}

A non-exhaustive list of providers you can use:

<table data-full-width="false"><thead><tr><th>Inference Provider</th><th>Resources</th><th>Infrastructure<select multiple><option value="rGhefSI66jVq" label="SaaS" color="blue"></option><option value="YgGEIZr9Vyx0" label="Self-Hosted" color="blue"></option></select></th></tr></thead><tbody><tr><td>Ask Sage</td><td><a href="https://www.asksage.ai/">Ask Sage</a></td><td><span data-option="rGhefSI66jVq">SaaS, </span><span data-option="YgGEIZr9Vyx0">Self-Hosted</span></td></tr><tr><td>Azure AI Foundry</td><td><a href="https://ai.azure.com/">Azure AI Foundry</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>Cohere</td><td><a href="https://docs.cohere.com/v2/docs/compatibility-api">Cohere</a></td><td><span data-option="rGhefSI66jVq">SaaS, </span><span data-option="YgGEIZr9Vyx0">Self-Hosted</span></td></tr><tr><td>Cerebras</td><td><a href="https://inference-docs.cerebras.ai/resources/openai">Cerebras</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>Fireworks AI</td><td><a href="https://docs.fireworks.ai/tools-sdks/openai-compatibility">Fireworks AI</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>Featherless AI</td><td><a href="https://featherless.ai/docs/api-reference">Featherless AI</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>Groq</td><td><a href="https://console.groq.com/docs/api-reference#chat">Groq</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>Grok</td><td><a href="https://docs.x.ai/docs/api-reference#chat-completions">Grok</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>Hyperbolic</td><td><a href="https://docs.hyperbolic.xyz/docs/inference-api">Hyperbolic</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>Hugging Face</td><td><a href="https://huggingface.co/inference-endpoints/dedicated">Hugging Face</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>Keywords AI</td><td><a href="https://docs.keywordsai.co/integration/development-frameworks/llm_framework/openai/openai-sdk">Keywords AI</a></td><td><span data-option="rGhefSI66jVq">SaaS, </span><span data-option="YgGEIZr9Vyx0">Self-Hosted</span></td></tr><tr><td>LiteLLM</td><td><a href="https://www.litellm.ai/">LiteLLM</a></td><td><span data-option="rGhefSI66jVq">SaaS, </span><span data-option="YgGEIZr9Vyx0">Self-Hosted</span></td></tr><tr><td>LM Studio</td><td><a href="https://lmstudio.ai/docs/app/api/endpoints/openai">LM Studio</a></td><td><span data-option="YgGEIZr9Vyx0">Self-Hosted</span></td></tr><tr><td>Nebius</td><td><a href="https://docs.nebius.com/studio/inference/quickstart">Nebius</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>Novita</td><td><a href="https://novita.ai/docs/guides/llm-api#api-integration">Novita</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>NScale</td><td><a href="https://docs.nscale.com/api-reference/inferencing/create-chat-completion">NScale</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>Ollama</td><td><a href="https://docs.ollama.com/openai">Ollama</a></td><td><span data-option="rGhefSI66jVq">SaaS, </span><span data-option="YgGEIZr9Vyx0">Self-Hosted</span></td></tr><tr><td>OpenRouter</td><td><a href="https://openrouter.ai/">OpenRouter</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>SambaNova</td><td><a href="https://docs-legacy.sambanova.ai/sambastudio/latest/open-ai-api.html">SambaNova</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>Tinfoil</td><td><a href="https://docs.tinfoil.sh/sdk/overview#direct-api-access">Tinfoil</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>TogetherAI</td><td><a href="https://docs.together.ai/docs/openai-api-compatibility">TogetherAI</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>Unify AI</td><td><a href="https://docs.unify.ai/api-reference/llm_queries/chat_completions">Unify AI</a></td><td><span data-option="rGhefSI66jVq">SaaS, </span><span data-option="YgGEIZr9Vyx0">Self-Hosted</span></td></tr><tr><td>Vercel AI Gateway</td><td><a href="https://vercel.com/docs/ai-gateway/openai-compat">Vercel AI Gateway</a></td><td><span data-option="rGhefSI66jVq">SaaS</span></td></tr><tr><td>vLLM</td><td><a href="https://docs.vllm.ai/en/latest/serving/openai_compatible_server.html">vLLM</a></td><td><span data-option="YgGEIZr9Vyx0">Self-Hosted</span></td></tr></tbody></table>

</details>

<details>

<summary>AWS Bedrock</summary>

You can get started quickly, privately customize foundation models with your own data, and easily and securely integrate and deploy them into your applications using AWS tools without having to manage any infrastructure.

**Configuration**

1. Ensure that the IAM role for the Gateway has the `AmazonBedrockFullAccess` [policy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonBedrockFullAccess.html) attached
2. [Request access](https://docs.aws.amazon.com/bedrock/latest/userguide/getting-started.html#getting-started-model-access) through AWS Console to an Amazon Bedrock foundation model
3. Select a model from the [supported list](https://docs.aws.amazon.com/bedrock/latest/userguide/models-supported.html) and note the corresponding model ID.
4. Configure the Gateway with the following environment variables for the gateway service in your Docker Compose file:

   Keeper Gateway follows standard AWS credential resolution:

   1. **Explicit credentials** in environment variables (`AWS_ACCESS_KEY_ID`, etc.)
   2. **AWS Profile** from `AWS_PROFILE` environment variable
   3. **Shared credentials file** (`~/.aws/credentials`)
   4. **IAM Instance role** (when running on AWS infrastructure)

***

Method 1: Access Keys

```yaml
environment:
  KEEPER_GATEWAY_AI_LLM_PROVIDER: "aws-bedrock"
  KEEPER_GATEWAY_AI_MODEL: "<your-vision-enabled-model-id>"
  AWS_REGION: "<your-aws-region>"
  AWS_ACCESS_KEY_ID: "<your-access-key-id>"
  AWS_SECRET_ACCESS_KEY: "<your-secret-access-key>"
```

Method 2: Temporary Credentials

```yaml
environment:
  KEEPER_GATEWAY_AI_LLM_PROVIDER: "aws-bedrock"
  KEEPER_GATEWAY_AI_MODEL: "<your-vision-enabled-model-id>"
  AWS_REGION: "<your-aws-region>"
  AWS_ACCESS_KEY_ID: "<your-access-key-id>"
  AWS_SECRET_ACCESS_KEY: "<your-secret-access-key>"
  AWS_SESSION_TOKEN: "<your-session-token>"
```

Method 3: AWS Profile

```yaml
environment:
  KEEPER_GATEWAY_AI_LLM_PROVIDER: "aws-bedrock"
  KEEPER_GATEWAY_AI_MODEL: "<your-vision-enabled-model-id>"
  AWS_REGION: "<your-aws-region>"
  AWS_PROFILE: "<your-profile-name>"
volumes:
  - ~/.aws:/root/.aws:ro
```

Method 4: IAM Instance Role (ECS/EC2)

```yaml
environment:
  KEEPER_GATEWAY_AI_LLM_PROVIDER: "aws-bedrock"
  KEEPER_GATEWAY_AI_MODEL: "<your-vision-enabled-model-id>"
  AWS_REGION: "<your-aws-region>"
```

```yaml
environment:
  KEEPER_GATEWAY_AI_LLM_PROVIDER: "aws-bedrock"
  KEEPER_GATEWAY_AI_MODEL: "<your-model-id>"
  AWS_REGION: "<your-aws-region>"
```

</details>

<details>

<summary>Anthropic</summary>

**Configuration**

Before you begin, [create an API key in the Anthropic Console](https://console.anthropic.com/settings/keys).

1. Configure the Gateway with the following environment variables for the gateway service in your Docker Compose file:

```yaml
environment:
  KEEPER_GATEWAY_AI_LLM_PROVIDER: "anthropic"
  KEEPER_GATEWAY_AI_API_KEY: "<your-api-key>"
  KEEPER_GATEWAY_AI_MODEL: "<your-vision-enabled-model-id>"
```

</details>

<details>

<summary>Google AI: Gemini</summary>

**Configuration**

Before you begin, [create an API key in the Google AI dashboard](https://aistudio.google.com/apikey).

1. Configure the Gateway with the following environment variables for the gateway service in your Docker Compose file:

```yaml
environment:
  KEEPER_GATEWAY_AI_LLM_PROVIDER: "google-ai"
  KEEPER_GATEWAY_AI_API_KEY: "<your-api-key>"
  KEEPER_GATEWAY_AI_MODEL: "<your-vision-enabled-model-id>"
```

</details>

<details>

<summary>Google: Vertex</summary>

**Configuration Option 1 (Express Mode API Key)**

1. Get an API key from [Vertex AI Console](https://console.cloud.google.com/vertex-ai) → **Get API Key**

```yaml
environment:
  KEEPER_GATEWAY_AI_LLM_PROVIDER: "vertex-ai"
  KEEPER_GATEWAY_AI_MODEL: "<your-vision-enabled-model-id>"
  KEEPER_GATEWAY_AI_LOCATION: "<your-location>"
  KEEPER_GATEWAY_AI_PROJECT_ID: "<your-project-id>"
  KEEPER_GATEWAY_AI_API_KEY: "<your-api-key>"
```

***

**Configuration Option 2 (Service Account Credentials)**

1. Create service account and key:

```bash
gcloud iam service-accounts keys create ~/sa-key.json \
  --iam-account=my-sa@my-project.iam.gserviceaccount.com
```

2. Configure gateway:

```yaml
environment:
  KEEPER_GATEWAY_AI_LLM_PROVIDER: "vertex-ai"
  KEEPER_GATEWAY_AI_MODEL: "<your-vision-enabled-model-id>"
  KEEPER_GATEWAY_AI_LOCATION: "<your-location>"
  KEEPER_GATEWAY_AI_CREDENTIALS: |
    {
      "type": "service_account",
      "project_id": "...",
      "private_key": "...",
      "client_email": "...",
      "client_id": "...",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "...",
      "universe_domain": "googleapis.com"
    }    
```

`KEEPER_GATEWAY_AI_CREDENTIALS` (can be file path, JSON string, or base64-encoded JSON)

</details>

<details>

<summary>Grok</summary>

**Configuration**

Before you begin, [create an API key in the xAI console](https://console.x.ai/).

1. Configure the Gateway with the following environment variables for the gateway service in your Docker Compose file:

```yaml
environment:
  KEEPER_GATEWAY_AI_LLM_PROVIDER: "openai-generic"
  KEEPER_GATEWAY_AI_BASE_URL: "https://api.x.ai"
  KEEPER_GATEWAY_AI_API_KEY: "<your-xAI-api-key>"
  KEEPER_GATEWAY_AI_MODEL: "<your-vision-enabled-model-id>"
```

</details>

<details>

<summary>OpenAI</summary>

**Configuration**

Before you begin, [create an API key in the Open AI Platform dashboard](https://platform.openai.com/api-keys).

1. Configure the Gateway with the following environment variables for the gateway service in your Docker Compose file:

```yaml
environment:
  KEEPER_GATEWAY_AI_LLM_PROVIDER: "openai"
  KEEPER_GATEWAY_AI_API_KEY: "<your-api-key>"
  KEEPER_GATEWAY_AI_MODEL: "<your-vision-enabled-model-id>"
```

</details>

<details>

<summary>Azure OpenAI</summary>

**Configuration**

1. Configure the Gateway with the following environment variables for the gateway service in your Docker Compose file:

{% hint style="info" %}
The [Azure AI Foundry target URI](https://learn.microsoft.com/en-us/azure/ai-foundry/foundry-models/concepts/endpoints?view=foundry-classic\&tabs=python#azure-openai-inference-endpoint) is the unique, regional HTTPS endpoint (`https://<resource-name>.openai.azure.com/openai/deployments/<deployment-name>/chat/completions?api-version=<api-version>`) used to invoke deployed models for inference. It is found in the "Endpoints" section of the [Deployments page](https://ai.azure.com/resource/deployments)
{% endhint %}

```yaml
environment:
  KEEPER_GATEWAY_AI_LLM_PROVIDER: "azure-openai"
  KEEPER_GATEWAY_AI_BASE_URL: "<your-target-uri>"
  KEEPER_GATEWAY_AI_API_KEY: "<your-api-key>"
```

</details>

#### Native Installation Method

<details>

<summary>Windows Installation Instructions</summary>

To configure the environment variables for the Keeper Gateway service on Windows, follow these steps:

Open PowerShell as Administrator and Set the variables at the Machine Scope

```sh
setx KEEPER_GATEWAY_AI_LLM_PROVIDER "<your_provider_name>" /M
setx KEEPER_GATEWAY_AI_BASE_URL "<your-base-url>" /M
setx KEEPER_GATEWAY_AI_API_KEY "<your-api-key>" /M
setx KEEPER_GATEWAY_AI_MODEL "<your-vision-enabled-model-id>" /M
```

Restart the Gateway service so it picks up the new environment:

```
Restart-Service -DisplayName "Keeper Gateway Service"
```

</details>

<details>

<summary>Linux Installation Instructions</summary>

To configure the environment variables for the Keeper Gateway service on Linux, follow these steps:

Edit the `systemd` service file:

```sh
sudo vi /etc/systemd/system/keeper-gateway.service
```

Extend the `Environment=` line with your required environment variables based on the supported LLM Providers above.

```sh
Environment=KEEPER_GATEWAY_AI_LLM_PROVIDER="<your_provider_name>"
Environment=KEEPER_GATEWAY_AI_BASE_URL="<your-base-url>"
Environment=KEEPER_GATEWAY_AI_API_KEY="<your-api-key>"
Environment=KEEPER_GATEWAY_AI_MODEL="<your-vision-enabled-model-id>"
```

Reload the daemon and restart the gateway service

```shell
# reload the daemon
sudo systemctl daemon-reload

# optionally you can validate the environment variables are setup properly
sudo systemctl show keeper-gateway.service | grep Environment=

# restart the keeper gateway service
sudo systemctl restart keeper-gateway.service
```

</details>

{% hint style="warning" %}
**Disclaimer**: AI predictions are inherently probabilistic and may not always be accurate. The selection of LLM providers and models is made at the user's discretion, and KeeperAI cannot guarantee that the AI will fully understand or correctly interpret tasks. Users are encouraged to exercise caution and validate AI outputs as part of their decision-making processes.
{% endhint %}

### Step 3 - PAM Configuration Settings

* Go to Secrets Manager > PAM Configuration
* Select your resource and scroll to the KeeperAI Features section.
* Toggle the setting to enable.

<figure><img src="/files/8TQpAsHHR3bF4JHdrWkP" alt=""><figcaption></figcaption></figure>

### Step 4 - Activating Threat Detection on a Resource

The PAM Machine and PAM Database records support KeeperAI capabilities.

* **Edit PAM Settings** for your selected resource.
* Go to the **Connections** tab.
* Enable all options under **Session Recording**.

<figure><img src="/files/bNTWLe8Qc04KvZCe50BJ" alt=""><figcaption></figcaption></figure>

* Navigate to the **KeeperAI** tab and switch on the **Enable KeeperAI** toggle.

<figure><img src="/files/YfrcHviDRfzfQcFofZ88" alt=""><figcaption></figcaption></figure>

By default, KeeperAI automatically classifies commands into the appropriate [**Risk Level Classifications**](#risk-level-classifications).

To enforce stronger controls, you can enable **Terminate Session** for a given risk level. When active, any command classified at that level will immediately end the session.

### KeeperAI Exceptions & Custom Rules

Use the Exceptions popup to define custom keywords or regex patterns - choose from the provided dropdown examples or enter your own plain text or regex strings. These rules apply on top of the standard KeeperAI Detection policy settings.

* **Monitor**: Allows the action through while still collecting an AI summary.
* **Terminate**: Ends the session immediately on match.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FxV680m7ZTsUBAjCMwrCX%2FScreenshot%202025-08-26%20at%2010.53.12%E2%80%AFAM.png?alt=media&#x26;token=023487e4-8f3b-4fcf-b950-451763ff7859" alt=""><figcaption></figcaption></figure>

#### Risk Level Classifications

KeeperAI will categorize commands into risk levels for threat detection:

* **Critical**: Severe security threats requiring immediate action
* **High**: Significant security concerns that should be addressed promptly
* **Medium**: Potential security issues requiring monitoring
* **Low:** Normal or benign behavior that does not require monitoring

***

### Reviewing Session Summaries

KeeperAI generates AI-powered summaries for each recorded session, helping security teams quickly review and understand user activity. To view a summary, open the options menu for the monitored resource and select **Session Activity**.

1. Access the Session Recordings section in the Vault UI
   1. Right click on the record or click on the options icon `⋮` and select "Session Activity"

Options:

* **Open Analysis**: Click on a session row to launch the Session Analysis popup, showing detailed summaries of each command executed.
* **Playback:** Click the Play button to watch the full session recording in real time.
* **Download:** Use the Download button to save session recording files locally for offline review.

{% hint style="warning" %}
When downloading session recording files locally, please note that these files will be unencrypted and may contain sensitive information. Ensure you store and handle these files securely according to your organization's data protection policies.
{% endhint %}

<figure><img src="/files/Pf8UEWr8s6Tm0Wf6sNdY" alt=""><figcaption><p>Session Activity</p></figcaption></figure>

<figure><img src="/files/zwv4mCx7RElhEDTgbLGx" alt=""><figcaption><p>KeeperAI Session Analysis</p></figcaption></figure>

<figure><img src="/files/YXH9qsbkyeILUkycy2jd" alt=""><figcaption><p>Session Playback</p></figcaption></figure>

***

### SIEM Integration

KeeperAI automatically generates [ARAM events](/keeperpam/privileged-access-manager/references/event-reporting.md) for detected threats and resource configurations, enabling integration with your existing security workflow.

We recommend the following:

* Set up Alerts to send real-time notifications upon the detection of a threat
* Send all event logs to your connected SIEM provider

***

### Review Efficiency

Privileged session review is traditionally a manual, time-intensive task: a reviewer watches session playback - often at or near real time - to identify the commands and actions that carry security or compliance significance. KeeperAI replaces full playback with a structured, per-command summary and risk classification, so reviewers read findings rather than watch footage.

The table below models the reviewer time required to assess a single recorded session, comparing manual playback against review of a KeeperAI summary.

<table><thead><tr><th>Method</th><th width="252.921875">Time to review a 30-min session</th><th>Basis</th></tr></thead><tbody><tr><td>Manual playback (real time)</td><td>~30 min</td><td>1:1 with session duration</td></tr><tr><td>Manual playback (accelerated 1.5–2×)</td><td>~15–20 min</td><td>Faster playback, with pauses to inspect commands</td></tr><tr><td>KeeperAI summary review</td><td>~1–3 min</td><td>Read per-command findings and risk levels</td></tr></tbody></table>

Under this model, KeeperAI represents an estimated **85–95% reduction in reviewer time per session** relative to accelerated manual playback, with the proportional savings increasing as session length grows.

{% hint style="info" %}
**Methodology.** These figures are an analytical estimate, not a measurement of customer environments. Consistent with Keeper's zero-knowledge architecture, Keeper does not inspect customer session contents or reviewer behavior. The model assumes (1) manual review time scales linearly with session duration, (2) accelerated playback yields a 1.5–2× speed-up net of pauses, and (3) summary review time is approximately constant per session regardless of length. Actual results vary with session length, command density, reviewer practice, and organizational policy.
{% endhint %}

#### Why the savings scale

Manual review time grows with session **duration**: a 2-hour session takes roughly four times as long to watch as a 30-minute one. KeeperAI summary review grows with the number of **significant commands**, not wall-clock length, so the longer and more idle-heavy the session, the larger the proportional time saving.

***

## FAQ

#### **Q: Can I use my own LLM model with KeeperAI?**

Yes, KeeperAI supports any provider implementing the OpenAI /chat/completions API endpoint, as long as the model supports both text and image input (multimodal/vision capabilities).

#### **Q: Does KeeperAI work in real-time?**

Yes, KeeperAI analyzes privileged sessions in real-time after each user entry and saves completed session recordings and analysis in encrypted files for later review.

#### **Q: Why do I need a vision-enabled model?**

KeeperAI sends screenshots alongside session text for GUI protocols (RDP, VNC, RBI), so the model must accept image input. SSH, Telnet, and database protocols are text-only, but a multimodal model still works fine for those. When in doubt, pick a model with vision support - it covers all cases.

#### **Q: How does KeeperAI handle sensitive information?**

KeeperAI stores session recordings and analysis in encrypted files. These files can only be decrypted by the customer who has privilege to view session recordings. In a future release, KeeperAI will include enhanced Personally Identifiable Information (PII) detection with options to remove PII before sending to the LLM or remove PII from LLM responses.

#### **Q: How does data flow between the Gateway, LLM provider, and Keeper's systems?**

1. **Gateway ↔ LLM Provider**: The Keeper Gateway communicates directly with your configured LLM provider via encrypted HTTPS to analyze session commands in real-time
2. **Gateway → Keeper**: After receiving the LLM analysis, the Gateway encrypts all session data and analysis results using a unique record key before transmitting to Keeper's endpoint for storage.

#### **Q: Can I run KeeperAI in air-gapped environments?**

Yes, using on-premises LLM deployment with a vision-enabled model, you can interact with a local service instead of third-party or internet-accessible services. Ensure your self-hosted model supports multimodal input (text and images).

#### **Q: What's the expected cost per session analysis?**

Token counts vary by protocol because each uses a different system prompt. Here are the approximate system prompt sizes:

| Protocol           | System prompt tokens |
| ------------------ | -------------------- |
| TUI / SSH / Telnet | \~3,200              |
| GUI / RDP / VNC    | \~3,200              |
| RBI                | \~2,500              |
| KeeperDB           | \~2,500              |

Each user prompt adds roughly 15–50 tokens depending on command length, so a typical per-request total runs **3,500–4,000 tokens**.

For each screenshot sent you can expect  image tokens on top of that. The formula varies by model but a rough estimate is:

<p align="center"><code>image_tokens ≈ (width × height) / 700</code></p>

For the overall session summary at the end the system prompt is around 2,000 tokens for the system message. The user prompt grows with session length - roughly 100 tokens for 10 commands, scaling up from there.

{% hint style="info" %}
Vision-enabled models may have different pricing tiers; consult your LLM provider for multimodal pricing details. Image analysis for RDP/VNC/RBI sessions will incur additional costs based on the number of screen captures analyzed.
{% endhint %}

#### Q: **How do I choose a model?**

Model choice is a tradeoff between speed, accuracy, and cost. Smaller models (4B–20B parameters) are cheaper and faster; larger ones are more accurate but slower and more expensive.

| Model size | Examples          | Tradeoff                                   |
| ---------- | ----------------- | ------------------------------------------ |
| 4B–20B     | Gemma 3 4B, Haiku | Fast, cheap, good for most sessions        |
| 20B–70B    | Haiku, Mistral 7B | Good balance; recommended starting point   |
| 70B–120B+  | Sonnet, GPT-4o    | Higher accuracy; slower and more expensive |

#### Q: How do I verify my model supports vision capabilities?

Consult your LLM provider's documentation to confirm the model supports multimodal input (text and images). Look for keywords like "vision," "multimodal," "image input," or "visual understanding" in the model specifications. If you're unsure, contact <pam@keepersecurity.com> for assistance in selecting an appropriate model.

#### **Q: What data is sent to third-party LLM providers, and how is it protected?**

Command text and reconstructed images (for visual protocols like RDP, VNC, RBI) are sent via encrypted HTTPS to your configured LLM provider. The LLM output response is then encrypted before being saved to Keeper's cloud. All traffic occurs directly from the Gateway to the LLM provider. To maintain zero-knowledge and zero-trust, no traffic is ever sent to Keeper without first being encrypted by your private key.

#### **Q: Can I export threat detection data for compliance reporting?**

Yes, session analysis data can be exported in JSON format from the Session Analysis popup for compliance reporting purposes.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.keeper.io/keeperpam/privileged-access-manager/keeperai.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
