# KeeperAI

## Overview KeeperAI is an agentic service that provides AI-powered security features including threat detection, anomaly detection, privileged session visual summaries, and context-aware analysis. KeeperAI is embedded into the Keeper Gateway and enhances key functional areas across the Keeper platform, including privileged sessions and KeeperDB. ## Key Features * **Automated Session Analysis**: Analyze session metadata, keystroke logs, visual interaction and command execution logs to detect unusual behavior * **Threat Classification**: Automatically categorize detected threats and assign risk levels, generate alerts and push events to connected SIEM provider. * **Database administration**: Assists within KeeperDB database sessions with query generation, optimization, data science workflows, human-in-the-loop query approvals, and context-aware analysis. * **Flexible Deployment**: Support for both third-party, cloud-based, and on-premises LLM inference * **Customizable Configuration**: Adjust risk parameters and detection rules to your environment Video Overview: {% embed url="" %} KeeperAI Threat Detection for Privileged Sessions {% endembed %} KeeperAI Product Page: {% embed url="" %} ## Security Model The KeeperAI agent executes on the Keeper Gateway which is hosted by the customer and communicates directly to the customer's preferred AI provider such as OpenAI, Anthropic, AWS Bedrock or any self-hosted LLM. The security model of the KeeperPAM platform preserves zero knowledge while offering oversight of all user interactions with privileged resources.

## Supported Protocols The KeeperAI agent is operates on both visual interaction and text that the user types during a privileged session. All of the KeeperPAM connection protocols are supported, including: * RDP * VNC * SSH * Databases * Remote Browser Isolation (RBI) * Kubernetes * Telnet ### **Screenshots** #### **RDP to a Windows Domain Controller**

#### **VNC to a Linux Server**

#### **SSH to a Linux Server**

#### RBI - Loading the AWS Console

#### **KeeperDB - MySQL Session**

#### KeeperDB - AI Assistant KeeperAI assists with queries and data science tasks inside KeeperDB. Read-only analysis can run directly, while queries that modify data require human approval. Responses stay grounded in the active schema and session context.

*** ## **KeeperAI Setup** ### Step 1 - Update the Keeper Gateway The Keeper Gateway works with your AI provider. Ensure that you are running version 1.8.0 or newer. For detailed setup instructions, [follow this guide](/keeperpam/privileged-access-manager/getting-started/gateways.md). ### Step 2 - LLM Integration KeeperAI leverages Large Language Models (LLMs) to power its threat detection capabilities. The Keeper Gateway communicates with any LLM of your choice to analyze session data and generate intelligent security insights. This integration is fundamental to KeeperAI's ability to detect suspicious patterns and provide detailed session summaries. {% hint style="warning" %} **Disclaimer**: AI predictions are inherently probabilistic and may not always be accurate. The selection of LLM providers and models is made at the user's discretion, and KeeperAI cannot guarantee that the AI will fully understand or correctly interpret tasks. Users are encouraged to exercise caution and validate AI outputs as part of their decision-making processes. {% endhint %} KeeperAI is designed to work with multiple LLM providers, giving you flexibility in your deployment. Self-hosted and cloud-based LLMs are compatible. #### Docker Installation Method

OpenAI-Compatible API

Support for any API providers implementing that use OpenAI’s request and response formats for the `/chat/completions` endpoint. **Configuration** 1. Ensure your Gateway has the appropriate permissions to access the LLM service 2. Configure the Gateway with the following environment variables for the gateway service in your Docker Compose file: ```yaml environment: KEEPER_GATEWAY_AI_LLM_PROVIDER: "openai-generic" KEEPER_GATEWAY_AI_BASE_URL: "" KEEPER_GATEWAY_AI_API_KEY: "" KEEPER_GATEWAY_AI_MODEL: "" ``` {% hint style="info" %} The `KEEPER_GATEWAY_AI_BASE_URL` **must** include a valid protocol prefix (`http://` or `https://`). If the protocol is missing, Keeper Gateway will throw a configuration error during startup. For example: ✅ `https://your-llm-provider.com/v1`\ ❌ `your-llm-provider.com/v1` {% endhint %} A non-exhaustive list of providers you can use:

Inference Provider	Resources	Infrastructure
Ask Sage	Ask Sage	SaaS, Self-Hosted
Azure AI Foundry	Azure AI Foundry	SaaS
Cohere	Cohere	SaaS, Self-Hosted
Cerebras	Cerebras	SaaS
Fireworks AI	Fireworks AI	SaaS
Featherless AI	Featherless AI	SaaS
Groq	Groq	SaaS
Grok	Grok	SaaS
Hyperbolic	Hyperbolic	SaaS
Hugging Face	Hugging Face	SaaS
Keywords AI	Keywords AI	SaaS, Self-Hosted
LiteLLM	LiteLLM	SaaS, Self-Hosted
LM Studio	LM Studio	Self-Hosted
Nebius	Nebius	SaaS
Novita	Novita	SaaS
NScale	NScale	SaaS
Ollama	Ollama	SaaS, Self-Hosted
OpenRouter	OpenRouter	SaaS
SambaNova	SambaNova	SaaS
Tinfoil	Tinfoil	SaaS
TogetherAI	TogetherAI	SaaS
Unify AI	Unify AI	SaaS, Self-Hosted
Vercel AI Gateway	Vercel AI Gateway	SaaS
vLLM	vLLM	Self-Hosted

AWS Bedrock

You can get started quickly, privately customize foundation models with your own data, and easily and securely integrate and deploy them into your applications using AWS tools without having to manage any infrastructure. **Configuration** 1. Ensure that the IAM role for the Gateway has the `AmazonBedrockFullAccess` policy attached 2. [Request access](https://docs.aws.amazon.com/bedrock/latest/userguide/getting-started.html#getting-started-model-access) through AWS Console to an Amazon Bedrock foundation model 3. Select a model from the [supported list](https://docs.aws.amazon.com/bedrock/latest/userguide/models-supported.html) and note the corresponding model ID. 4. Configure the Gateway with the following environment variables for the gateway service in your Docker Compose file: ```yaml environment: KEEPER_GATEWAY_AI_LLM_PROVIDER: "aws-bedrock" KEEPER_GATEWAY_AI_MODEL: "" AWS_REGION: "" ```

Anthropic

**Configuration** Before you begin, [create an API key in the Anthropic Console](https://console.anthropic.com/settings/keys). 1. Configure the Gateway with the following environment variables for the gateway service in your Docker Compose file: ```yaml environment: KEEPER_GATEWAY_AI_LLM_PROVIDER: "anthropic" KEEPER_GATEWAY_AI_API_KEY: "" KEEPER_GATEWAY_AI_MODEL: "" ```

Google AI: Gemini

**Configuration** Before you begin, [create an API key in the Google AI dashboard](https://aistudio.google.com/apikey). 1. Configure the Gateway with the following environment variables for the gateway service in your Docker Compose file: ```yaml environment: KEEPER_GATEWAY_AI_LLM_PROVIDER: "google-ai" KEEPER_GATEWAY_AI_API_KEY: "" KEEPER_GATEWAY_AI_MODEL: "" ```

Google: Vertex

You need to use an account with a `ProjectID` that has been authorized to use Vertex. When administering your Google Cloud account, be sure to enable Vertex, and specify your project’s ID when authenticating with `gcloud auth`: ```sh gcloud auth application-default login --project MY_PROJECT_ID ``` * If you’re using Google Cloud [application default credentials](https://cloud.google.com/docs/authentication/application-default-credentials), you can expect authentication to work out of the box. * Setting [`options.credentials`](https://docs.boundaryml.com/ref/llm-client-providers/google-vertex#credentials) will take precedence and force `vertex-ai` to load service account credentials from that file path. **Configuration** 1. Configure the Gateway with the following environment variables for the gateway service in your Docker Compose file: ```yaml environment: KEEPER_GATEWAY_AI_LLM_PROVIDER: "vertex-ai" KEEPER_GATEWAY_AI_MODEL: "" KEEPER_GATEWAY_AI_LOCATION: "" ```

OpenAI

**Configuration** Before you begin, [create an API key in the Open AI Platform dashboard](https://platform.openai.com/api-keys). 1. Configure the Gateway with the following environment variables for the gateway service in your Docker Compose file: ```yaml environment: KEEPER_GATEWAY_AI_LLM_PROVIDER: "openai" KEEPER_GATEWAY_AI_API_KEY: "" KEEPER_GATEWAY_AI_MODEL: "" ```

Azure OpenAI

**Configuration** 1. Configure the Gateway with the following environment variables for the gateway service in your Docker Compose file: ```yaml environment: KEEPER_GATEWAY_AI_LLM_PROVIDER: "azure-openai" KEEPER_GATEWAY_AI_RESOURCE_NAME: "" KEEPER_GATEWAY_AI_DEPLOYMENT_ID: "" KEEPER_GATEWAY_AI_API_VERSION: "" KEEPER_GATEWAY_AI_API_KEY: "" ```

#### Native Installation Method

Windows Installation Instructions

To configure the environment variables for the Keeper Gateway service on Windows, follow these steps: Open PowerShell as Administrator and Set the variables at the Machine Scope ```sh setx KEEPER_GATEWAY_AI_LLM_PROVIDER "" /M setx KEEPER_GATEWAY_AI_BASE_URL "" /M setx KEEPER_GATEWAY_AI_API_KEY "" /M setx KEEPER_GATEWAY_AI_MODEL "" /M ``` Restart the Gateway service so it picks up the new environment: ``` Restart-Service -DisplayName "Keeper Gateway Service" ```

Linux Installation Instructions

To configure the environment variables for the Keeper Gateway service on Linux, follow these steps: Edit the `systemd` service file: ```sh sudo vi /etc/systemd/system/keeper-gateway.service ``` Extend the `Environment=` line with your required environment variables based on the supported LLM Providers above. ```sh Environment=KEEPER_GATEWAY_AI_LLM_PROVIDER="" Environment=KEEPER_GATEWAY_AI_BASE_URL="" Environment=KEEPER_GATEWAY_AI_API_KEY="" Environment=KEEPER_GATEWAY_AI_MODEL="" ``` Reload the daemon and restart the gateway service ```shell # reload the daemon sudo systemctl daemon-reload # optionally you can validate the environment variables are setup properly sudo systemctl show keeper-gateway.service | grep Environment= # restart the keeper gateway service sudo systemctl restart keeper-gateway.service ```

### Step 3 - PAM Configuration Settings * Go to Secrets Manager > PAM Configuration * Select your resource and scroll to the KeeperAI Features section. * Toggle the setting to enable.

### Step 4 - Activating Threat Detection on a Resource The PAM Machine and PAM Database records support KeeperAI capabilities. * **Edit PAM Settings** for your selected resource. * Go to the **Connections** tab. * Enable all options under **Session Recording**.

* Navigate to the **KeeperAI** tab and switch on the **Enable KeeperAI** toggle.

By default, KeeperAI automatically classifies commands into the appropriate **Risk Level** categories. To enforce stronger controls, you can enable **Terminate Session** for a given risk level. When active, any command classified at that level will immediately end the session. ### KeeperAI Exceptions & Custom Rules For terminal-based connections, use the **Exceptions** pop-up to customize how specific keywords or patterns are classified. Add from the provided dropdown examples, or enter your own plain text or regex strings.

*** ### Reviewing Session Summaries KeeperAI generates AI-powered summaries for each recorded session, helping security teams quickly review and understand user activity. To view a summary, open the options menu for the monitored resource and select **Session Activity**. 1. Access the Session Recordings section in the Vault UI 1. Right click on the record or click on the options icon `⋮` and select "Session Activity" 2. Click on a session row with KeeperAI analysis to open the Session Analysis popup for detailed summaries of each command executed during the session 3. Click on the play button to watch the session recording to see session playback in realtime 4. Click on the download button to save the session recording files locally {% hint style="warning" %} When downloading session recording files locally, please note that these files will be unencrypted and may contain sensitive information. Ensure you store and handle these files securely according to your organization's data protection policies. {% endhint %}

* **Open Analysis**: Click on a session row to launch the Session Analysis popup, showing detailed summaries of each command executed. * **Playback:** Click the Play button to watch the full session recording in real time. * **Download:** Use the Download button to save session recording files locally for offline review. {% hint style="warning" %} When downloading session recording files locally, please note that these files will be unencrypted and may contain sensitive information. Ensure you store and handle these files securely according to your organization's data protection policies. {% endhint %} #### Notes * By default AI will make its best effort to classify commands into proper Risk Levels categories * Enable "Terminate Session" for a risk level if you wish to allow classified commands to trigger a session termination for the selected risk level * If you have specific pattern-matching keywords you may open the Exceptions popup to customize the risk level classification and policy on detection #### Risk Classifications KeeperAI will categorize commands into risk levels for threat detection: * **Critical**: Severe security threats requiring immediate action * **High**: Significant security concerns that should be addressed promptly * **Medium**: Potential security issues requiring monitoring * **Low:** Normal or benign behavior that does not require monitoring *** ### SIEM Integration KeeperAI automatically generates [ARAM events](/keeperpam/privileged-access-manager/references/event-reporting.md) for detected threats and resource configurations, enabling integration with your existing security workflow. We recommend the following: * Set up Alerts to send realtime notifications upon the detection of a threat * Send all event logs to your connected SIEM provider *** ## FAQ **Q: Can I use my own LLM model with KeeperAI?**\ A: Yes, KeeperAI supports any provider implementing the OpenAI `/chat/completions` API endpoint **Q: Does KeeperAI work in real-time?**\ A: Yes, KeeperAI analyzes privileged sessions in real-time after each user entry and saves completed session recordings and analysis in encrypted files for later review. **Q: How does KeeperAI handle sensitive information?**\ A: KeeperAI stores session recordings and analysis in encrypted files. These files can only be decrypted by the customer who has privilege to view session recordings. In a future release, KeeperAI will include enhanced Personally Identifiable Information (PII) detection with options to remove PII before sending to the LLM or remove PII from LLM responses. **Q: How does data flow between the Gateway, LLM provider, and Keeper's systems?**\ A: KeeperAI uses a secure, multi-step communication flow to ensure data privacy and security:\ 1\. Gateway ↔ LLM Provider: The Keeper Gateway communicates directly with your configured LLM provider via encrypted HTTPS to analyze session commands in real-time\ 2\. Gateway → Keeper: After receiving the LLM analysis, the Gateway encrypts all session data and analysis results using a unique record key before transmitting to Keeper's endpoint for storage. **Q: Can I run KeeperAI in air-gapped environments?**\ A: Yes, using on-premises LLM deployment, you can interact with a local service instead of third-party or internet-accessible services. **Q: What's the expected cost per session analysis?**\ A: To help calculate costs, our risk analysis prompts used for each command are approximately 550 tokens and final summary prompts that summarize all commands are around 400 tokens, excluding user input command context. Additional tokens will be used depending on the context and length of the input commands. **Q: What data is sent to third-party LLM providers, and how is it protected?**\ A: Command text is sent via encrypted HTTPS to your configured LLM provider. The LLM response is then encrypted before being saved to Keeper's cloud. All traffic occurs directly from the Gateway to the LLM provider. To maintain zero-knowledge and zero-trust no traffic is ever sent to Keeper without first being encrypted by your private key. **Q: Can I export threat detection data for compliance reporting?**\ A: Yes, session analysis data can be exported in JSON format from the Session Analysis popup for compliance reporting purposes. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keeper.io/keeperpam/privileged-access-manager/keeperai.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.