Documentation

How Sablewatch works

Written for two readers. If you're a business owner or manager, start at the top — it's plain English, no jargon. If you're in IT or engineering, jump to For IT & developers for the technical details, APIs, and setup guides.

What is Sablewatch?

Think of Sablewatch as a security guard for your company's computers and online accounts — one that never sleeps, never takes a break, and works for a fraction of the cost of hiring a security team.

Most attacks happen through everyday things: someone's password gets stolen, a laptop catches a virus, or a stranger tries to break into an account. Sablewatch watches for all of that 24/7. The moment it spots something wrong, it steps in and stops it — then leaves you a clear, plain-English note explaining what happened and what it did.

Here's the important part: Sablewatch handles the routine stuff on its own, but for any big, can't-undo decision (like cutting a server off the network), it pauses and asks you first. You're always in control — it just does the heavy lifting.

You don't need to be technical to use Sablewatch. If you can sign in to Gmail, you can run it. The setup is mostly clicking "Connect."

How it keeps you safe

Sablewatch does six jobs for you, all at once:

  • Catches break-ins — if someone signs in from a strange place or steals a password, it locks things down fast.
  • Scans for viruses — it checks your computers for malware and quarantines anything dangerous.
  • Checks who can access what — it flags people who can reach things they shouldn't, and suggests the fix.
  • Acts as a firewall — it blocks bad internet traffic before it can reach you.
  • Tracks where people log in from — you see every sign-in on a map, and get warned about odd ones.
  • Stops password guessing — if an attacker tries password after password, it shuts them out.

You don't configure any of this by hand. Sablewatch learns what "normal" looks like for your company in the first few hours, then quietly watches for anything that isn't.

Get protected in 3 steps

  1. 1Create your account. Go to /start and sign up — it's free for 30 days and takes about a minute. No credit card.
  2. 2Connect one tool. In Connections, click Connect on something you already use (like Google Workspace or Microsoft 365) and approve it. That's it — nothing to install.
  3. 3Let it watch. Sablewatch starts protecting you right away. Check the Overview page now and then, and act on anything it flags. You're done.

That's genuinely all most companies need. Everything else in this guide is optional depth for when you want it.

Your console, screen by screen

When you log in, you get a menu down the left side. Here's what every screen is for, in plain English — so you always know where to look.

Overview
Your home screen. A single security score out of 100 and the day's headlines. Glance here first each morning.
Insights
The trends. Charts showing whether your security is improving — threats blocked and sign-ins over the last two weeks.
Threats
Anything suspicious it caught. Red means it needs you. Click 'Approve fix' to let it resolve, or 'Dismiss' if it's a false alarm.
Access review
Who can open what. It flags people with access they probably shouldn't have, and lets you remove it in one click.
Identity & logins
Every sign-in and where in the world it came from. It warns you about impossible travel and logins from new countries.
Assets
A simple inventory of your people and devices.
Antivirus
Virus and malware scans of your devices. 'Quarantined' means a dangerous file was caught and safely locked away.
Firewall
The bad internet traffic it blocked for you — known-bad addresses, scans, and malware phoning home.
Automations
The 'robots' that respond for you. Each one handles a type of threat. You can switch any on or off.
Policies
The rules. Choose how aggressive Sablewatch should be, and where to send you alerts (email or Slack).
Activity log
A complete history of everything Sablewatch and your team did. Nothing is hidden — great for trust and audits.
Compliance
How ready you are for standards like SOC 2. You can export a report.
Reports
A clean one-page summary you can print or send to your boss or board.
Team
Invite coworkers and see who's on your workspace.
Connections
Connect your tools (Google, Microsoft, and more) so Sablewatch can watch them. Start here on day one.
Settings
Your workspace name, your account, and developer API keys.

When you get an alert

Sablewatch emails or messages you when something matters. Don't panic — here's the simple routine:

  1. 1Open the Threats page. The alert links straight to it. The most urgent items are at the top, marked red.
  2. 2Read the plain-English summary. Each threat explains what happened, what Sablewatch already did to contain it, and what it recommends next.
  3. 3Decide. If it looks right, click 'Approve fix' and Sablewatch finishes the job. If it's harmless (say, you really were travelling), click 'Dismiss'.
  4. 4That's it. Everything you do is logged in Activity, so there's always a record.

Good news: by the time you see most alerts, Sablewatch has already contained the danger. Your click usually just confirms the cleanup or approves a bigger step.

Security terms, plain English

Threat / alert
Something suspicious Sablewatch noticed and is warning you about.
Contain / quarantine
Safely lock the dangerous thing away so it can't spread — like putting a sick patient in isolation.
Malware / virus
Harmful software that sneaks onto a device to steal data or cause damage.
Brute-force
An attacker guessing passwords over and over until one works.
Impossible travel
The same account signing in from two far-apart places too quickly to be real — a sign the password was stolen.
MFA
Multi-factor authentication — a second check (like a phone code) on top of a password.
Least privilege
Giving each person access to only what their job needs — nothing extra.
Firewall
A filter that blocks bad internet traffic from reaching you.
SOC 2
A widely-trusted security audit that large customers often ask vendors to pass.
Autonomy level
How much Sablewatch is allowed to do on its own before asking you.

How Sablewatch works

Sablewatch runs as four layers working together:

  1. 1Connect. Sablewatch reads your security telemetry through official APIs (identity, cloud, endpoint). Cloud sources need no software installed.
  2. 2Understand. It baselines what's normal for you, then runs rule-based detection (open Sigma rules), anomaly detection, and an AI analyst that triages and explains each signal.
  3. 3Respond. On a confirmed threat it contains the blast radius automatically — revoke a session, block an IP, quarantine a file — and prepares any destructive step for your approval.
  4. 4Console. You get a single pane of glass: live alerts, a global login map, access-review suggestions, and an audit trail of every action taken.

Sablewatch ships cloud-first: you start fully read-only over OAuth in minutes. When you want endpoint protection — virus scanning, firewall control, host isolation — you add the lightweight agent (see Deploying the agent below).

What the detection engine catches today

  • Brute-force — many failed sign-ins against one account
  • Password spray — one source hitting many accounts
  • Account takeover — failed sign-ins followed by a success
  • Impossible travel — one account, two countries, minutes apart
  • New-country & new-device sign-in — first-time location or device for a user (UEBA)
  • Dormant-account reactivation — a long-idle account suddenly signs in
  • Off-hours admin — a privileged account active in the small hours
  • Malware — a quarantined device; multiple hits escalate to a persistent infection or an outbreak
  • Malicious traffic — repeated blocked connections from one source

Rules run the instant telemetry arrives and respect your autonomy level: reversible containment is applied automatically (and logged); destructive steps wait for your approval. The rule set grows continuously — and you can pipe in your own via the API.

Connecting your systems

There are three ways to connect Sablewatch to your environment — use whichever fits, mix them, and add more over time.

  1. 1Cloud connectors — no install. Authorize Google Workspace, Microsoft 365, Okta, or AWS over OAuth. Sablewatch reads their sign-in and audit logs through official, read-only APIs. Live in minutes, nothing to deploy.
  2. 2Push API — your pipeline into Sablewatch. Already run a SIEM, a log shipper, or your own app? POST events straight to our ingestion endpoint with an API key. This is how you wire in a system we don't have a native connector for yet.
  3. 3Endpoint agent — for on-device actions. Install a lightweight signed agent through your MDM (Jamf, Intune, Kandji) for the parts that must run on the machine: malware scanning, host-firewall control, and network isolation.

Most teams start with a cloud connector for instant identity coverage, then add the push API for their custom apps, and the agent when they want endpoint protection.

Connector setup guides

Exact steps for each cloud connector. You create an app on the vendor side, grant a read-only audit scope, add the credentials — then click Connect.

Google Workspace

  1. 1Create OAuth credentials. Google Cloud Console → APIs & Services → Credentials → OAuth client ID (Web application).
  2. 2Enable the Admin SDK. Turn on the Admin SDK API for the project (Reports / audit activity).
  3. 3Add the redirect URI. https://sablewatch.com/api/connect/google_workspace/callback
  4. 4Grant the scope. admin.reports.audit.readonly — read-only sign-in and audit activity.
  5. 5Add credentials. Set GOOGLE_CLIENT_ID + GOOGLE_CLIENT_SECRET, then click Connect.

Microsoft 365 / Entra ID

  1. 1Register an app. Entra ID → App registrations → New registration.
  2. 2Add the redirect URI. https://sablewatch.com/api/connect/microsoft_365/callback
  3. 3Grant Graph permissions. AuditLog.Read.All + Directory.Read.All, then grant admin consent.
  4. 4Create a client secret. Certificates & secrets → New client secret.
  5. 5Add credentials. Set MS_CLIENT_ID + MS_CLIENT_SECRET (and MS_TENANT for single-tenant apps).

Okta

  1. 1Create an OIDC web app. Okta Admin → Applications → Create App Integration → OIDC, Web.
  2. 2Add the redirect URI. https://sablewatch.com/api/connect/okta/callback
  3. 3Grant the scope. okta.logs.read — the System Log API.
  4. 4Add credentials. Set OKTA_CLIENT_ID, OKTA_CLIENT_SECRET, and OKTA_DOMAIN (e.g. acme.okta.com).

AWS

  1. 1Create a cross-account IAM role. Trust the Sablewatch account with an external ID — no access keys to share.
  2. 2Grant read access. Read-only on CloudTrail (optionally GuardDuty findings).
  3. 3Add the role. Set AWS_ROLE_ARN + AWS_EXTERNAL_ID. Sablewatch assumes the role to read your trail.

Every connector is read-only to begin. Response actions (disable a user, block an IP) need a separate, explicit grant you can leave off.

API & ingestion

Generate a key in Console → Settings → API keys, then POST batches of events to the ingestion endpoint. Authenticate with a bearer token; every event is automatically scoped to the workspace the key belongs to.

Endpoint

POST https://sablewatch.com/api/ingest
Authorization: Bearer swk_live_xxxxxxxxxxxx
Content-Type: application/json

Ship sign-in events with curl

curl -X POST https://sablewatch.com/api/ingest \
  -H "Authorization: Bearer $SABLEWATCH_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "events": [{
      "user_email": "jane@acme.com",
      "ip": "203.0.113.10",
      "city": "Austin", "country": "United States", "country_code": "US",
      "device": "MacBook Pro",
      "status": "ok",
      "risk": "normal",
      "occurred_at": "2026-06-02T14:05:00Z"
    }]
  }'

Or from Python

import os, requests
requests.post(
    "https://sablewatch.com/api/ingest",
    headers={"Authorization": f"Bearer {os.environ['SABLEWATCH_KEY']}"},
    json={"events": [{"user_email": "jane@acme.com", "status": "ok", "risk": "normal"}]},
)

Event fields

  • user_email — who signed in (required)
  • ip, city, country, country_code — where the sign-in came from
  • device — the device or user-agent string
  • status — ok or failed
  • risk — normal, new_device, new_country, or impossible_travel
  • occurred_at — ISO-8601 timestamp

Keys are shown once and stored only as a salted hash — rotate or revoke them anytime in Settings. Ingestion activates once your workspace's service key is configured.

Deploying the agent

The optional Sablewatch agent enables the features that must run on a machine: malware scanning, host firewall control, and network isolation. It's a single signed binary, uses minimal resources, and only makes outbound connections.

Install on macOS / Linux:

curl -sSL https://get.sablewatch.com/agent | sudo sh -s -- \
  --org acme --enroll-key wdn_xxxxxxxxxxxx

Install on Windows (PowerShell, admin):

irm https://get.sablewatch.com/agent.ps1 | iex; \
Install-Sablewatch -Org acme -EnrollKey wdn_xxxxxxxxxxxx

You can push the same one-liner through your MDM (Jamf, Intune, Kandji) to roll it out fleet-wide. Agents appear in the console within seconds of enrolling.

The agent can isolate a host from the network during an active incident. Isolation is reversible from the console in one click, and by default Sablewatch asks for approval before isolating any machine you've tagged as production.

Alerts & notifications

When Sablewatch detects or contains something, it notifies your team through the channels you switch on in Console → Policies.

  • Email — a plain-English summary of every critical event, to your team.
  • Slack / Microsoft Teams — critical events posted to a channel via an incoming webhook.
  • PagerDuty — page on-call for the highest-severity incidents.
  • Webhook — the full event POSTed to your own endpoint or SIEM for custom routing.

Every alert links back to the incident in the console, where you approve or dismiss the response. Per-severity routing and quiet hours are configurable per workspace.

Branded email uses your own SMTP (Resend, SendGrid, or SES) so alerts come from your domain, not ours.

Integrations

Sablewatch reads from the tools you already run — and acts back through them to contain threats (disable an account in Okta, block an IP at the firewall, and so on).

Identity

Okta · Microsoft Entra ID · Google Workspace · Auth0

Cloud

AWS · Microsoft Azure · Google Cloud

Endpoint

Wazuh · osquery · Microsoft Defender · CrowdStrike

Threat intel

VirusTotal · AbuseIPDB · AlienVault OTX

Alerting

Slack · Microsoft Teams · PagerDuty · Email & SMS

Responses & approvals

Every detection is scored by severity and enriched with threat intelligence and an AI analyst summary. Sablewatch then takes the safe, reversible actions automatically:

  • Revoke a suspicious session and lock the account
  • Block a malicious IP or domain at the firewall
  • Quarantine a malicious file and kill its process
  • Enforce step-up MFA on a targeted account

Anything destructive or hard to reverse — isolating a production host, deleting data, disabling a privileged admin — is staged and held behind an approval gate. Your team gets the full context and a one-click Approve or Dismiss. Every action, automatic or approved, is written to an immutable audit log.

Conservative by default: when Sablewatch isn't confident, it alerts rather than acts. You tune the autonomy level per environment as your trust grows.

Automations & playbooks

Sablewatch ships with a library of response playbooks — named detect→respond automations that run on their own. You manage them in the console under Automations, where each shows its trigger, the exact steps it takes, how many times it has fired, and whether it acts fully autonomously or waits for your approval.

  • Impossible travel → revoke session, force password reset, re-enroll MFA
  • Malware detected → kill process, quarantine file, isolate host (on approval)
  • Brute-force / password spray → block source IP, lock accounts, step-up MFA
  • Outbound C2 callback → block at the firewall, flag the device, open an incident
  • Risky OAuth grant → revoke the grant and notify the owner
  • Standing over-privilege → prepare a least-privilege fix, apply on approval

Playbooks respect your global autonomy level (set in Policies): Monitor alerts only, Balanced auto-runs reversible steps and gates destructive ones, and Aggressive widens what it will do without asking. Any step marked on approval is always staged and held for a human — Sablewatch never takes an irreversible action on its own.

Pausing a playbook stops Sablewatch from acting on that trigger — you'll still be alerted, so you never lose visibility, only the automatic response.

Security & compliance

Security is the product, so the bar for our own posture is high.

  • Encryption in transit (TLS 1.2+) and at rest for all stored data.
  • Per-customer data isolation — your telemetry is never mingled with another tenant's.
  • Least-privilege by design: Sablewatch requests the minimum scopes needed, read-only until you enable response actions.
  • Revoke any connection at any time; disconnecting stops all access immediately.
  • SOC 2 Type II in progress — the report gates our enterprise rollout.

We're early and honest about it: SOC 2 Type II is underway, not yet complete. If you need the report before connecting production systems, talk to us about timeline and a scoped pilot.

Pricing & trial

Every plan starts with a 30-day free trial with full features and no credit card. Pricing is per employee per month, plus the modules you switch on:

  • Starter — $6 / employee / mo: First real protection for small teams.
  • Business — $14 / employee / mo: Autonomous detection, containment, and access review.
  • Enterprise — Custom: For regulated teams that need it all, with a human on call.

See the full pricing breakdown →

Troubleshooting

A connector says it isn't configured yet.

The provider's OAuth credentials haven't been added to the deployment. Add the env vars listed in its setup guide above, then click Connect again.

My API call returns a 'set service key' message.

Ingestion needs SUPABASE_SERVICE_ROLE_KEY configured on the deployment. Once it's set, POST /api/ingest with your bearer key works.

I get a 401 from the ingest API.

Make sure the Authorization header is your API key prefixed with "Bearer ", and that the key hasn't been revoked in Settings → API keys.

A new teammate landed in their own empty workspace.

They signed up before being invited. Invite their email in Team, then have them re-sign-up — the invite auto-joins them to your workspace instead of creating a new one.

A sign-in confirmation email never arrived.

Check spam, and confirm the auth Site URL is set to your domain. You can also disable email confirmation for instant trials.

IT & security FAQ

What permissions does Sablewatch need?

Read-only audit/log scopes to start (e.g. Google Workspace Reports, Microsoft 365 audit logs, AWS CloudTrail). Response actions — disabling an account, blocking an IP — require an additional grant you approve explicitly, and can be left off.

What data do you store?

Security-relevant metadata: sign-in events, audit logs, alerts, and the actions Sablewatch takes. We don't ingest the contents of your files, emails, or messages.

Where is our data hosted?

In an isolated, encrypted store in your selected region. Enterprise plans support specific data-residency requirements.

Will the agent slow down our machines?

No — it's a lightweight binary that scans on a schedule and on demand, designed to stay well within normal resource budgets.

How do we offboard?

Disconnect any source in one click to immediately revoke access, and request full deletion of your data at any time. Uninstalling the agent removes it cleanly.

Can we sign in with Google or SSO?

Yes — "Continue with Google" is on the login and signup screens. For enterprise single sign-on with your own identity provider (Okta, Microsoft Entra, etc.) via SAML, talk to us — it's available on Enterprise.

Ready to see it on your own data?

Start a 30-day trial, or attack the live demo first to watch Sablewatch respond.