Documentation

Deploy & run Sablewatch

Everything your team needs to connect Sablewatch, understand how it protects you, and go live — most companies are protected in under ten minutes.

Overview

Sablewatch is an autonomous security team for companies that can't staff a 24/7 Security Operations Center. It continuously watches your identity, devices, and cloud; detects threats; contains them automatically; and explains every decision in plain English.

The operating model is simple and deliberate: automation handles detection and containment, a human approves anything irreversible. Sablewatch will block traffic, lock an account, or quarantine a machine on its own — but it will never take a destructive, hard-to-undo action (like wiping or permanently isolating a production server) without one click of approval from your team.

Sablewatch is designed for IT leads and founders, not just security specialists. If you can connect a Google Workspace account, you can run it.

How Sablewatch works

Sablewatch runs as four layers working together:

  1. Connect. Sablewatch reads your security telemetry through official APIs (identity, cloud, endpoint). Cloud sources need no software installed.
  2. Understand. It baselines what's normal for you, then runs rule-based detection (open Sigma rules), anomaly detection, and an AI analyst that triages and explains each signal.
  3. Respond. On a confirmed threat it contains the blast radius automatically — revoke a session, block an IP, quarantine a file — and prepares any destructive step for your approval.
  4. Console. You get a single pane of glass: live alerts, a global login map, access-review suggestions, and an audit trail of every action taken.

Sablewatch ships cloud-first: you start fully read-only over OAuth in minutes. When you want endpoint protection — virus scanning, firewall control, host isolation — you add the lightweight agent (next section).

Getting started

From signup to protected is four steps and a few minutes. Start your trial at /start, then:

  1. Connect a source. Authorize Google Workspace, Microsoft 365, AWS, or your identity provider with OAuth. Sablewatch requests read-only scopes to begin.
  2. Let Sablewatch baseline. Within a few hours it learns who signs in from where, who can access what, and how your systems normally behave.
  3. Sablewatch watches. From then on it runs autonomously — detecting, scanning, and containing 24/7, with alerts to Slack, Teams, email, or SMS.
  4. You approve the big calls. When a response is destructive, Sablewatch stages it and waits for your one-click approval.

No software is required to get started — cloud and identity sources connect entirely over their official APIs. The agent is only needed for the endpoint features below.

Connecting your systems

There are three ways to connect Sablewatch to your environment — use whichever fits, mix them, and add more over time.

  1. Cloud connectors — no install. Authorize Google Workspace, Microsoft 365, Okta, or AWS over OAuth. Sablewatch reads their sign-in and audit logs through official, read-only APIs. Live in minutes, nothing to deploy.
  2. Push API — your pipeline into Sablewatch. Already run a SIEM, a log shipper, or your own app? POST events straight to our ingestion endpoint with an API key. This is how you wire in a system we don't have a native connector for yet.
  3. Endpoint agent — for on-device actions. Install a lightweight signed agent through your MDM (Jamf, Intune, Kandji) for the parts that must run on the machine: malware scanning, host-firewall control, and network isolation.

Most teams start with a cloud connector for instant identity coverage, then add the push API for their custom apps, and the agent when they want endpoint protection.

API & ingestion

Generate a key in Console → Settings → API keys, then POST batches of events to the ingestion endpoint. Authenticate with a bearer token; every event is automatically scoped to the workspace the key belongs to.

Endpoint

POST https://sablewatch.com/api/ingest
Authorization: Bearer swk_live_xxxxxxxxxxxx
Content-Type: application/json

Ship sign-in events with curl

curl -X POST https://sablewatch.com/api/ingest \
  -H "Authorization: Bearer $SABLEWATCH_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "events": [{
      "user_email": "jane@acme.com",
      "ip": "203.0.113.10",
      "city": "Austin", "country": "United States", "country_code": "US",
      "device": "MacBook Pro",
      "status": "ok",
      "risk": "normal",
      "occurred_at": "2026-06-02T14:05:00Z"
    }]
  }'

Or from Python

import os
import requests

# Ship one sign-in event; the key is read from the environment, never written into source.
resp = requests.post(
    "https://sablewatch.com/api/ingest",
    headers={"Authorization": f"Bearer {os.environ['SABLEWATCH_KEY']}"},
    json={"events": [{"user_email": "jane@acme.com", "status": "ok", "risk": "normal"}]},
    timeout=10,
)
resp.raise_for_status()  # surface a rejected key or malformed batch instead of failing silently

Event fields

  • user_email — who signed in (required)
  • ip, city, country, country_code — where the sign-in came from
  • device — the device or user-agent string
  • status — ok or failed
  • risk — normal, new_device, new_country, or impossible_travel
  • occurred_at — ISO-8601 timestamp

Keys are shown once and stored only as a salted hash — rotate or revoke them anytime in Settings. Ingestion activates once your workspace's service key is configured.
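The field list above is easy to get subtly wrong when a log shipper builds batches by hand (a status of "success", a timestamp that is not ISO-8601, an extra field). The following is an added example, not Sablewatch's own client: it validates each event against the documented fields before anything is sent, so a bad record is reported locally instead of being rejected by the endpoint, and posts the clean batch with the same bearer-token scheme the curl example uses. The sample events are constructed; the `send_batch` helper is the only part that talks to the network.

```python
import os
from datetime import datetime

INGEST_URL = "https://sablewatch.com/api/ingest"
STATUSES = {"ok", "failed"}
RISKS = {"normal", "new_device", "new_country", "impossible_travel"}
KNOWN_FIELDS = set("user_email ip city country country_code device status risk occurred_at".split())

def validate_event(event: dict) -> list:
    """Return the problems with one sign-in event; an empty list means it is valid."""
    problems = []
    if "@" not in str(event.get("user_email", "")):
        problems.append("user_email is required and must be an address")
    if "status" in event and event["status"] not in STATUSES:
        problems.append("status must be 'ok' or 'failed'")
    if "risk" in event and event["risk"] not in RISKS:
        problems.append("risk must be one of " + ", ".join(sorted(RISKS)))
    if "occurred_at" in event:
        try:  # accept a trailing 'Z' on Python versions older than 3.11
            datetime.fromisoformat(str(event["occurred_at"]).replace("Z", "+00:00"))
        except ValueError:
            problems.append("occurred_at must be an ISO-8601 timestamp")
    unknown = sorted(set(event) - KNOWN_FIELDS)
    if unknown:
        problems.append("unknown fields: " + ", ".join(unknown))
    return problems

def build_batch(events: list) -> tuple:  # -> (payload, [(index, problems), ...])
    payload, rejected = {"events": []}, []
    for i, ev in enumerate(events):
        problems = validate_event(ev)
        if problems:
            rejected.append((i, problems))
        else:
            payload["events"].append(ev)
    return payload, rejected

def send_batch(payload: dict, key: str = None, timeout: float = 10.0) -> None:
    import requests  # imported here so validation works without the library installed
    key = key or os.environ["SABLEWATCH_KEY"]  # never hard-code the key in source
    requests.post(INGEST_URL, headers={"Authorization": f"Bearer {key}"},
                  json=payload, timeout=timeout).raise_for_status()  # 4xx/5xx raise

SAMPLE_EVENTS = [  # constructed sample input, not real sign-ins
    {"user_email": "jane@acme.com", "ip": "203.0.113.10", "status": "ok", "occurred_at": "2026-06-02T14:05:00Z"},
    {"user_email": "bob@acme.com", "status": "success"},    # not ok/failed
    {"ip": "198.51.100.7", "status": "failed"},             # missing user_email
    {"user_email": "eve@acme.com", "occurred_at": "yesterday", "uid": 7},  # bad time, unknown field
]
```

Run `payload, rejected = build_batch(SAMPLE_EVENTS)` and only `jane@acme.com` survives; the other three come back with their index and the reason, which is what you want logged on the shipper side rather than a bare 400 from the endpoint.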

Deploying the agent

The optional Sablewatch agent enables the features that must run on a machine: malware scanning, host firewall control, and network isolation. It's a single signed binary, uses minimal resources, and only makes outbound connections.

Install on macOS / Linux:

curl -sSL https://get.sablewatch.com/agent | sudo sh -s -- \
  --org acme --enroll-key wdn_xxxxxxxxxxxx

Install on Windows (PowerShell, admin):

irm https://get.sablewatch.com/agent.ps1 | iex
Install-Sablewatch -Org acme -EnrollKey wdn_xxxxxxxxxxxx

You can push the same one-liner through your MDM (Jamf, Intune, Kandji) to roll it out fleet-wide. Agents appear in the console within seconds of enrolling.

The agent can isolate a host from the network during an active incident. Isolation is reversible from the console in one click, and by default Sablewatch asks for approval before isolating any machine you've tagged as production.

Integrations

Sablewatch reads from the tools you already run — and acts back through them to contain threats (disable an account in Okta, block an IP at the firewall, and so on).

Identity

Okta · Microsoft Entra ID · Google Workspace · Auth0

Cloud

AWS · Microsoft Azure · Google Cloud

Endpoint

Wazuh · osquery · Microsoft Defender · CrowdStrike

Threat intel

VirusTotal · AbuseIPDB · AlienVault OTX

Alerting

Slack · Microsoft Teams · PagerDuty · Email & SMS

Responses & approvals

Every detection is scored by severity and enriched with threat intelligence and an AI analyst summary. Sablewatch then takes the safe, reversible actions automatically:

  • Revoke a suspicious session and lock the account
  • Block a malicious IP or domain at the firewall
  • Quarantine a malicious file and kill its process
  • Enforce step-up MFA on a targeted account

Anything destructive or hard to reverse — isolating a production host, deleting data, disabling a privileged admin — is staged and held behind an approval gate. Your team gets the full context and a one-click Approve or Dismiss. Every action, automatic or approved, is written to an immutable audit log.

Conservative by default: when Sablewatch isn't confident, it alerts rather than acts. You tune the autonomy level per environment as your trust grows.

Security & compliance

Security is the product, so the bar for our own posture is high.

  • Encryption in transit (TLS 1.2+) and at rest for all stored data.
  • Per-customer data isolation — your telemetry is never mingled with another tenant's.
  • Least-privilege by design: Sablewatch requests the minimum scopes needed, read-only until you enable response actions.
  • Revoke any connection at any time; disconnecting stops all access immediately.
  • SOC 2 Type II in progress — the report gates our enterprise rollout.

We're early and honest about it: SOC 2 Type II is underway, not yet complete. If you need the report before connecting production systems, talk to us about timeline and a scoped pilot.

Pricing & trial

Every plan starts with a 30-day free trial with full features and no credit card. Pricing is per employee per month, plus the modules you switch on:

  • Starter — $6 / employee / mo: First real protection for small teams.
  • Business — $14 / employee / mo: Autonomous detection, containment, and access review.
  • Enterprise — Custom: For regulated teams that need it all, with a human on call.


IT & security FAQ

What permissions does Sablewatch need?

Read-only audit/log scopes to start (e.g. Google Workspace Reports, Microsoft 365 audit logs, AWS CloudTrail). Response actions — disabling an account, blocking an IP — require an additional grant you approve explicitly, and can be left off.

What data do you store?

Security-relevant metadata: sign-in events, audit logs, alerts, and the actions Sablewatch takes. We don't ingest the contents of your files, emails, or messages.

Where is our data hosted?

In an isolated, encrypted store in your selected region. Enterprise plans support specific data-residency requirements.

Will the agent slow down our machines?

No — it's a lightweight binary that scans on a schedule and on demand, designed to stay well within normal resource budgets.

How do we offboard?

Disconnect any source in one click to immediately revoke access, and request full deletion of your data at any time. Uninstalling the agent removes it cleanly.

Ready to see it on your own data?

Start a 30-day trial, or attack the live demo first to watch Sablewatch respond.