Platform Overview
How Zaun works, and how Reagent and Ember fit together.
Zaun is the security layer for the AI era, delivered as two products that share one connected backbone: Reagent for AI Adoption Security and Ember for Agentic Security Operations.
The Two Products
Reagent - AI Adoption Security
Reagent secures the AI your organization adopts. It discovers every AI tool, agent, and MCP server, assesses vendor risk, holds each tool to a compliant baseline, enforces policy across users and agents, and runs ABBA (Agent and Bot Behavioral Analytics) to catch misuse and compromise.
Ember - Agentic Security Operations
Ember runs your security operations across cloud, endpoint, and identity. It connects every source, unifies the signal, authors detections and runbooks, and investigates and responds at machine speed.
Architecture
+---------------------------------------------------+
| Zaun |
+----------------------+----------------------------+
| Reagent | Ember |
| AI Adoption | Agentic Security |
| Security | Operations |
+-----------+----------+----------+------------------+
| Discovery | Policy | Detection| Investigation |
| + Vendor | + ABBA | +Runbooks| Console |
+-----------+----------+----------+------------------+
| Integration Layer |
+----------+-----------+----------+------------------+
| AI tools | Identity | EDR | Cloud / SaaS |
| (Claude, | (Okta, |(CrowdSt, | (AWS, GCP, |
| ChatGPT,| Entra, | S1, | Azure, SaaS) |
| Copilot)| Google) | Defender)| |
+----------+-----------+----------+------------------+Key Concepts
Detections
Detections are the core of Ember's monitoring. Each detection:
- Maps to a specific threat or risk scenario
- Is backed by a documented runbook
- Produces structured findings with full evidence
- Is tunable per-environment to reduce noise
Runbooks
Every detection has a corresponding runbook that documents:
- What the detection looks for
- Why it matters
- How to investigate a finding
- What remediation steps to take
Runbooks are living documents that adapt as your environment evolves.
ABBA (Agent and Bot Behavioral Analytics)
Reagent baselines normal behavior for every AI identity in your org, then flags policy violations, abuse, compromise, and drift the moment they happen. It is the detection engine for the new class of actor: the agents acting on your team's behalf.
Findings
When a detection fires, it produces a finding that includes:
- Timestamp and source event data
- Investigation trail showing what was analyzed
- Severity and confidence scoring
- Recommended next steps from the runbook
Forward Deployed Engineer (FDE)
Every Zaun deployment comes with a Forward Deployed Engineer (FDE): a dedicated engineer who learns your environment and works alongside Reagent and Ember. Your FDE tunes detections, shapes policy, scopes new coverage, and turns findings into action. The platform runs at machine speed. Your FDE makes sure it runs for your team, your stack, and your threat model.
Data Flow
- Ingestion: Zaun pulls data from your connected sources via APIs and webhooks
- Normalization: Raw events are normalized into a common schema
- Detection: Reagent and Ember run against normalized data
- Enrichment: Findings are enriched with context from multiple sources
- Response: Findings route to your team, with automated containment where you allow it
- Investigation: Full evidence trail available in the investigation console
Security Model
- All data is encrypted in transit and at rest
- SOC 2 Type II compliant
- Role-based access control (RBAC) for all platform features
- Audit logging for all platform actions
- Data retention policies configurable per customer
Next Steps
- Shadow AI / SaaS - AI and SaaS discovery
- Identity + OAuth - Govern OAuth and identity signals
- Integrations - Connect your tools