Built for AI Agents
TeamSentry exposes security monitoring as MCP tools and REST APIs, so your AI agents can monitor risks, triage incidents, and protect your organization autonomously.
10+ Tools for Claude & Any LLM
Each tool returns structured data with natural-language summaries, optimized for AI agent reasoning.
Get a high-level security summary for the organization including risk distribution, open incidents, and AI usage stats.
Get detailed risk profile for a specific user including risk score, active rules, behavioral anomalies, and recent activity.
List all users above a specified risk threshold, sorted by risk score descending. Useful for triage workflows.
Search users by name, email, department, or risk level. Supports pagination and flexible filtering.
List security incidents with filtering by status, severity, and date range. Returns threat chain context.
Get full details for a specific incident including timeline, affected users, triggered rules, and recommended actions.
Update the status of an incident. Allows agents to triage and close incidents programmatically.
Get AI tool usage analytics across the organization. Track Gemini, ChatGPT, Claude, and other AI tool adoption.
List all third-party apps connected to the workspace, with risk assessment and permission scopes.
View and manage the trusted contacts list. Add or remove external domains and email addresses.
Integrate in Minutes
Connect via MCP for AI-native workflows, use the REST API for automation, or subscribe to webhooks for real-time events.
Add TeamSentry to your Claude Desktop config to give Claude access to your security data. Get your API key from app.teamsentry.ai under Agent API settings.
{
"mcpServers": {
"teamsentry": {
"url": "https://api.teamsentry.ai/mcp",
"headers": {
"Authorization": "Bearer tsk_live_your_api_key_here"
}
}
}
}
Use the REST API with your API key as a Bearer token. All endpoints return JSON with a summary field for LLM consumption.
# Get organization security overview curl -X GET https://api.teamsentry.ai/v1/overview \ -H "Authorization: Bearer tsk_live_your_api_key_here" \ -H "Content-Type: application/json" # Response { "summary": "3 high-risk users detected across 142 monitored users...", "risk_distribution": { "critical": 1, "high": 2, "medium": 8, "low": 47, "minimal": 84 }, "open_incidents": 2, "ai_usage_events_7d": 1247 }
Subscribe to security events and receive HMAC-signed payloads in real-time. Configure webhook endpoints in your dashboard.
# POST to your endpoint with HMAC signature in header # X-TeamSentry-Signature: sha256=abc123... { "event": "incident.created", "timestamp": "2025-01-15T10:30:00Z", "data": { "incident_id": "inc_8f3k2j", "severity": "high", "title": "Possible account takeover detected", "affected_user": "[email protected]", "triggered_rules": [ "impossible_travel", "new_device_login", "password_reset_anomaly" ] } }
Full API Reference
Every endpoint returns structured JSON with LLM-friendly summaries. Authenticate with a Bearer token.
Organization
- GET /v1/overview Security overview with risk distribution
- GET /v1/organization Organization settings and configuration
Users
- GET /v1/users List all monitored users
- GET /v1/users/:email/risk Get user risk profile
- GET /v1/users/high-risk List high-risk users
- GET /v1/users/search Search users by name, email, or department
Incidents
- GET /v1/incidents List security incidents
- GET /v1/incidents/:id Get incident details and timeline
- PUT /v1/incidents/:id/status Update incident status
Apps & AI Usage
- GET /v1/apps List connected third-party apps
- GET /v1/ai-usage AI tool usage analytics
Agent-Specific
- GET /v1/agent/summary LLM-optimized security summary
- POST /v1/agent/query Natural language security query
- GET /v1/agent/tools List available MCP tools and schemas
Subscribable Events
Get notified in real-time when security events occur. All payloads are HMAC-signed for verification.
| Event | Description | Severity |
|---|---|---|
| incident.created | New security incident detected | Varies |
| incident.updated | Incident status or severity changed | Varies |
| incident.resolved | Incident marked as resolved | Info |
| risk.threshold_exceeded | User risk score exceeded configured threshold | High |
| risk.score_changed | Significant change in user risk score | Medium |
| ai.shadow_usage | Unauthorized AI tool usage detected | Medium |
| ai.data_exfiltration | Sensitive data sent to AI tool | High |
| auth.impossible_travel | Login from geographically impossible location | High |
| auth.new_device | Login from unrecognized device | Medium |
| app.unauthorized | Untrusted third-party app connected | Medium |
Code Examples
Common operations in Python and curl to get you started quickly.
import requests API_KEY = "tsk_live_your_api_key_here" BASE_URL = "https://api.teamsentry.ai/v1" headers = { "Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json" } # Get all high-risk users response = requests.get( f"{BASE_URL}/users/high-risk", headers=headers, params={"min_risk_score": 70} ) data = response.json() print(data["summary"]) # "3 users with risk score >= 70" for user in data["users"]: print(f" {user['email']}: {user['risk_score']}")
# Get risk profile for a specific user curl -s https://api.teamsentry.ai/v1/users/[email protected]/risk \ -H "Authorization: Bearer tsk_live_your_api_key_here" \ | jq . # Response { "summary": "[email protected] has a HIGH risk score of 82. 4 active risk rules triggered in the last 7 days.", "user": { "email": "[email protected]", "risk_score": 82, "risk_level": "high" }, "active_rules": [ "impossible_travel", "excessive_file_downloads", "shadow_ai_usage", "off_hours_activity" ], "mitre_tactics": [ "TA0001", "TA0010" ] }
Get Your API Key
Create a free account and start integrating TeamSentry with your AI agents in minutes.
Go to Dashboard