Module · Discover

Find the LLMs your employees already use

Discover shadow AI usage with zero impact on your apps and zero SDK to install. Egress capture and a Chrome/Edge extension surface every call to ChatGPT.com, Claude.ai, Gemini or Copilot — attributed to a user, team and department. Live in 24 hours.

The control plane for shadow AI

Discover sits at the two places employees actually use AI: the corporate network egress and the browser itself. The corporate egress catches API calls and unmanaged SDKs leaving your network. The Chrome/Edge MV3 extension captures the conversations that never leave the browser — the ones happening on ChatGPT.com, Claude.ai, Gemini and Copilot.

No app code changes. No SDK to roll out. No proxy to wire up in agent frameworks. Within 24 hours you see who is using which LLM provider, with what data, in which team or department — and you can flip on Govern policies on top of the same traffic the same week.

What Discover surfaces

Per-user attribution

Every request mapped to a user, team and department. Stop guessing whether marketing or engineering is driving spend; see it on the dashboard.

Multi-turn conversation reconstruction

Re-assembles full ChatGPT.com, Claude.ai and Gemini conversations from streamed responses so you can audit what was actually said, not just which domain was visited.

47+ DLP detectors on shadow traffic

Credit cards, SSNs, IBANs, API keys, cloud credentials, source code, unknown secret patterns. Findings classified by severity so you can block or just alert.

Human-vs-agent fingerprinting

Behavioral signals reveal whether a user is actually a script or a registered agent calling under a personal account — catching shadow agents pretending to be people.

Provider allowlist with approved models

Approve OpenAI but not GPT-4 fine-tunes. Approve Claude but only Sonnet. Anything outside the allowlist surfaces as shadow even when the provider is sanctioned.

Accurate token & cost data per provider

Get accurate token and cost data per provider, even when the upstream UI does not expose it.

Capture vectors and coverage

  • Corporate egress: PAC file, transparent proxy, transparent HTTPS interception via corporate root CA. Routes outbound HTTPS through a Renlayer node deployed in your network. Captures everything: API calls, unmanaged SDKs, web traffic.
  • Browser extension: Chrome / Edge MV3, ChatGPT.com / Claude.ai / Gemini / Copilot. Capture happens inside the page so streamed responses and conversation IDs come through, not just domain hits.
  • Attribution: User, team, department, hostname, OS, request source. Org structure managed in the console; CSV import and SSO group sync supported.
  • Conversations: Multi-turn reconstruction with cumulative DLP scoring. Detects exfiltration that builds up across turns and would slip past per-request DLP.
  • Fingerprint: Human vs agent behavioral classifier. Score per user computed hourly, with mismatch alerts when a 'human' looks scripted.
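
To make the "Conversations" row concrete, here is an added example (not Renlayer's code or detector logic) of why per-request DLP misses a value split across turns and how a conversation-level scan catches it. The `ConversationScanner` class, its window size and the sample turns are assumptions made for illustration; the card number is a well-known test value.

```python
import re

CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_cards(text):
    """Per-request detector: card numbers fully contained in one message."""
    cands = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text))
    return [c for c in cands if luhn_ok(c)]

class ConversationScanner:
    """Hypothetical cumulative detector: keeps digit runs across turns and
    re-tests concatenations that span more than one turn."""
    def __init__(self, window=12):
        self.window = window      # how many recent digit runs to remember
        self.frags = []           # (turn_number, digit_run)
        self.turn = 0
        self.seen = set()         # avoid re-reporting the same finding

    def add_turn(self, text):
        single = find_cards(text)
        self.frags += [(self.turn, g) for g in re.findall(r"\d{2,}", text)]
        self.frags = self.frags[-self.window:]
        self.turn += 1
        cumulative = []
        for i, (first_turn, _) in enumerate(self.frags):
            acc = ""
            for last_turn, run in self.frags[i:]:
                acc += run
                if len(acc) > 19:          # longer than any card number
                    break
                spans = first_turn != last_turn
                if len(acc) >= 13 and spans and luhn_ok(acc) and acc not in self.seen:
                    self.seen.add(acc)
                    cumulative.append(acc)
        return single, cumulative

# Constructed sample conversation: a test card number split over two prompts.
SAMPLE_TURNS = [
    "Can you help me format a billing record?",
    "The card starts with 4111 1111",
    "and the rest is 1111 1111, expiry is next year",
]

def scan(turns):
    scanner = ConversationScanner()
    return [scanner.add_turn(t) for t in turns]
```

Every turn passes the per-request check on its own; only the third call to `add_turn` reports the reassembled number, which is the gap cumulative scoring is meant to close.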

Three steps to your first finding

  1. Deploy the egress node

    A single Docker container runs in your network, and a PAC file or DNS rule points outbound LLM domains to it. Most teams have it running in under a day.

  2. Push the browser extension

    Distribute the Chrome/Edge MV3 extension via your existing endpoint manager (Intune, Jamf, GPO). Capture starts the moment users open ChatGPT.com or Claude.ai.

  3. Watch the discovery dashboard

    Within hours you see providers, users, departments, top conversations, DLP findings and cost — with drill-down to every individual request.

Frequently asked questions

How do I find LLMs I didn't know were being used?

Discover captures at two points where every shadow LLM call must pass through: your corporate network egress and the browser itself. Within 24h of deployment you see every provider, model, user and department — including ChatGPT.com, Claude.ai, Gemini and Copilot usage that never appears in any expense report.

Does it work with ChatGPT.com, Claude.ai and Gemini?

Yes. That is the explicit reason we ship a Chrome/Edge MV3 extension alongside the egress proxy. The extension captures inside the page so streamed responses and full multi-turn conversations are reconstructed, not just domain hits.

Does Discover attribute usage to teams and departments?

Yes. Every captured request is mapped to a user identity (from the browser session or egress auth) and joined to your org structure. The org structure is managed in the console with CSV import; SSO group sync is supported for Okta, Azure AD and Google Workspace.

How is this different from Zscaler or Netskope?

Existing DLP/CASB tools see the domain (chatgpt.com) but not the content (the conversation). Discover parses the actual prompt and response inside the browser, runs 47+ DLP detectors on the content, reconstructs the conversation across turns, and computes a behavioral fingerprint. They see who visited; we see what was said.

Will users know they are being recorded?

Yes. The browser extension shows a status icon and an employee transparency portal lets each user see exactly what was captured about them, with GDPR-grade delete requests. Discovery is built for compliance — not surveillance.
