Anthropic

Monitor Claude Enterprise activity in your SOC with full identity context, sensitive chat labeling, and behavioral threat detection powered by the Claude Compliance API.

Overview

Exaforce integrates with Claude's Compliance API, bringing Claude Enterprise activity into the Exaforce platform as a first-class detection source. AI assistants have moved from curiosity to core infrastructure in less than a year. Engineers write code with them, finance teams model with them, legal teams summarize contracts with them, and every one of those workflows touches sensitive data that lives completely outside the SIEM, DLP, and access reviews that protect the rest of the enterprise. Claude is now an enterprise data surface.

Until now, what your finance lead pasted into a Claude chat at 2 a.m. from an IP in a country your company doesn't operate in was invisible to your SOC. Exaforce makes Claude Enterprise governable, investigable, and detectable like the rest of the security stack.

Setup is straightforward. A Claude Enterprise administrator creates a Compliance API key, adds it to Exaforce, and Exaforce begins building the Claude activity, identity, project, and resource model automatically.

Fast onboarding and retrospective visibility

When historical activity is available through the Compliance API, Exaforce can backfill prior Claude events on first connect. That means teams can investigate existing exposure immediately, not just monitor activity going forward.

How it works

After connecting a Compliance API key, Exaforce continuously ingests and normalizes Claude audit events across organizations, users, projects, conversations, attachments, and role changes. Those events are correlated with the identity, device, SaaS, and cloud telemetry already in Exaforce, enabling faster attribution, higher-fidelity investigations, and more actionable detections.

What Exaforce sees once you connect Claude:

  • Organizations, users, and organizational roles: every Claude user is mapped back to their corporate identity in Okta, Entra, Google Workspace, or whichever IdP you run
  • Projects, project roles, and ownership: privacy settings, attachment counts, chat counts, and the humans accountable for each project
  • Conversations and messages: auditable events, with content available for sensitivity analysis
  • Attachments and project knowledge: files uploaded into Claude projects, inventoried as resources with relationships back to the projects and identities that touched them
  • Audit events: logins, role changes, API key creation, project membership changes, conversation views, and more
  • Posture findings: stale API keys, elevated users with no recent activity, sensitive projects with broad membership, orphaned project owners, weakened privacy settings, and projects containing sensitive chats or files

Core capabilities

Exaforce treats Claude audit events the same way it treats Okta, Google Workspace, GitHub, and Zscaler events: as a stream that gets baselined per identity, per workspace, and per project, then evaluated against behavioral and rule-based detectors. Because Claude activity is correlated with surrounding enterprise telemetry, Exaforce can connect a Claude event to identity, device, network, repository, cloud, endpoint, and SaaS activity during the same investigation.

Sensitive chat labeling

Exaforce analyzes Claude chat content and labels each conversation based on what types of sensitive data it contains: PII, payment data, secrets, regulated content, financial data, and customer data. A single conversation may contain multiple sensitive data types, and Exaforce flags each category present. Those labels feed back into detections and into the access graph, turning audit events into actionable incidents.

Sensitivity analysis runs without retaining a parallel copy of conversation content. Only labels and minimal evidence snippets flow into the platform. Conversation content is analyzed to produce sensitivity labels and detection context, while the original content remains governed in Claude.

Identity access graph

Exaforce builds a graph that walks from a corporate identity all the way down to the individual Claude resources that identity can reach: through organization roles, through organization membership, through project roles, into the projects themselves, and finally into the attachments and project knowledge files inside them.

Each node maps to a layer of access. Identity is the corporate user resolved against your IdP. From there, the graph traverses organizational role, organization membership, project role, individual projects with their privacy settings, and finally the resources reachable from those projects. Click any node to pivot: show every identity that can reach a dataset, or every project a user owns that contains PII-labeled chats. The same graph traversals your team runs for AWS IAM, Okta groups, and GitHub repo access now work for Claude.

Who this helps

SOC analysts

Investigating an identity compromise? Immediately see what Claude projects, chats, and attachments the affected account could reach, and whether sensitive chats were opened during the window of interest.

Detection engineers

Write rules against Claude audit events in the same language and engine used for the rest of the identity stack, with behavioral baselines computed per user.

Compliance leads

Prove who has access to what, where sensitive data lives inside Claude projects, and produce audit-ready evidence without exporting logs into yet another tool.

Does Exaforce store copies of our Claude conversation content?
How long does it take to set up the integration?
Can we write custom detections on Claude events, or are we limited to out-of-the-box rules?
Does this integration cover Claude usage via the API, or only the Claude.ai web interface?
