tangate docsAI Configuration
Tangate uses AI to analyze suspicious traffic patterns in your CloudFront logs. You bring your own API key (BYOK), choose your provider, and control costs through sampling rate settings.
Supported Providers
| Provider | Default Model | API |
|---|---|---|
| Anthropic | claude-sonnet-4-20250514 | Anthropic Messages API |
| OpenAI | gpt-4o | OpenAI Chat Completions API |
| DeepSeek | deepseek-chat | DeepSeek Chat API |
Set your provider during deployment with the AiProvider CloudFormation parameter. To override the default model, use the AiModel parameter.
BYOK Model
Tangate uses a Bring Your Own Key (BYOK) model for AI:
- You create an API key with your chosen provider
- You provide the key during deployment (stored in AWS Secrets Manager)
- AI inference runs from your AWS account using your key
- You pay your AI provider directly for usage
- Tangate never sees or stores your AI API key outside your AWS account
The AI analysis prompt is defined in the Tangate Lambda code. You supply the API key and provider selection; the prompt is not visible or configurable.
Sampling Rate
The sampling rate controls what percentage of suspicious IPs are sent to your AI provider for analysis. This is the primary cost control mechanism.
How It Works
- The analysis pipeline identifies candidate IPs from your CloudFront logs
- Candidates are sorted by request count descending — the highest-traffic (most suspicious) IPs come first
- The sampling gate applies: for each candidate, a random check determines if it is analyzed
- At lower sampling rates, the most active IPs are still prioritized for analysis
Presets
| Rate | Behavior |
|---|---|
| 100% | Analyze all suspicious IPs (default) |
| 75% | Analyze ~75% of candidates |
| 50% | Analyze ~50% of candidates |
| 25% | Analyze ~25% of candidates |
| 10% | Analyze only ~10% of candidates |
| 0% | Disable AI analysis entirely (rule-based only) |
What Happens at 0%
Setting the sampling rate to 0% disables AI analysis completely. Tangate continues to operate in rule-only mode:
- Threat intelligence rules (global, elevated, instance) are still applied
- Your local rules (whitelist and blocklist) are still enforced
- No AI API calls are made
- No AI costs are incurred
- Detection relies entirely on known rules and threat intel feeds
Skipped Candidates
IPs that are skipped due to sampling are not cached. They remain candidates for future analysis runs. This means:
- A skipped IP may be analyzed on a subsequent run
- No IP is permanently excluded by sampling — it just delays analysis
- Over multiple runs, most active IPs will eventually be analyzed even at low sampling rates
7-Day Analysis Cache
Each IP analyzed by AI is cached in S3 at s3://{bucket}/deckard/analysis-cache/{ip}.json with a 7-day TTL. Both BLOCK and ALLOW decisions are cached.
Benefits:
- An IP analyzed once is not re-analyzed for 7 days
- Significantly reduces AI API costs for repeat visitors
- Cache is per-IP, so new IPs are always analyzed (subject to sampling)
- After 7 days, the cache entry expires and the IP becomes a candidate again
Cost Estimation
AI costs depend on your provider, model, traffic volume, and sampling rate. Key factors:
- Number of unique suspicious IPs per hour — Each unique IP is one potential AI call
- Cache hit rate — Repeat IPs within 7 days are free (cached)
- Sampling rate — Lower rates mean fewer AI calls
As a rough guide, with Anthropic Claude at 100% sampling:
- Low traffic site (< 100 unique suspicious IPs/day): < $5/month in AI costs
- Medium traffic site (100-1,000 unique suspicious IPs/day): $5-50/month
- High traffic site (1,000+ unique suspicious IPs/day): Consider 25-50% sampling
These are approximate. Monitor your AI provider dashboard for actual usage and adjust sampling accordingly.
Changing the Sampling Rate
Via the Dashboard
- Open your Tangate dashboard
- Go to Settings
- Select a new sampling rate from the dropdown
- Changes take effect on the next hourly analysis run
Via S3 Directly
Write to s3://{bucket}/deckard/config.json:
{
"sampling_rate": 0.5,
"updated": "2026-03-07T14:00:00Z"
}
The runtime config in S3 overrides the deploy-time SamplingRate CloudFormation parameter.
Changing Your AI Provider
To switch providers or update your API key:
- Generate a new API key from your new provider
- Update the secret in AWS Secrets Manager (
deckard/ai-api-key) - Update the CloudFormation stack with the new
AiProvider(and optionallyAiModel):
export AI_PROVIDER="openai"
export AI_API_KEY="<new-key>"
cd deckard/cloudformation
./deploy.sh
The analysis Lambda picks up the new provider and key on the next run.
Telemetry Visibility
Each telemetry report sent to the Tangate backend includes sampling metrics for operator visibility:
sampling_rate— Current rate settingai_calls_made— Number of AI calls in this runai_candidates_skipped— Number of candidates skipped by sampling
These are aggregate counts only. No individual IP addresses or decision details are included in telemetry.
Next Steps
- Dashboard — Adjust sampling rate from the Settings page
- Threat Intelligence — Understand rule-based detection (works without AI)
- Troubleshooting — Fix AI-related issues