Getting Started

Deploy Tangate in about 10 minutes. You will need an AWS account with a CloudFront distribution that has S3 access logging enabled.

Prerequisites

Before you begin, ensure you have:

  • AWS account with permissions to create CloudFormation stacks, Lambda functions, IAM roles, Secrets Manager secrets, and EventBridge rules
  • CloudFront distribution with S3 access logging enabled (you need the log bucket name)
  • CloudFront distribution ID (found in the CloudFront console)
  • AI provider API key from one of: Anthropic, OpenAI, or DeepSeek
  • AWS CLI installed and configured with appropriate credentials

Step 1: Sign Up

Create your Tangate account at www.tangate.com/signup. You will need:

  • Your company name
  • A contact email address

After completing payment via Stripe Checkout, you will be redirected to a welcome page displaying:

  • Instance ID — Identifies your Tangate deployment
  • API Key — 64-character hex string for authenticating with the Tangate backend

Save both values securely — the API key is shown only once. You will need them for deployment.

Step 2: Set Environment Variables

Set the following environment variables for the deployment script:

export STACK_NAME="deckard"
export TYRELL_ENDPOINT="https://api.tangate.com"
export TYRELL_API_KEY="<your-api-key>"
export INSTANCE_ID="<your-instance-id>"
export AI_PROVIDER="anthropic"          # or: openai, deepseek
export AI_API_KEY="<your-ai-api-key>"
export CLOUDFRONT_LOG_BUCKET="<your-log-bucket-name>"
export CLOUDFRONT_DISTRIBUTION_ID="<your-distribution-id>"

Step 3: Deploy the CloudFormation Stack

Run the deployment script:

cd deckard/cloudformation
./deploy.sh

The script will:

  1. Package the analysis Lambda and edge Lambda
  2. Upload Lambda packages to S3
  3. Deploy the CloudFormation stack with all parameters
  4. Upload the dashboard HTML to your output bucket

Deployment typically takes 2-3 minutes.

Step 4: Attach Lambda@Edge to CloudFront

After the stack deploys, retrieve the edge function ARN from the stack outputs:

aws cloudformation describe-stacks \
  --stack-name deckard \
  --query 'Stacks[0].Outputs[?OutputKey==`EdgeFunctionVersionArn`].OutputValue' \
  --output text

Then attach it to your CloudFront distribution as a viewer-request trigger:

  1. Open the CloudFront console
  2. Select your distribution
  3. Go to the Behaviors tab
  4. Edit the default behavior (or the behavior you want to protect)
  5. Under Function associations, add a Lambda@Edge function association:
    • Event type: Viewer request
    • Function ARN: paste the EdgeFunctionVersionArn from the stack output
  6. Save and wait for the distribution to deploy (this may take a few minutes)

Step 5: Verify

Check the Dashboard

Download the dashboard from the URL in your stack outputs:

curl -o dashboard.html "$(aws cloudformation describe-stacks \
  --stack-name deckard \
  --query 'Stacks[0].Outputs[?OutputKey==`DashboardDownloadUrl`].OutputValue' \
  --output text)"

Open dashboard.html in your browser. Log in with the Access Key ID and Secret Access Key from your stack outputs, your bucket name (deckard-out-{instance-id}), and region (us-east-1). You should see the Overview page.

Wait for the First Analysis Run

The analysis pipeline runs hourly via EventBridge. After the first run, your dashboard will show:

  • Blocklist version and generation time
  • Count of blocked IPs, CIDRs, user agents, and query patterns
  • Last analysis run timestamp

You can also check CloudWatch Logs for the analysis Lambda to verify it ran successfully.

Verify Edge Enforcement

After the first analysis run updates the blocklist, Lambda@Edge will begin enforcing blocks on the next cache refresh (within 5 minutes). You can verify by checking:

  • The blocklist file at s3://{your-log-bucket}/deckard/blocklist.json
  • CloudWatch Logs for the Lambda@Edge function
  • The Active Blocks page in your dashboard

What Happens Next

Once deployed, Tangate operates automatically:

  • Every hour: The analysis Lambda processes new CloudFront logs, runs AI analysis, and updates the blocklist
  • Every 5 minutes: Lambda@Edge refreshes its cached blocklist from S3
  • Every night: Tangate's threat intelligence pipeline updates global rules from open-source feeds

You can manage your deployment from the dashboard: view active blocks, add whitelist/blocklist rules, adjust the AI sampling rate, and review decision logs.

Next Steps