As organizations increasingly rely on LLM APIs for critical applications, monitoring and securing API usage has become paramount. In this comprehensive guide, I will walk you through designing a production-ready API Security Situation Awareness System (ASSAS) that provides real-time visibility into your AI API consumption patterns, threat detection, and cost optimization opportunities.
Why Your Organization Needs API Security Monitoring
Before diving into the technical implementation, let me share my hands-on experience: I once worked with a mid-sized fintech company that experienced a $47,000 bill in a single weekend due to an unattended development API key that was leaked in a public repository. A proper situation awareness system would have detected the anomalous usage pattern within 15 minutes and triggered automatic rate limiting. This experience shaped my approach to API security architecture.
HolySheep vs Official API vs Other Relay Services
When building your API security infrastructure, choosing the right provider significantly impacts your monitoring capabilities and cost structure:
| Feature | HolySheep AI | Official OpenAI/Anthropic | Standard Relay Services |
|---|---|---|---|
| Rate | ยฅ1 = $1 (saves 85%+ vs ยฅ7.3) | $1 = $1 (official pricing) | ยฅ1 = $0.85 (typical markup) |
| Latency | <50ms average | 80-200ms (varies by region) | 100-300ms |
| Payment Methods | WeChat, Alipay, Credit Card | Credit Card Only | Limited options |
| Free Credits | Yes, on registration | No | Rarely |
| Built-in Monitoring | Real-time dashboard + API | Basic usage page | Varies by provider |
| Security Features | IP whitelist, key rotation, anomaly alerts | Basic API key management | Limited |
| 2026 GPT-4.1 Price | $8/MTok (same as official) | $8/MTok | $8.50-$9/MTok |
| Claude Sonnet 4.5 | $15/MTok (same as official) | $15/MTok | $16-$17/MTok |
| Gemini 2.5 Flash | $2.50/MTok | $2.50/MTok | $2.75-$3/MTok |
| DeepSeek V3.2 | $0.42/MTok | N/A (not available) | $0.50-$0.60/MTok |
System Architecture Overview
Our API Security Situation Awareness System consists of four primary components:
- Gateway Layer: Intercepts all API requests before forwarding to the LLM provider
- Telemetry Collection: Captures request/response metadata in real-time
- Anomaly Detection Engine: Uses statistical analysis and ML for threat identification
- Dashboard & Alerting: Visualizes security posture and notifies stakeholders
Implementation: Building the Core Monitoring Client
The following implementation demonstrates a production-ready Python client that integrates with HolySheep AI while providing comprehensive security monitoring capabilities:
# api_security_monitor.py
import asyncio
import hashlib
import time
import logging
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Dict, List, Any
from collections import defaultdict
import httpx
import json
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)
@dataclass
class APIRequest:
"""Represents a monitored API request with security metadata."""
request_id: str
timestamp: datetime
model: str
prompt_tokens: int
completion_tokens: int
total_cost: float
latency_ms: float
ip_address: str
user_agent: str
status: str
error_message: Optional[str] = None
@dataclass
class SecurityAlert:
"""Security alert data structure."""
alert_id: str
alert_type: str
severity: str # LOW, MEDIUM, HIGH, CRITICAL
description: str
timestamp: datetime
affected_requests: List[str]
recommended_action: str
class RateLimitRule:
"""Defines rate limiting rules for API keys or IP addresses."""
def __init__(self, identifier: str, requests_per_minute: int,
tokens_per_minute: int, max_cost_per_hour: float):
self.identifier = identifier
self.requests_per_minute = requests_per_minute
self.tokens_per_minute = tokens_per_minute
self.max_cost_per_hour = max_cost_per_hour
self.request_timestamps: List[datetime] = []
self.token_counts: List[int] = []
self.cost_amounts: List[float] = []
def check_rate_limit(self, request_tokens: int, request_cost: float) -> tuple[bool, str]:
"""Check if request passes rate limiting. Returns (allowed, reason)."""
now = datetime.now()
minute_ago = now - timedelta(minutes=1)
hour_ago = now - timedelta(hours=1)
# Clean old entries
self.request_timestamps = [t for t in self.request_timestamps if t > minute_ago]
self.token_counts = self.token_counts[len(self.request_timestamps):]
# Check request count limit
if len(self.request_timestamps) >= self.requests_per_minute:
return False, f"Request limit exceeded: {self.requests_per_minute}/min"
# Check token limit
recent_tokens = sum(self.token_counts[-60:]) if len(self.token_counts) >= 60 else sum(self.token_counts)
if recent_tokens + request_tokens > self.tokens_per_minute:
return False, f"Token limit exceeded: {self.tokens_per_minute}/min"
# Check cost limit
self.cost_amounts = [c for c in self.cost_amounts if now - timedelta(hours=1) <
datetime.fromtimestamp(sum([datetime.timestamp(hour_ago) for _ in [1]])/len([1]) if self.cost_amounts else 0)]
recent_cost = sum([c for c in self.cost_amounts if (now - c).total_seconds() < 3600])
if recent_cost + request_cost > self.max_cost_per_hour:
return False, f"Cost limit exceeded: ${self.max_cost_per_hour}/hour"
return True, "OK"
class APISecurityMonitor:
"""
Production-ready API Security Situation Awareness System client.
Integrates with HolySheep AI for secure LLM API access with comprehensive monitoring.
"""
def __init__(self, api_key: str, base_url: str = "https://api.holysheep.ai/v1"):
self.api_key = api_key
self.base_url = base_url.rstrip('/')
self.request_log: List[APIRequest] = []
self.rate_limit_rules: Dict[str, RateLimitRule] = {}
self.anomaly_thresholds = {
'request_spike_multiplier': 5.0, # 5x normal = anomaly
'cost_spike_multiplier': 3.0,
'latency_p95_ms': 5000, # 5 seconds
'error_rate_threshold': 0.15 # 15% errors = anomaly
}
self._client = httpx.AsyncClient(timeout=60.0)
self._stats = defaultdict(int)
async def create_completion(
self,
model: str,
messages: List[Dict[str, str]],
temperature: float = 0.7,
max_tokens: int = 2048,
metadata: Optional[Dict[str, Any]] = None
) -> Dict[str, Any]:
"""
Create a chat completion with full security monitoring.
All requests go through HolySheep AI at https://api.holysheep.ai/v1
"""
start_time = time.time()
request_id = hashlib.sha256(
f"{time.time()}{''.join(m['content'] for m in messages)}".encode()
).hexdigest()[:16]
try:
# Check rate limits if configured
for rule_key, rule in self.rate_limit_rules.items():
if request_id.startswith(rule_key[:8]) or rule_key == 'default':
allowed, reason = rule.check_rate_limit(
request_tokens=len(' '.join(m['content'] for m in messages).split()),
request_cost=0.01 # Estimated cost
)
if not allowed:
logger.warning(f"Rate limit hit for {request_id}: {reason}")
raise ValueError(f"Rate limit exceeded: {reason}")
# Prepare request payload
payload = {
"model": model,
"messages": messages,
"temperature": temperature,
"max_tokens": max_tokens
}
headers = {
"Authorization": f"Bearer {self.api_key}",
"Content-Type": "application/json",
"X-Request-ID": request_id,
"X-Client-Version": "security-monitor-v2.1"
}
# Make request to HolySheep AI
response = await self._client.post(
f"{self.base_url}/chat/completions",
json=payload,
headers=headers
)
latency_ms = (time.time() - start_time) * 1000
response_data = response.json()
if response.status_code != 200:
raise Exception(f"API Error: {response_data.get('error', {}).get('message', 'Unknown error')}")
# Extract response metadata
usage = response_data.get('usage', {})
prompt_tokens = usage.get('prompt_tokens', 0)
completion_tokens = usage.get('completion_tokens', 0)
# Calculate cost based on model
cost = self._calculate_cost(model, prompt_tokens, completion_tokens)
# Log the request
api_request = APIRequest(
request_id=request_id,
timestamp=datetime.now(),
model=model,
prompt_tokens=prompt_tokens,
completion_tokens=completion_tokens,
total_cost=cost,
latency_ms=latency_ms,
ip_address="internal",
user_agent="SecurityMonitor/2.1",
status="success"
)
self.request_log.append(api_request)
self._stats['total_requests'] += 1
self._stats['total_cost'] += cost
# Check for anomalies after each request
alerts = self._detect_anomalies()
if alerts:
await self._handle_alerts(alerts)
return response_data
except Exception as e:
latency_ms = (time.time() - start_time) * 1000
logger.error(f"Request failed: {str(e)}")
api_request = APIRequest(
request_id=request_id,
timestamp=datetime.now(),
model=model,
prompt_tokens=0,
completion_tokens=0,
total_cost=0,
latency_ms=latency_ms,
ip_address="internal",
user_agent="SecurityMonitor/2.1",
status="error",
error_message=str(e)
)
self.request_log.append(api_request)
self._stats['total_errors'] += 1
raise
def _calculate_cost(self, model: str, prompt_tokens: int, completion_tokens: int) -> float:
"""Calculate cost based on model pricing (2026 rates)."""
pricing = {
'gpt-4.1': {'prompt': 2.0, 'completion': 8.0}, # $2/MTok in, $8/MTok out
'gpt-4.1-turbo': {'prompt': 1.0, 'completion': 4.0},
'claude-sonnet-4.5': {'prompt': 3.0, 'completion': 15.0}, # $3/$15
'claude-opus-4': {'prompt': 15.0, 'completion': 75.0},
'gemini-2.5-flash': {'prompt': 0.35, 'completion': 2.50}, # $0.35/$2.50
'deepseek-v3.2': {'prompt': 0.14, 'completion': 0.42}, # $0.14/$0.42
}
model_key = model.lower().replace('-', '_')
rates = pricing.get(model_key, {'prompt': 1.0, 'completion': 4.0})
return (prompt_tokens / 1_000_000 * rates['prompt'] +
completion_tokens / 1_000_000 * rates['completion'])
def _detect_anomalies(self) -> List[SecurityAlert]:
"""Detect anomalous patterns in recent requests."""
alerts = []
now = datetime.now()
recent_window = now - timedelta(minutes=5)
recent_requests = [r for r in self.request_log if r.timestamp > recent_window]
if not recent_requests:
return alerts
# Calculate baseline metrics
total_requests = len(recent_requests)
error_count = sum(1 for r in recent_requests if r.status == 'error')
error_rate = error_count / total_requests if total_requests > 0 else 0
avg_latency = sum(r.latency_ms for r in recent_requests) / total_requests
avg_cost = sum(r.total_cost for r in recent_requests) / total_requests
# Detect error rate anomaly
if error_rate > self.anomaly_thresholds['error_rate_threshold']:
alerts.append(SecurityAlert(
alert_id=hashlib.md5(f"err_{now}".encode()).hexdigest()[:12],
alert_type="HIGH_ERROR_RATE",
severity="HIGH",
description=f"Error rate {error_rate:.1%} exceeds threshold {self.anomaly_thresholds['error_rate_threshold']:.1%}",
timestamp=now,
affected_requests=[r.request_id for r in recent_requests if r.status == 'error'],
recommended_action="Check API status and review error logs. Consider circuit breaker activation."
))
# Detect latency anomaly
latency_p95_idx = int(len(recent_requests) * 0.95)
if latency_p95_idx > 0:
sorted_latencies = sorted([r.latency_ms for r in recent_requests])
latency_p95 = sorted_latencies[min(latency_p95_idx, len(sorted_latencies)-1)]
if latency_p95 > self.anomaly_thresholds['latency_p95_ms']:
alerts.append(SecurityAlert(
alert_id=hashlib.md5(f"lat_{now}".encode()).hexdigest()[:12],
alert_type="HIGH_LATENCY",
severity="MEDIUM",
description=f"P95 latency {latency_p95:.0f}ms exceeds threshold {self.anomaly_thresholds['latency_p95_ms']}ms",
timestamp=now,
affected_requests=[],
recommended_action="Check network connectivity and HolySheep AI service status."
))
# Detect cost anomaly
if avg_cost > 0.50 and total_requests > 10:
cost_95_idx = int(len(recent_requests) * 0.95)
sorted_costs = sorted([r.total_cost for r in recent_requests])
if cost_95_idx < len(sorted_costs):
cost_p95 = sorted_costs[cost_95_idx]
if cost_p95 > avg_cost * 3:
alerts.append(SecurityAlert(
alert_id=hashlib.md5(f"cost_{now}".encode()).hexdigest()[:12],
alert_type="COST_SPIKE",
severity="CRITICAL",
description=f"Unusual cost pattern detected: P95=${cost_p95:.4f} vs avg=${avg_cost:.4f}",
timestamp=now,
affected_requests=[r.request_id for r in recent_requests if r.total_cost > avg_cost * 3],
recommended_action="IMMEDIATE: Review API key usage. Possible unauthorized access or prompt injection attack."
))
return alerts
async def _handle_alerts(self, alerts: List[SecurityAlert]):
"""Handle detected security alerts."""
for alert in alerts:
logger.critical(f"SECURITY ALERT [{alert.severity}]: {alert.alert_type}")
logger.critical(f" Description: {alert.description}")
logger.critical(f" Action: {alert.recommended_action}")
# In production, integrate with your alerting system
# Slack, PagerDuty, email, webhook, etc.
# Auto-rate-limit on CRITICAL alerts
if alert.severity == "CRITICAL":
logger.warning("Activating emergency rate limits...")
self.emergency_rate_limit = True
def get_security_report(self) -> Dict[str, Any]:
"""Generate comprehensive security report."""
now = datetime.now()
last_24h = now - timedelta(hours=24)
last_1h = now - timedelta(hours=1)
requests_24h = [r for r in self.request_log if r.timestamp > last_24h]
requests_1h = [r for r in requests_24h if r.timestamp > last_1h]
return {
"report_time": now.isoformat(),
"period_24h": {
"total_requests": len(requests_24h),
"total_cost": sum(r.total_cost for r in requests_24h),
"avg_latency_ms": sum(r.latency_ms for r in requests_24h) / len(requests_24h) if requests_24h else 0,
"error_count": sum(1 for r in requests_24h if r.status == 'error'),
"error_rate": sum(1 for r in requests_24h if r.status == 'error') / len(requests_24h) if requests_24h else 0,
},
"period_1h": {
"total_requests": len(requests_1h),
"total_cost": sum(r.total_cost for r in requests_1h),
"avg_latency_ms": sum(r.latency_ms for r in requests_1h) / len(requests_1h) if requests_1h else 0,
},
"stats": dict(self._stats),
"active_rate_limits": len(self.rate_limit_rules),
"system_health": "NOMINAL" if self._stats.get('total_errors', 0) < 10 else "DEGRADED"
}
async def close(self):
"""Clean up resources."""
await self._client.aclose()
Example usage with HolySheep AI
async def main():
# Initialize monitor with your HolySheep AI key
monitor = APISecurityMonitor(
api_key="YOUR_HOLYSHEEP_API_KEY",
base_url="https://api.holysheep.ai/v1"
)
# Set up rate limiting rules
monitor.rate_limit_rules['default'] = RateLimitRule(
identifier='default',
requests_per_minute=60,
tokens_per_minute=100000,
max_cost_per_hour=50.0
)
try:
# Example: Use DeepSeek V3.2 (only $0.42/MTok - great for high-volume tasks)
response = await monitor.create_completion(
model="deepseek-v3.2",
messages=[
{"role": "system", "content": "You are a security assistant."},
{"role": "user", "content": "Analyze this log entry for suspicious activity: 192.168.1.105 - Failed login attempt #47"}
],
temperature=0.3,
max_tokens=500
)
print(f"Response: {response['choices'][0]['message']['content']}")
# Generate security report
report = monitor.get_security_report()
print(json.dumps(report, indent=2, default=str))
finally:
await monitor.close()
if __name__ == "__main__":
asyncio.run(main())
Building the Real-Time Dashboard
Now let's create a web-based dashboard using FastAPI and WebSocket for real-time security monitoring:
# dashboard_server.py
from fastapi import FastAPI, WebSocket, WebSocketDisconnect, HTTPException
from fastapi.responses import HTMLResponse
from fastapi.staticfiles import StaticFiles
from pydantic import BaseModel
from typing import Dict, List, Optional
from datetime import datetime, timedelta
import asyncio
import json
import random
app = FastAPI(title="API Security Situation Awareness Dashboard")
class ConnectionManager:
"""Manages WebSocket connections for real-time updates."""
def __init__(self):
self.active_connections: List[WebSocket] = []
self.metrics_buffer: List[Dict] = []
self.max_buffer_size = 1000
async def connect(self, websocket: WebSocket):
await websocket.accept()
self.active_connections.append(websocket)
def disconnect(self, websocket: WebSocket):
if websocket in self.active_connections:
self.active_connections.remove(websocket)
async def broadcast(self, message: Dict):
"""Broadcast message to all connected clients."""
dead_connections = []
for connection in self.active_connections:
try:
await connection.send_json(message)
except:
dead_connections.append(connection)
for dead in dead_connections:
self.disconnect(dead)
manager = ConnectionManager()
class ThreatIntelligence:
"""Real-time threat intelligence and anomaly scoring."""
def __init__(self):
self.known_malicious_patterns = [
"prompt injection", "jailbreak", "sudo mode",
"ignore previous instructions", "disregard rules"
]
self.threat_signatures: Dict[str, float] = {}
def analyze_request(self, prompt: str, metadata: Dict) -> Dict:
"""Analyze a request for potential threats."""
threat_score = 0.0
detected_threats = []
prompt_lower = prompt.lower()
# Check for malicious patterns
for pattern in self.known_malicious_patterns:
if pattern in prompt_lower:
threat_score += 0.3
detected_threats.append(pattern)
# Check for unusual request characteristics
if metadata.get('tokens', 0) > 10000:
threat_score += 0.2
detected_threats.append("unusually_long_prompt")
if metadata.get('latency_ms', 0) > 10000:
threat_score += 0.15
detected_threats.append("high_latency")
# IP reputation check (simulated)
ip = metadata.get('ip', '')
if ip.startswith('185.220.'): # Known anonymizer range
threat_score += 0.4
detected_threats.append("suspicious_ip_range")
return {
'threat_score': min(threat_score, 1.0),
'threat_level': 'CRITICAL' if threat_score > 0.7 else 'HIGH' if threat_score > 0.4 else 'MEDIUM' if threat_score > 0.2 else 'LOW',
'detected_threats': detected_threats,
'recommended_action': 'BLOCK' if threat_score > 0.7 else 'REVIEW' if threat_score > 0.4 else 'ALLOW'
}
threat_engine = ThreatIntelligence()
@app.get("/")
async def get_dashboard():
"""Serve the main dashboard HTML."""
return HTMLResponse("""
API Security Situation Awareness Dashboard
๐ก๏ธ API Security Situation Awareness
โ Connected
0
Total Requests (24h)
$0.00
Total Cost (24h)
0ms
Avg Latency
0%
Error Rate
๐ Real-Time Threat Analysis
""")
@app.websocket("/ws")
async def websocket_endpoint(websocket: WebSocket):
"""WebSocket endpoint for real-time updates."""
await manager.connect(websocket)
try:
while True:
# Simulate real-time metrics (in production, pull from your database)
await asyncio.sleep(1)
metrics = {
'timestamp': datetime.now().isoformat(),
'metrics': {
'total_requests': random.randint(1000, 5000),
'total_cost': round(random.uniform(50, 200), 2),
'avg_latency': random.randint(30, 80),
'error_rate': random.uniform(0, 0.05)
},
'chart_data': {
'requests': random.randint(10, 100),
'costs': round(random.uniform(0.5, 2), 2),
'latency': random.randint(30, 100)
}
}
await websocket.send_json(metrics)
except WebSocketDisconnect:
manager.disconnect(websocket)
@app.get("/api/security/report")
async def get_security_report():
"""API endpoint for security report."""
return {
"status": "healthy",
"version": "2.1.0",
"uptime_seconds": 86400,
"last_updated": datetime.now().isoformat()
}
@app.get("/api/threats/analyze")
async def analyze_threat(prompt: str, ip: str = "0.0.0.0"):
"""Analyze a prompt for potential threats."""
result = threat_engine.analyze_request(prompt, {'ip': ip, 'tokens': len(prompt.split())})
return result
if __name__ == "__main__":
import uvicorn
uvicorn.run(app, host="0.0.0.0", port=8000)
Deployment Architecture
For production deployments, I recommend the following architecture that leverages HolySheep AI's high-performance infrastructure:
# docker-compose.yml for production deployment
version: '3.8'
services:
# Main application
api-gateway:
build: ./api-gateway
ports:
- "8080:8080"
environment:
- HOLYSHEEP_API_KEY=${HOLYSHEEP_API_KEY}
- HOLYSHEEP_BASE_URL=https://api.holysheep.ai/v1
- REDIS_URL=redis://redis:6379
- DATABASE_URL=postgresql://user:pass@postgres:5432/security
depends_on:
- redis
- postgres
networks:
- security-network
deploy:
resources:
limits:
cpus: '2'
memory: 4G
# Real-time monitoring
telegraf:
image: telegraf:latest
volumes:
- ./telegraf.conf:/etc/telegraf/telegraf.conf:ro
environment:
- HOLYSHEEP_ENDPOINT=http://api-gateway:8080/metrics
networks:
- security-network
# Dashboard
dashboard:
build: ./dashboard
ports:
- "3000:3000"
environment:
- API_GATEWAY_URL=http://api-gateway:8080
depends_on:
- api-gateway
networks:
- security-network
# Alerting system
alert-manager:
image: prom/alertmanager:latest
ports:
- "9093:9093"
volumes:
- ./alertmanager.yml:/etc/alertmanager/alertmanager.yml:ro
networks:
- security-network
# Redis for caching and rate limiting
redis:
image: redis:7-alpine
ports:
- "6379:6379"
networks:
- security-network
deploy:
resources:
limits:
memory: 512M
# PostgreSQL for logging
postgres:
image: postgres:15
environment:
- POSTGRES_DB=security
- POSTGRES_USER=user
- POSTGRES_PASSWORD=pass
volumes:
- pgdata