For the CIO
Policy Bootstrap.
Fifteen days.
You do not author the policies. You watch your agents run for two weeks in shadow mode, then review the proposed rules in plain English against real recorded traffic, then enforce. The rules that ship are the ones you approved — derived from what your agents actually did, not a vendor's template.
The Three Days That Matter
Two weeks of observation. One day of review. One day to flip the switch.
WhiteFin sits inline on every agent-to-tool call. Nothing is blocked. Every call is recorded, labeled, and grouped. Your agents continue to run exactly as they did before; the only difference is that for the first time, you have ground truth about what they actually do.
A proposed policy set is generated from the two weeks of observed behavior. We sit with your team and walk through every rule. You see — in plain English, against real recorded traffic — what each rule allows, what it would have blocked, and what it would have escalated. You approve, edit, or reject before anything ships.
You flip the switch. Deny-by-default goes live. Approved tool calls pass. Unapproved calls stop, or route to a human approval queue, depending on how you set the rule. There are no surprises on day 16 because the rules are the ones you approved on day 15.
Two Ways to Deploy
Pick the one that matches your data-residency posture.
Self-hosted
You run the gateway inside your own cloud.
Your VPC, your network rules, your platform team's monitoring stack. WhiteFin ships the binary and the policies; the path stays inside your perimeter.
Air-gapped
No outbound dependency on WhiteFin infrastructure.
For environments where the gateway must operate without ever talking to a vendor. Policy updates and audit exports are explicit, manual operations. Right for the most sensitive deployments.