Detection Settings
10 min
maro's browser extension uses a language model (llm) to spot risky activity in real time — catching sensitive data before it leaves the browser and classifying how people use the apps they work in detection settings is where you choose which llm the extension uses to do that work for everyone in your organization you'll find it under organization → detection settings detection settings control the engine behind detection — the model that reads activity and decides whether a rule was triggered they don't change what you watch for or what happens when a rule fires; that's defined in your policies two ways to run detection there are two modes by default, organizations use the first one mode what it means when to use it use extension settings (default) each user's extension picks its own local model — for example gemini nano running directly in the browser no api key, no setup the default, and the right choice for most organizations detection runs on device and nothing leaves the user's machine use my llm (remote) the extension routes detection requests through an llm provider you configure here — anthropic, openai, or any openai compatible endpoint for machines that can't run a local model, or when you want every user on one consistent, centrally managed model use extension settings (the default) when this mode is selected, every user's extension chooses its own local llm this is the simplest option — there's nothing to configure and no api key to manage because detection happens on device, activity content is evaluated locally rather than sent to an outside provider this is the recommended default only switch to use my llm if you have a specific reason to use my llm (remote) choose this when local, on device models aren't an option — for example on locked down or older machines that can't run a browser embedded model — or when you want to guarantee that everyone in the org runs detection on the exact same model when you select use my llm , the extension stops using each user's local model and instead sends detection requests to the provider you configure below configuring a remote provider these fields appear only when use my llm is selected all of them are needed before you can save provider the llm service that will handle detection requests anthropic — claude models openai — gpt models openai compatible — any endpoint that speaks the openai api format (self hosted models, gateways, or third party providers) host url the address maro sends requests to for anthropic and openai , this defaults to the provider's public api ( https //api anthropic com and https //api openai com ) leave it as is unless you route traffic through your own proxy for openai compatible , this is required — point it at the base url of your endpoint model which model the provider should use for anthropic , choose from claude haiku 4 5 (recommended) — fast and cost effective claude sonnet 4 6 — more capable, higher cost for openai , choose from gpt 5 nano (recommended) — fast and cost effective gpt 5 mini — more capable, higher cost for openai compatible , type the exact model id your endpoint expects (for example, llama 3 1 70b instruct ) the recommended models are tuned for the high volume, low latency nature of real time detection start there unless you have a reason to prefer a larger model api key the credential maro uses to authenticate with your provider your key is stored encrypted on maro's servers and is never returned by the api — once saved, you can't read it back if a key is already saved, you'll see a key configured badge to change it, click replace key and enter the new one; click keep existing key to leave it untouched saving, resetting, and removing save configuration writes your changes the button stays disabled until you've actually changed something reset discards unsaved edits and restores the last saved configuration remove configuration clears your remote setup entirely the extension reverts to each user's local llm settings, and any stored api key is deleted and cannot be recovered after a successful save you'll get a confirmation, and the change takes effect for your organization's extensions who can change these settings only organization administrators can edit detection settings everyone else sees a read only view showing the current mode, provider, and model, and whether an api key is configured — but can't make changes how this fits with policies think of it as two layers working together detection settings (this page) decide the engine — the model that reads activity policies decide the rules — what to watch for, on which apps, and what happens when something is triggered switching detection modes or providers doesn't change your policies your rules keep working exactly as configured; only the model evaluating them changes