Anti-Venom policy hierarchy: six tiers explained
Subtitle: Global defaults, MSP overrides, client rules — predictable browser governance at scale.
Anti-Venom Secure Access applies policy from a six-tier hierarchy. Higher specificity wins. MSPs managing dozens of clients rely on this model to ship one baseline and per-client exceptions without redeploying extensions.
The six tiers (high → low precedence)
Client org exception — single-customer rule (e.g., allow industry portal)
Client org policy — default browser posture for that customer
MSP org override — your standard across all clients unless excepted
Platform template — Dual-Strike published baselines (AI tools, risky categories)
Agent local relay — offline/cache path when using LocalApi-first mode
Extension built-in safe defaults — fail-closed for unknown categories
Exact tier names in-console may vary slightly — precedence order is what matters.
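The precedence walk described above, as an added example that is not Dual-Strike's own code. Tier names come from the list; the rule schema, action names, category keys, sample domain, and the within-tier choice that a domain entry beats a category entry are assumptions made for illustration.

```python
from typing import Optional

# Tier names taken from the page, highest precedence first.
TIERS = [
    "client_org_exception",
    "client_org_policy",
    "msp_org_override",
    "platform_template",
    "agent_local_relay",
    "extension_builtin_defaults",
]
FAIL_CLOSED = "block"  # assumed action name for the built-in safe default


def resolve(policies: dict, category: str, domain: Optional[str] = None):
    """Return (action, deciding_tier), walking tiers from high to low.

    Assumption: within one tier, a domain rule beats that tier's category rule.
    """
    for tier in TIERS:
        rules = policies.get(tier, {})
        if domain is not None and domain in rules.get("domains", {}):
            return rules["domains"][domain], tier
        if category in rules.get("categories", {}):
            return rules["categories"][category], tier
    # No tier carried a rule: unknown categories fail closed.
    return FAIL_CLOSED, "extension_builtin_defaults"


def effective_policy(policies: dict, categories: list) -> dict:
    """Action per category plus the tier that decided it (useful for audits)."""
    return {c: resolve(policies, c) for c in categories}


# Constructed sample: MSP golden baseline plus one client's rules.
SAMPLE = {
    "client_org_exception": {"domains": {"portal.example-industry.test": "allow"}},
    "client_org_policy": {"categories": {"ai_tools_consumer": "block"}},
    "msp_org_override": {"categories": {"ai_tools_consumer": "warn",
                                        "risky_domains": "block"}},
    "platform_template": {"categories": {"ai_tools_consumer": "allow",
                                         "ai_tools_sanctioned": "allow"}},
}

if __name__ == "__main__":
    for cat, (action, tier) in effective_policy(
            SAMPLE, ["ai_tools_consumer", "risky_domains", "gambling"]).items():
        print(f"{cat}: {action} (decided by {tier})")
```

Returning the deciding tier alongside the action makes it easy to see which client exceptions are masking the MSP baseline.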
What policies control
Category: Example
AI tools: Allow Copilot, warn on consumer ChatGPT
Risky domains: Block phishing tiers, warn on new domains
SaaS catalog: Sanctioned vs. shadow IT labels
Business hours: Stricter rules outside 9–5 local
Telemetry: Session upload via agent relay vs. direct
Deployment flow (recap)
Agent on endpoint (MSI or RMM)
Extension from browser store (Edge GA highlighted in prior post)
Policy publish in console — extensions poll on interval
Browsing Insights validates sessions and categories
COBRA² consumes categories for detections
MSP pattern: golden template
Define MSP tier once — AI warn, risky block, SaaS tag
Clone to new client org on onboarding
Add client exceptions only for documented business apps
Review Browsing Insights top domains quarterly — promote shadow IT to sanctioned or block
Settings: Browser Extension · Insights: /browsing-insights
Downloads: dual-strike.com/downloads
Prefer agent relay at scale — reduces per-device cloud chatter (public architecture guidance only).

