Runtime AI security
One guardrail layer between any agent and the LLM.
AIFenders is a drop-in, OpenAI-compatible proxy. Five rails — input, dialog, retrieval, execution, output — enforce declarative safety policy across the whole agent lifecycle. Swap one base_url and every call is firewalled: prompt injection, PII, unsafe tool calls, and egress leaks. Zero code change.
Maps to OWASP LLM Top 10 · MITRE ATLAS · NIST AI RMF · EU AI Act · ISO 42001 · DPDP · GDPR
One line to adopt
Point your base_url at AIFenders.
Keep your model, your SDK, your code. Swap the base URL and every request is firewalled through all five rails — with guardrail telemetry on every response.
# point any OpenAI SDK at AIFenders — nothing else changes from openai import OpenAI client = OpenAI( base_url="https://aifenders.com/v1", api_key=AIFENDERS_KEY, ) # every call now firewalled: injection, PII, tool-policy, egress resp = client.chat.completions.create( model="aifenders-gateway", messages=[{"role":"user","content":"Summarize this contract…"}], ) print(resp.aifenders) # guardrail telemetry rides along
The problem
LLMs and agents fail in production in ways a chatbot never did.
The moment a model can retrieve documents, call tools, and act autonomously, its attack surface explodes — and a single bad output becomes a breach, a leak, or a destructive action.
Prompt injection
Users and poisoned documents override your instructions to exfiltrate data or jailbreak the model.
PII & secret leakage
Cards, Aadhaar, API keys and tokens flow into prompts and back out in responses — often mid-stream.
Unsafe tool calls
Agents delete records, move money, and email data off-domain with no human in the loop.
Poisoned RAG
A single weaponized chunk retrieved into context hijacks the agent — the top real-world attack.
The solution
Five rails, one declarative policy.
Each rail is a guard stage in the request lifecycle. All behavior lives in a single policy.json — no Colang DSL to learn. Tumeryk / NeMo-class coverage, developer-native.
Input
Prompt-injection scoring + PII/secret masking before the model sees the text.
Dialog
Topic & SOP control — allowlist a scope or block off-limits subjects.
Retrieval
Scores every RAG chunk for indirect injection and masks PII in context.
Execution
Risk-scores every tool call; destructive ops route to human approval.
Output
Streaming egress verifier catches leaked secrets and echoed PII — mid-token.
Proven, not promised
Published benchmarks. Auditor-ready mapping.
99.4% enforcement across 2,200 adversarial cases — with the over-defense rate and latency most vendors won't publish. Every rail decision carries the framework IDs your buyers' security teams already require.
Firewall your agents in one line.
Create a free account, get an API key, and point your base_url at AIFenders. Every call firewalled — no code change.