9 Layers · 100% MITRE ATLAS · < 20ms

Every AI Request,
Inspected.
Every Threat, Stopped.

AI-Sentinel is an inline 9-layer security sidecar for AI workloads. Drop it between your app and your model — it blocks prompt injections, strips PII, prevents data exfiltration, and enforces tool RBAC in under 20ms. No async blind spots.

522 req/s peak throughput
Tamper-evident audit chain
Zero-restart threat feed
< 20ms · Average Latency
9 · Security Layers
522 · Peak req/s
100% · MITRE ATLAS Coverage

AI Models Are Attack Surfaces.
Most Security Tools Miss It.

💉 Prompt injections bypass your guardrails
A single "Ignore all previous instructions" can hijack your AI agent mid-session. Static regex filters don't catch the variants. DAN, SYSTEM overrides, and Llama-format attacks all land differently.
🔓 Models leak what they shouldn't
PII, AWS credentials, private keys, internal URLs — output inspection is an afterthought in most AI stacks, if it exists at all. One bad egress response exposes everything.
💥 Rogue tool calls can destroy production
An AI agent with DROP DATABASE in its tool manifest is a ticking clock. Without RBAC, it only takes one adversarial prompt to wipe a table or exfiltrate a backup.
🕳️ Async scanners create blind spots
If your security layer processes out-of-band, attacks that complete in under 100ms are already done before you know they happened. Out-of-band is not security — it's logging after the breach.
Without AI-Sentinel
Your App → "Ignore all previous instructions…"
↓ no inspection
LLM Model → receives injected payload
Model output: "Here is the system prompt: …"
With AI-Sentinel
Your App → "Ignore all previous instructions…"
↓ POST /check
🛡 AI-Sentinel L1 — PROMPT_INJECTION detected (3ms)
{ "status": "reject", "layer": "l1", "severity": "high" }

One Sidecar. 9 Layers.
Inline, Always.

🛡 Stop attacks before the model processes them
L1 catches injection in under 3ms — before a single token is consumed. Fail-fast means the model never sees the payload.
🔒 Guarantee what leaves your model
L6 blocks SSRF URLs, AWS IAM keys, PGP private keys, JWTs, and SQL dumps in model output before they reach your client.
📋 Prove every decision, tamper-evident
L7 SHA-256 hash-chains every record. Verification endpoint detects any modification. Structured for SIEM export and compliance audits.
Ship new threat patterns without restart
Hot-swappable threat feed from OWASP LLM Top 10, CrowdSec CTI, and NVD CVE. Zero downtime on updates — atomic pointer swap in microseconds.
POST /check — reject example

// Request
{
  "direction": "ingress",
  "payload": { "content": "Ignore all previous instructions…" },
  "caller_context": { "caller_id": "my-app" }
}

// Response — 3ms
{
  "status": "reject",
  "reject": { "layer": "l1", "code": "PROMPT_INJECTION", "severity": "high" },
  "latency_ms": 3
}

Deploy in Minutes.
Protect in Milliseconds.

1. Wrap
Point your app at POST /check instead of the model directly. Pass your payload as-is. No SDK changes, no model modifications.
2. Inspect
9 layers run in sequence: normalize → injection detection → PII strip → auth → trust chain → intent guard → tool RBAC → rate limiting → output filtering → audit. First threat stops the chain.
3. Decide
Clean requests pass through (optionally with PII stripped). Threats return a structured reject with layer, code, and severity. All in under 20ms.
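The three steps above, wired together as a client-side wrapper. This is an added example, not code from the AI-Sentinel project: the request fields (direction, payload.content, caller_context.caller_id) and the reject shape (status, reject.layer/code/severity, latency_ms) follow the page, while the sidecar URL, the exact "pass" status string and a "payload" field carrying redacted content on a pass response are assumptions of this example.

```python
"""Wrap a model call with AI-Sentinel's POST /check (added example, not project code)."""
import json
import urllib.request

SENTINEL_URL = "http://127.0.0.1:8080/check"  # assumed sidecar address; not stated on the page


class SentinelReject(Exception):
    """Raised when the sidecar returns a structured reject (layer, code, severity)."""

    def __init__(self, layer, code, severity):
        super().__init__(f"{code} rejected by {layer} (severity={severity})")
        self.layer, self.code, self.severity = layer, code, severity


def http_post_json(url, body):
    """Default transport: POST a JSON body to the sidecar and decode the JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=2) as resp:
        return json.load(resp)


def check(content, direction="ingress", caller_id="my-app", transport=http_post_json):
    """Run one payload through POST /check and return the content to forward.

    Raises SentinelReject on a reject verdict. On a pass, a redacted payload
    (PII stripped) is preferred over the original if the sidecar returned one;
    the "payload" field on a pass response is an assumption of this example.
    """
    body = {
        "direction": direction,
        "payload": {"content": content},
        "caller_context": {"caller_id": caller_id},
    }
    verdict = transport(SENTINEL_URL, body)
    status = verdict.get("status")
    if status == "reject":
        r = verdict["reject"]
        raise SentinelReject(r["layer"], r["code"], r["severity"])
    if status != "pass":
        # Anything we do not understand is treated as a reject: never forward unchecked text.
        raise SentinelReject("client", "UNKNOWN_STATUS", "high")
    return verdict.get("payload", {}).get("content", content)


def guarded_completion(prompt, call_model, transport=http_post_json):
    """Inspect the prompt on ingress, call the model, then inspect its output on egress."""
    clean_prompt = check(prompt, "ingress", transport=transport)
    raw_output = check(call_model(clean_prompt), "egress", transport=transport)
    return raw_output
```

Note that a transport error (sidecar unreachable, timeout) propagates as an exception, so the application fails closed on its side regardless of how the sidecar's own layers are configured; the `transport` parameter exists so the wrapper can be exercised offline against a fake verdict function.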

9 Layers, Every One
Purpose-Built

🔤 L0 · Input Normalizer
Anti-obfuscation preprocessing: base64 decoding, Unicode normalization, zero-width character stripping, and leetspeak expansion. Ensures downstream layers see the true payload.
💉 L1 · Prompt Injection Detection
12+ regex patterns covering DAN, SYSTEM overrides, Llama-format injection, and null-byte attacks. Sub-3ms detection before any token is processed.
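Why L0 has to run before L1, shown with a small normalizer and a pattern matcher. This is an added example, not AI-Sentinel's code: the four normalization steps are the ones the L0 description names (base64 decoding, Unicode normalization, zero-width stripping, leetspeak expansion), but the leetspeak table, the base64 token heuristic and the four illustrative patterns are this example's own, not the product's 12+ patterns.

```python
"""L0-style normalization feeding L1-style pattern matching (added example, not project code)."""
import base64
import binascii
import re
import unicodedata

# Invisible separators commonly inserted to split a keyword so a regex misses it.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff\u00ad]")
# Conservative leetspeak folding; the folded text is used for matching only, never forwarded.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
# A run of 16+ base64-alphabet characters standing on its own is worth trying to decode.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def _decode_b64(match):
    """Replace a base64-looking token with its text if it decodes to printable UTF-8."""
    token = match.group(0)
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return token            # not base64 (or not text): leave it alone
    return text if text.isprintable() else token


def normalize(text):
    """Undo common obfuscations so the detector sees the payload the model would act on."""
    text = unicodedata.normalize("NFKC", text)   # fold full-width and compatibility forms
    text = ZERO_WIDTH.sub("", text)               # drop invisible separators
    text = B64_TOKEN.sub(_decode_b64, text)       # surface base64-wrapped instructions
    text = text.translate(LEET)                   # 1gn0r3 -> ignore
    return text.casefold()


INJECTION_PATTERNS = [
    ("IGNORE_PREVIOUS", re.compile(r"ignore\s+(?:all\s+)?(?:previous|prior|above)\s+instructions")),
    ("DAN", re.compile(r"\bdo anything now\b|\bdan mode\b")),
    ("SYSTEM_OVERRIDE", re.compile(r"^\s*system\s*:", re.M)),
    ("NULL_BYTE", re.compile("\x00")),
]


def detect_injection(text):
    """Return the name of the first pattern that matches the normalized text, or None."""
    norm = normalize(text)
    for name, pattern in INJECTION_PATTERNS:
        if pattern.search(norm):
            return name
    return None
```

The original, unfolded payload is what gets forwarded on a pass; `normalize` produces a matching view only, which is why a lossy step such as leetspeak folding is acceptable there and would not be in a mutation layer.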
🧹 L1 · PII Stripping
SSN, credit cards, emails stripped before the model sees them. Mutate not block — clean requests still pass with redacted content. Optional Presidio NER.
🔑 L2.1–L2.3 · Auth + Trust Chain
API key/JWT validation, agent-to-agent HMAC trust tokens with 60s replay protection, and live threat signature matching from OWASP + CrowdSec.
🔌 L2.4–L2.5 · MCP + RAG Guard
MCP environment hardening validates tool server manifests and parameter schemas. RAG poisoning detection inspects retrieved context for injected instructions and adversarial chunks.
🧠 L3 · Intent Guard
Semantic drift detection across multi-turn conversations, topic correlation analysis, and command-and-control pattern recognition. Catches slow-burn manipulation attacks.
🛠 L4 · Tool RBAC
Deny-by-default for destructive tools (drop, rm, wipe, purge). Allowlist per role. CVE-mapped tool patterns from NVD. Prevents agents from calling what they shouldn't.
L5 · Rate + Cost Cap
Per-session token bucket and daily cost accumulator. Single request with $101 spend triggers immediate rejection. Global E-Stop flag for instant kill-switch.
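The three mechanisms the L5 description names, as one gate: a per-session token bucket, a daily cost accumulator that rejects before spending, and a global E-Stop flag checked first. This is an added example, not AI-Sentinel's code; the bucket size, refill rate and the $100 daily ceiling are illustrative parameters (the page states only that a single request with $101 spend is rejected), and the injectable `clock` exists so the bucket can be tested deterministically.

```python
"""L5-style rate limiting, cost capping and E-Stop (added example, not project code)."""
import threading
import time


class TokenBucket:
    """Classic token bucket: `capacity` burst, refilled continuously at `refill_per_sec`."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.tokens = float(capacity)
        self.last = clock()

    def take(self, n=1):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= n:
            self.tokens -= n
            return True
        return False


class DailyCostCap:
    """Accumulates estimated spend per day; refuses any request that would cross the cap."""

    def __init__(self, limit_usd):
        self.limit_usd = limit_usd
        self.spent = {}  # day label -> accumulated USD

    def admit(self, day, estimated_usd):
        projected = self.spent.get(day, 0.0) + estimated_usd
        if projected > self.limit_usd:
            return False  # rejected before the spend happens, not after
        self.spent[day] = projected
        return True


class SandboxLayer:
    """Order of checks: E-Stop, then per-session rate, then daily cost."""

    def __init__(self, per_session_rps, burst, daily_limit_usd, clock=time.monotonic):
        self.lock = threading.Lock()
        self.estop = False  # global kill-switch: True rejects everything immediately
        self.buckets = {}
        self.per_session_rps, self.burst, self.clock = per_session_rps, burst, clock
        self.cost = DailyCostCap(daily_limit_usd)

    def evaluate(self, session_id, estimated_usd, day):
        """Return None to pass the request on, or a reject code."""
        with self.lock:
            if self.estop:
                return "ESTOP_ACTIVE"
            bucket = self.buckets.setdefault(
                session_id, TokenBucket(self.burst, self.per_session_rps, self.clock))
            if not bucket.take():
                return "RATE_LIMITED"
            # A cost-rejected request has already consumed a rate token: an abusive
            # session cannot probe the cost cap faster than its rate allows.
            if not self.cost.admit(day, estimated_usd):
                return "COST_CAP_EXCEEDED"
            return None
```

Estimating spend before the call (from prompt length and the model's price per token) is what makes the cap preventive; accumulating actual spend afterwards would only tell you about the overrun once it had happened.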
🌐 L6 · SSRF Prevention
RFC-1918 private ranges, localhost, AWS/Azure/GCP metadata endpoints all blocked in model egress. Private infrastructure can never be reached via a model response.
🚫 L6 · Exfiltration Block
AWS IAM keys, PGP/RSA private key blocks, JWTs, SQL dumps, and large base64 blobs caught in model output before they reach the client.
📜 L7 · Tamper-Evident Audit
SHA-256 hash-chained record per request. Chain verification detects any modification. Every pass, reject, and mutation logged with caller, layer, and timestamp.
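What a SHA-256 hash chain over audit records buys you, and what it does not. This is an added example, not AI-Sentinel's code: the record fields (caller, layer, decision, timestamp) are those the page names, while the canonical JSON serialization, the all-zero genesis hash and the `verify` function are this example's own. The `expected_head` parameter covers the case the chain alone cannot: an attacker who can rewrite the whole log can simply re-chain it, so the latest hash has to be anchored somewhere the attacker cannot write, such as the SIEM export the page mentions.

```python
"""L7-style tamper-evident audit chain and its verifier (added example, not project code)."""
import hashlib
import json

GENESIS = "0" * 64  # assumed starting "previous hash" for an empty chain


def _digest(prev_hash, record):
    """SHA-256 over the previous hash and the canonical JSON of this record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + canonical).encode()).hexdigest()


class AuditChain:
    def __init__(self):
        self.entries = []  # each: {"record": {...}, "prev": hex, "hash": hex}

    def append(self, caller_id, layer, decision, timestamp, detail=None):
        """Append one pass / reject / mutate record and return its hash."""
        record = {"caller": caller_id, "layer": layer, "decision": decision,
                  "ts": timestamp, "detail": detail}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _digest(prev, record)
        self.entries.append({"record": record, "prev": prev, "hash": h})
        return h


def verify(entries, expected_head=None):
    """Return (True, None) if intact, else (False, index of the first bad entry).

    An index equal to len(entries) means every link checks out internally but
    the final hash differs from the externally anchored head: the log was
    rewritten and re-chained as a whole.
    """
    expected_prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != expected_prev or _digest(e["prev"], e["record"]) != e["hash"]:
            return False, i
        expected_prev = e["hash"]
    if expected_head is not None and expected_prev != expected_head:
        return False, len(entries)
    return True, None
```

Canonical serialization (sorted keys, no whitespace) matters: two writers that serialize the same record differently would produce different hashes and the chain would fail verification without any tampering.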
L8 · Semantic Cache + Routing
Intelligent response caching and model routing. Token budget tracking per request. Reduces redundant LLM calls while maintaining security coverage on every interaction.

The 9-Layer Pipeline

Fail-fast sequential execution. The first rejection short-circuits the chain. Egress requests skip ingress-only layers and run directly into L6.

Ingress path (user → model)
L0 Telemetry: Instrument
L0.5 Normalize: Anti-Obfuscation
L1 Sanitize: Inject · PII
L2.1 Auth: Key · JWT
L2.2 Trust: HMAC Replay
L2.3 Threat Feed: Signatures
L2.4 MCP: Env Harden
L2.5 RAG: Poison Detect
L3 Intent: Drift
L4 Tools: RBAC · CVE
L5 Sandbox: Rate · Cost
L7 Audit: Hash Chain

Egress path (model → user)
L0 Telemetry: Instrument
L4 Tools: Data Inspect
L6 Output: SSRF · Exfil
L7 Audit: Hash Chain
L8 Optimizer: Perf Tune

Built for the AI Security
Reality of 2026

100+ · Detection Patterns
55/55 · MITRE ATLAS Techniques
0μs · Feed Update Downtime
964 · Automated Tests
"We run 400+ AI agents across customer environments. AI-Sentinel is the first inline security layer that actually keeps up with the request volume — and the structured reject responses integrate cleanly with our incident routing."
Sarah K., Head of AI Platform, Series B SaaS

"The L7 audit chain was the deciding factor for our compliance team. Every decision is recorded, hash-chained, and verifiable. We can prove to auditors exactly what the model was allowed to see and produce."
Marcus T., CTO, Healthcare AI Startup

Enterprise-Grade AI Security

Flexible licensing to fit your deployment model — per-instance, per-API-call, or enterprise-wide.

Personal / Enterprise
Pricing Upon Request
Flexible per-instance, per-API-call, and enterprise license models
All 9 security layers
100% MITRE ATLAS pipeline coverage
Postgres + Redis session store
CrowdSec CTI + NVD CVE feed
Multi-tenant architecture
Prometheus + Grafana monitoring
SLA + dedicated support

Common Questions

Does it add latency to my AI calls?
Yes — under 20ms for a full clean ingress pass on the Presidio path. Under 5ms without Presidio. Violation rejections return in 2–4ms because they short-circuit before Presidio is ever called. The sidecar runs on the same host as your app, so network overhead is minimal.
Is it inline or async?
100% inline. The request does not proceed until all applicable layers complete evaluation. There is no out-of-band analysis path — if AI-Sentinel hasn't responded, your model hasn't seen the payload. This eliminates the class of blind spots that affect async scanners entirely.
What happens if a layer throws an error?
Fail-open by default — layer errors are logged, a fault counter is incremented, and the pipeline continues to the next layer. This prevents your AI availability from being blocked by instability in the security infrastructure. You can configure fail-closed per layer in enterprise profiles.
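The pipeline semantics described on this page, in one runnable model: fail-fast sequential execution where the first reject short-circuits the chain, ingress-only layers skipped on the egress path, per-layer fail-open or fail-closed on errors with a fault counter, and a deny-by-default tool RBAC layer (L4) with destructive verbs refused outright. This is an added example, not AI-Sentinel's code; the `Layer`, `Request` and `Reject` types, the role allowlist, the single illustrative injection pattern and the deliberately failing threat-feed check are this example's own constructs.

```python
"""Fail-fast pipeline with per-layer error policy and deny-by-default tool RBAC
(added example, not project code)."""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Reject:
    layer: str
    code: str
    severity: str = "high"


@dataclass
class Request:
    content: str
    role: str = "viewer"
    tool: Optional[str] = None  # tool the agent wants to call, if any
    direction: str = "ingress"
    faults: List[tuple] = field(default_factory=list)  # (layer, error) feeding the fault counter


@dataclass
class Layer:
    name: str
    check: Callable[[Request], Optional[Reject]]
    fail_closed: bool = False  # fail-open by default, as the FAQ describes
    ingress_only: bool = False


def injection_check(req):
    """L1-style check reduced to one illustrative pattern."""
    if re.search(r"ignore\s+all\s+previous\s+instructions", req.content, re.I):
        return Reject("l1", "PROMPT_INJECTION")
    return None


def threat_feed_check(req):
    """L2.3-style check whose backend is down, to exercise the error policy."""
    raise ConnectionError("threat feed backend unreachable")


DESTRUCTIVE = {"drop", "rm", "wipe", "purge", "delete", "truncate"}
ROLE_ALLOWLIST = {
    "viewer": {"search", "read_file"},
    "operator": {"search", "read_file", "restart_service"},
}


def tool_rbac(req):
    """L4-style RBAC: destructive verbs denied for every role; anything not allowlisted denied."""
    if req.tool is None:
        return None
    name = req.tool.lower()
    # Match whole tokens so "rm" does not fire on "format" or "perform".
    if DESTRUCTIVE & set(re.split(r"[^a-z0-9]+", name)):
        return Reject("l4", "DESTRUCTIVE_TOOL_DENIED")
    if name not in ROLE_ALLOWLIST.get(req.role, set()):
        return Reject("l4", "TOOL_NOT_ALLOWLISTED", "medium")
    return None


def run_pipeline(layers, req):
    """First Reject ends the chain; layer errors follow that layer's fail-open/closed setting."""
    for layer in layers:
        if layer.ingress_only and req.direction != "ingress":
            continue
        try:
            verdict = layer.check(req)
        except Exception as exc:  # any layer fault is contained here, never propagated
            req.faults.append((layer.name, repr(exc)))
            if layer.fail_closed:
                return Reject(layer.name, "LAYER_ERROR_FAIL_CLOSED")
            continue  # fail-open: logged, counted, next layer
        if verdict is not None:
            return verdict
    return None


DEFAULT_LAYERS = [
    Layer("l1", injection_check, ingress_only=True),
    Layer("l2.3", threat_feed_check),
    Layer("l4", tool_rbac),
]
```

One consequence worth checking in your own deployment: with fail-open, a request that reaches a failing layer is judged only by the layers after it, so the fault counter should be alerted on, not just logged.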
Does it work with any AI model or provider?
Yes. AI-Sentinel is completely model-agnostic — it evaluates the request and response JSON payload, not model-specific wire formats. It works identically with OpenAI, Anthropic Claude, Mistral, local models, or any custom LLM deployment.
Can I run it without Docker?
Yes — it's a single statically-linked Rust binary. Run ./ai-sentinel with a config TOML file. Docker Compose is provided for convenience and to co-locate Presidio, Postgres, and the monitoring stack.
How does the threat feed work?
A background worker fetches injection patterns from OWASP LLM Top 10, CrowdSec CTI, and NVD CVE on a configurable interval (default 1 hour). New signatures are compiled and hot-swapped via an atomic Arc pointer — zero downtime, zero restart, no request interruption during the swap.
What is your MITRE ATLAS coverage?
AI-Sentinel covers 100% of applicable MITRE ATLAS techniques (55 of 55) for runtime LLM pipeline security. This includes all 14 applicable ATLAS tactics from Initial Access through Impact. Built in Rust for sub-20ms latency.
Start Protecting Your AI
Workloads in 5 Minutes
One compose file. Nine layers. Zero model changes.
$ docker compose up -d
100% MITRE ATLAS applicable pipeline coverage · Enterprise-grade security