Back to Landscape/Runtime Guardrails & AI Firewall

Top Runtime Guardrails & AI Firewall Tools for 2026

Inline defenses that inspect prompts, responses, and context in real time — prompt injection defense, content safety, and policy enforcement.

28 solutions listed • part of the Guardion AI Security Index

How GuardionAI covers this

GuardionAI builds its own guard models and publishes the benchmarks — the numbers below come from the public guard models guide. Independent alternatives are listed right after this section.

Guard models are natively trained on 8 languages (English, Spanish, Italian, Portuguese, Russian, Chinese, Hindi, Arabic) extended to 100+ languages, and evaluated across 1,000+ languages — including historical and dead languages — with graceful post-training decay.

Prompt Defense

F1 0.95

Precision 0.98 • FPR 0.02

  • prompt injection
  • jailbreaks & adversarial attacks
  • bot abuse
  • spam

Moderation

F1 0.98

Recall 0.99aligned with the NVIDIA Aegis (Nemotron) content-safety taxonomy

  • Hate & harassment
  • Violence
  • Sexual content (stricter handling for minors)
  • Self-harm
  • Illicit / dangerous activity
  • Toxicity & profanity

PII / DLP & Secrets

F1 0.97

Precision 1.00 • FPR 0.004

PII groups

Person name · Contact · Address · Government ID · Payment · Digital ID · Company

Secrets

AWS access & secret keys · GitHub tokens · Google API keys · Slack tokens · Stripe keys · Private keys & JWTs · npm tokens · Seed phrases · Generic API keys, secrets & passwords

Policy engine decisions return in under 130ms — 20× faster than cloud provider guardrails. Benchmarks: sensitivity L1–L4, methodology in the docs.

Request a demo
#1

Lakera (Check Point)

8.8/10

A focused runtime security layer protecting against prompt injection, PII leakage, and hallucinations via API. Acquired by Check Point in late 2025 (~$300M reported); Lakera Guard and Lakera Red remain live products and anchor Check Point's Center of Excellence for AI Security.

Usage-based / Quote
Runtime LLM Guardrails
Acquired by Check Point
#2

Meta (Llama Guard)

8.6/10

A set of LLM safeguards designed to detect violating content across multiple use cases. Model-based guardrail.

Open Source
Content Safety
#3

Prompt Security (SentinelOne)

8.3/10

Secures the entire lifecycle of Generative AI, protecting employees from risky AI use and developers from insecure model integrations. Acquired by SentinelOne in September 2025 (~$250M reported) and integrated into the Singularity platform for prompt injection, data leakage, and shadow AI protection.

Subscription / Quote
Enterprise GenAI Governance
Acquired by SentinelOne
#4

Cisco AI Defense (Robust Intelligence)

8.3/10

Robust Intelligence pioneered the AI firewall and automated model assessment. Acquired by Cisco in 2024, its technology now ships as Cisco AI Defense — runtime protection, model validation, and AI visibility integrated with the Cisco security stack.

Enterprise (Cisco)
AI Firewall & Assessment
Acquired by Cisco
#5

Azure AI Content Safety (Prompt Shields)

8.3/10

Microsoft's cloud service for detecting harmful content, with Prompt Shields as its real-time API for blocking jailbreaks and indirect prompt injection from documents. By 2026 it also spans groundedness detection, protected-material detection, and a task-adherence API for agent tool misuse, feeding runtime signals into Microsoft Defender for AI.

Usage-based (cloud), free tier
Content Moderation & Prompt Attacks
#6

LLM Guard (Protect AI)

8.2/10

Comprehensive open-source toolkit to fortify LLM security, offering sanitization, detection, and prevention of attacks. Originally by Laiyer.ai, now maintained under Protect AI.

Open Source
Sanitization & Detection
#7

Google Cloud Model Armor

8.2/10

Google Cloud's GA service for screening LLM prompts and responses for prompt injection, jailbreaks, harmful content, malicious URLs, and sensitive data leakage. Model-agnostic (works with Gemini, OpenAI, Anthropic, Llama over REST) and integrated with Apigee, Vertex AI, Agent Gateway, and Security Command Center, with org-wide floor settings for baseline enforcement.

Usage-based (cloud), free tier
LLM Prompt/Response Screening
#8

Amazon Bedrock Guardrails

8.2/10

AWS lets teams attach six configurable safeguard policies — content filters, denied topics, word filters, PII redaction, contextual grounding, and Automated Reasoning checks — to model calls. Automated Reasoning uses formal logic to validate outputs against policies, and the standalone ApplyGuardrail API extends coverage to third-party and self-hosted models; cross-account safeguards went GA in 2026.

Usage-based (per 1,000 text units)
Configurable LLM Safeguards
#9

CalypsoAI (F5)

8.1/10

Security and orchestration platform allowing enterprises to safely use public and private LLMs with rigorous policy enforcement. Acquired by F5 in September 2025 ($180M); its inference-layer guardrails are integrated into F5's Application Delivery and Security Platform.

Enterprise Subscription
Enterprise GenAI Governance
Acquired by F5
#10

Rebuff

8.1/10

Multi-layered defense against prompt injection attacks using heuristics, vector DBs, and LLM analysis.

Open Source
Prompt Injection Defense
#11

Pangea (CrowdStrike)

8.1/10

API-based security services for AI applications, led by AI Guard (prompt injection and data-leak filtering) and AI Detection & Response for visibility into enterprise AI usage. CrowdStrike agreed to acquire Pangea for $260M in September 2025; by 2026 its technology anchors CrowdStrike's Falcon AIDR while the developer APIs continue to operate.

Usage-based API (free tier); CrowdStrike Falcon modules
AI Detection & Response
Acquired by CrowdStrike
#12

Meta LlamaFirewall

8.1/10

Meta's open-source (MIT) guardrail framework within the Purple Llama project, orchestrating layered scanners across chat and multi-step agent workflows: PromptGuard 2 (lightweight injection classifier), AlignmentCheck (chain-of-thought auditing for goal hijacking), CodeShield (static analysis of generated code), and custom regex scanners.

Free / Open Source
Agent Guardrail Framework
#13

Aporia (Coralogix)

8/10

Observability and guardrails platform that ensures AI reliability by detecting hallucinations and enforcing policies in real-time. Acquired by Coralogix in late 2024 and offered as Coralogix AI observability.

Usage / Tiered
Guardrails & Observability
Acquired by Coralogix
#14

SPLX.ai

8/10

End-to-end platform for automated security testing, runtime protection, and governance controls (Probe & Guard).

Quote
Full Lifecycle AI Security
#15

Cloudflare Firewall for AI

8/10

Extends Cloudflare's WAF to inspect LLM prompts inline at the edge, discovering LLM endpoints and flagging prompt injection, PII in prompts, and unsafe topics that can drive WAF rules. Pairs with AI Gateway Guardrails, which run moderation models on Workers AI to flag or block prompts and responses across providers; the WAF detections are an Enterprise add-on as of 2026.

Enterprise add-on (WAF); AI Gateway usage-based
Edge AI Traffic Security
#16

Virtue AI

8/10

Founded in 2024 by professors Bo Li, Dawn Song, Sanmi Koyejo, and Carlos Guestrin, Virtue AI offers VirtueRed (continuous algorithmic red teaming, 600+ attack vectors) and VirtueGuard (real-time multimodal guardrails), plus AgentSuite for agentic systems including MCP Guard. Raised $30M in combined seed and Series A in April 2025.

Enterprise subscription
AI Red Teaming & Guardrails
#17

IBM Granite Guardian

8/10

IBM's family of Apache 2.0 guardrail models that judge prompts and responses of any LLM for jailbreaks, harmful content, social bias, RAG groundedness failures, and agentic risks like function-calling hallucination. The 4.x generation shipped in 2026 aligned to IBM's AI Risk Atlas; the models rank near the top of the GuardBench leaderboard and power guardrails inside watsonx.governance.

Free / Open Source (hosted via watsonx)
Open Guardrail Models
#18

Vigil

7.9/10

Detects prompt injections and other LLM attacks. Can be used as a library or proxy.

Open Source
Prompt Injection Defense
#19

DeepKeep

7.8/10

End-to-end AI security platform offering AI Firewall, Usage Control, Agentic AI Security, and Automated Red Teaming for LLMs and Computer Vision.

Enterprise Quote
Full Stack AI Security
#20

PromptArmor

7.8/10

Protects enterprises from novel threats like indirect prompt injection and data exfiltration.

Quote
Indirect Injection Defense
#21

Operant AI

7.8/10

Provides '3D Runtime Defense' for modern stacks, protecting AI models and APIs in real-time without requiring code instrumentation.

Enterprise Quote
Runtime Protection
AARM extended
#22

OpenGuardrails

7.8/10

An open-source guard agent for AI agent runtime security, spanning personal to enterprise use. Promotes the AI-RSMS standard.

Open Source
Agent Runtime Security
#23

Pillar Security

7.7/10

Unified AI security layer providing visibility and guardrails across the organization.

Quote
Enterprise Guardrails
AARM aligned
#24

Enkrypt AI

7.6/10

Provides a control layer to govern, secure, and monitor the use of LLMs within the enterprise, ensuring data privacy and compliance.

Quote
Governance & Guardrails
#25

Preamble

7.5/10

Provides runtime guardrails for RAG, LLMs, and AI agents, enforcing safety and privacy policies.

Subscription
Policy & Safety Guardrails
#26

Infotect Security

7.5/10

Scans outbound response traffic in real time for undesirable content and confidential data at layer 4.

Commercial
Network Layer AI Security
#27

NVIDIA (NeMo Guardrails)

7.5/10

A toolkit for adding programmable guardrails to LLM-based conversational systems.

Open Source
Conversational Guardrails
#28

Guardrails AI

7.2/10

A Python library for validating structures and data from Large Language Models. Excellent for ensuring JSON output.

Open Source
Output Validation

Ready to secure your AI Agents?

Govern every agent command, tool call, and data access — with sub-130ms guardrails latency. 50M+ agent actions protected per month.