Guardrails / LLM Firewall: 7 Vendors and 5 Tools Compared for 2026
Guardrails / LLM Firewall covers request-time filters that sit between users and models, blocking injected prompts, unsafe output, and PII leaks before they land. It maps most closely to OWASP LLM risks LLM01 Prompt Injection, LLM02 Sensitive Information Disclosure, LLM05 Improper Output Handling. 7 vendors and 5 open-source tools sit in this category, scored as of .
7 of 7 Guardrails / LLM Firewall vendors score Covered for LLM01 Prompt Injection, as of . See the whole market in the coverage matrix.
Vendors
Ranked by llmthreat's editorial coverage score, as of 2026-07-13 — public documentation, not a third-party audit.
| Vendor | Covered | Partial | Status | Funding | Best for |
|---|---|---|---|---|---|
| Lakera | 8/10 | 2 | Acquired | ~$30M total (incl. $20M Series A) | Real-time prompt-injection and content guardrails for GenAI/agentic apps, plus pre-deployment red teaming |
| Enkrypt AI | 4/10 | 6 | Active | $2.35M | Teams wanting combined red teaming plus runtime guardrails, hallucination detection and compliance evidence for LLM/agent apps |
| NeuralTrust | 4/10 | 5 | Active | $20M (€17.2M seed) | Enterprises needing an infrastructure-level guardrail/gateway plus red teaming across many LLM apps and agents |
| Lasso Security | 3/10 | 3 | Active | — | Enterprises wanting full-lifecycle GenAI security from shadow-AI discovery through runtime protection and red teaming |
| Pangea | 3/10 | 5 | Acquired | ~$51-52M total (Series A $25M + Series B $26M) | Developers embedding API-based prompt-injection and data-leakage guardrails into GenAI apps |
| Prompt Security | 3/10 | 4 | Acquired | ~$23M total ($5M seed + $18M Series A) | Governing employee GenAI/shadow-AI usage and wrapping homegrown LLM apps with real-time DLP and injection defense |
| WitnessAI | 3/10 | 3 | Active | Over $85M | Enterprises needing an inline AI firewall to discover shadow AI/MCP servers, enforce policy, redact sensitive data, and block prompt injection/jailbreaks across employee and agent usage |
Open-source tools
| Tool | License | Language | Stars | Last push | Status | Primary use |
|---|---|---|---|---|---|---|
| Guardrails | Apache-2.0 | Python | 7,130 | 2026-07-10 | Active | Framework for adding structural, type, and quality guardrails to LLM outputs, including input/output validators for security risks like prompt injection and PII leakage |
| LLM Guard | MIT | Python | 3,164 | 2026-07-08 | Archived | Security toolkit for LLM interactions — input/output scanners for prompt injection, PII, toxicity, jailbreaks, and data leakage |
| NeMo Guardrails | Apache-2.0 | Python | 6,669 | 2026-07-10 | Active | Open-source toolkit for adding programmable guardrails (topical, safety, security rails) to LLM-based conversational systems |
| Rebuff | Apache-2.0 | TypeScript | 1,511 | 2024-08-07 | Archived | LLM prompt injection detector using heuristics, an LLM-based detector, vector-store similarity, and canary tokens |
| Vigil | Apache-2.0 | Python | 490 | 2024-01-31 | Dormant | Detects prompt injections, jailbreaks, and other risky LLM inputs via a pluggable scanner pipeline |
How to choose a Guardrails / LLM Firewall product
Every vendor in this category claims a "99% detection rate" — that number is meaningless on its own. What actually separates products is where they set the bypass-rate/false-positive tradeoff, how much latency they add on the request path, and whether they cover just chat text or the tool calls an agent makes.
- 01 Detection threshold: bypass rate vs false positive rate
- There's no single accuracy number, only a curve. NeMo Guardrails hits 0% bypass but a 16.22% false-positive rate at ~1.5s latency; Meta's Prompt Guard runs the opposite way, 38.48% bypass at 3.6% FPR. And the threshold behaves counterintuitively: on Prompt Guard 2, raising it from 0.30 to 0.99 pushes bypass up from 54% to 65% — the higher cutoff is more permissive, so a stricter-sounding setting can leave you more exposed. Ask for the vendor's ASR/FPR curve at the threshold they recommend in production, not a headline percentage.
- 02 Inline latency budget: purpose-built classifier vs LLM-as-judge
- Purpose-built guard models (Lakera Guard, Llama Guard, Luna-2 SLMs) run roughly 30-200ms, cheap enough to sit inline and block every request before it reaches the user. Using a frontier model as the safety judge is a different tier — benchmarks put GPT-5-class LLM-as-judge latency in the multi-second range, not milliseconds. That's unusable inline at chat latency, so teams fall back to async or detection-only checks — meaning the unsafe output already shipped before the guardrail flags it.
- 03 Scope: text moderation vs tool-call/agentic action guardrails
- Most first-generation firewalls only inspect the prompt and the generated text for jailbreaks, toxicity, and PII. Agent deployments need policy hooks on the actions the model takes — API calls, DB writes, file access, outbound emails — because a guardrail failure on an agent means a deleted record or a wire transfer, not a bad sentence. Confirm the product enforces policy on tool-call arguments and results, not just the chat turn.
- 04 Deployment model: SaaS proxy vs self-hosted
- A hosted single-API-call integration ships fastest and is usually cheaper at low-to-moderate volume. Self-hosting (sidecar container, on-prem model) costs more in engineering time but is often non-negotiable for GDPR/HIPAA-scoped data — routing regulated data through a US-based SaaS guardrail can itself be a cross-border transfer violation, independent of how good the detector is.
- 05 Resistance to encoding/adversarial evasion
- Character injection (zero-width Unicode, homoglyphs) and adversarial perturbation have pushed measured evasion to 100% against production systems including Azure Prompt Shield and Meta Prompt Guard in published research. A clean benchmark score says nothing about resistance to encoding tricks the benchmark didn't test. Ask what evasion classes the vendor tests against and how often the classifier gets retrained against new ones.
Vendors report a single self-benchmarked "detection rate," not the bypass-rate/FPR curve at the threshold you'd actually run, and that number almost never covers Unicode/homoglyph evasion — techniques that independent research has driven to 100% success against named commercial products (Azure Prompt Shield, Meta Prompt Guard). Re-test any finalist yourself with garak or PyRIT against your own traffic before trusting the vendor's number.
Frequently asked questions
What is Guardrails / LLM Firewall?
Request-time filters that sit between users and models, blocking injected prompts, unsafe output, and PII leaks before they land.
Which vendors lead Guardrails / LLM Firewall coverage?
Lakera, Enkrypt AI, NeuralTrust cover the most OWASP LLM Top 10 risks in Guardrails / LLM Firewall, by llmthreat's scoring, as of 2026-07-13. See the ranked table above.
What is the best Guardrails / LLM Firewall tool for prompt injection?
Lakera leads Guardrails / LLM Firewall for Prompt Injection, by llmthreat's coverage scoring: Real-time prompt-injection and content guardrails for GenAI/agentic apps, plus pre-deployment red teaming. Compare the full ranked list above.