llmthreat
For vendors 21 vendors · 10 tools Matrix Vendors
Category

Guardrails / LLM Firewall: 7 Vendors and 5 Tools Compared for 2026

Guardrails / LLM Firewall covers request-time filters that sit between users and models, blocking injected prompts, unsafe output, and PII leaks before they land. It maps most closely to OWASP LLM risks LLM01 Prompt Injection, LLM02 Sensitive Information Disclosure, LLM05 Improper Output Handling. 7 vendors and 5 open-source tools sit in this category, scored as of .

7 of 7 Guardrails / LLM Firewall vendors score Covered for LLM01 Prompt Injection, as of . See the whole market in the coverage matrix.

Vendors

Ranked by llmthreat's editorial coverage score, as of 2026-07-13 — public documentation, not a third-party audit.

Guardrails / LLM Firewall vendors — as of 2026-07-13
VendorCoveredPartialStatusFundingBest for
Lakera 8/10 2 Acquired ~$30M total (incl. $20M Series A) Real-time prompt-injection and content guardrails for GenAI/agentic apps, plus pre-deployment red teaming
Enkrypt AI 4/10 6 Active $2.35M Teams wanting combined red teaming plus runtime guardrails, hallucination detection and compliance evidence for LLM/agent apps
NeuralTrust 4/10 5 Active $20M (€17.2M seed) Enterprises needing an infrastructure-level guardrail/gateway plus red teaming across many LLM apps and agents
Lasso Security 3/10 3 Active Enterprises wanting full-lifecycle GenAI security from shadow-AI discovery through runtime protection and red teaming
Pangea 3/10 5 Acquired ~$51-52M total (Series A $25M + Series B $26M) Developers embedding API-based prompt-injection and data-leakage guardrails into GenAI apps
Prompt Security 3/10 4 Acquired ~$23M total ($5M seed + $18M Series A) Governing employee GenAI/shadow-AI usage and wrapping homegrown LLM apps with real-time DLP and injection defense
WitnessAI 3/10 3 Active Over $85M Enterprises needing an inline AI firewall to discover shadow AI/MCP servers, enforce policy, redact sensitive data, and block prompt injection/jailbreaks across employee and agent usage

Open-source tools

Guardrails / LLM Firewall tools — as of 2026-07-13
ToolLicenseLanguageStarsLast pushStatusPrimary use
Guardrails Apache-2.0 Python 7,130 2026-07-10 Active Framework for adding structural, type, and quality guardrails to LLM outputs, including input/output validators for security risks like prompt injection and PII leakage
LLM Guard MIT Python 3,164 2026-07-08 Archived Security toolkit for LLM interactions — input/output scanners for prompt injection, PII, toxicity, jailbreaks, and data leakage
NeMo Guardrails Apache-2.0 Python 6,669 2026-07-10 Active Open-source toolkit for adding programmable guardrails (topical, safety, security rails) to LLM-based conversational systems
Rebuff Apache-2.0 TypeScript 1,511 2024-08-07 Archived LLM prompt injection detector using heuristics, an LLM-based detector, vector-store similarity, and canary tokens
Vigil Apache-2.0 Python 490 2024-01-31 Dormant Detects prompt injections, jailbreaks, and other risky LLM inputs via a pluggable scanner pipeline

How to choose a Guardrails / LLM Firewall product

Every vendor in this category claims a "99% detection rate" — that number is meaningless on its own. What actually separates products is where they set the bypass-rate/false-positive tradeoff, how much latency they add on the request path, and whether they cover just chat text or the tool calls an agent makes.

01 Detection threshold: bypass rate vs false positive rate
There's no single accuracy number, only a curve. NeMo Guardrails hits 0% bypass but a 16.22% false-positive rate at ~1.5s latency; Meta's Prompt Guard runs the opposite way, 38.48% bypass at 3.6% FPR. And the threshold behaves counterintuitively: on Prompt Guard 2, raising it from 0.30 to 0.99 pushes bypass up from 54% to 65% — the higher cutoff is more permissive, so a stricter-sounding setting can leave you more exposed. Ask for the vendor's ASR/FPR curve at the threshold they recommend in production, not a headline percentage.
02 Inline latency budget: purpose-built classifier vs LLM-as-judge
Purpose-built guard models (Lakera Guard, Llama Guard, Luna-2 SLMs) run roughly 30-200ms, cheap enough to sit inline and block every request before it reaches the user. Using a frontier model as the safety judge is a different tier — benchmarks put GPT-5-class LLM-as-judge latency in the multi-second range, not milliseconds. That's unusable inline at chat latency, so teams fall back to async or detection-only checks — meaning the unsafe output already shipped before the guardrail flags it.
03 Scope: text moderation vs tool-call/agentic action guardrails
Most first-generation firewalls only inspect the prompt and the generated text for jailbreaks, toxicity, and PII. Agent deployments need policy hooks on the actions the model takes — API calls, DB writes, file access, outbound emails — because a guardrail failure on an agent means a deleted record or a wire transfer, not a bad sentence. Confirm the product enforces policy on tool-call arguments and results, not just the chat turn.
04 Deployment model: SaaS proxy vs self-hosted
A hosted single-API-call integration ships fastest and is usually cheaper at low-to-moderate volume. Self-hosting (sidecar container, on-prem model) costs more in engineering time but is often non-negotiable for GDPR/HIPAA-scoped data — routing regulated data through a US-based SaaS guardrail can itself be a cross-border transfer violation, independent of how good the detector is.
05 Resistance to encoding/adversarial evasion
Character injection (zero-width Unicode, homoglyphs) and adversarial perturbation have pushed measured evasion to 100% against production systems including Azure Prompt Shield and Meta Prompt Guard in published research. A clean benchmark score says nothing about resistance to encoding tricks the benchmark didn't test. Ask what evasion classes the vendor tests against and how often the classifier gets retrained against new ones.
Watch out

Vendors report a single self-benchmarked "detection rate," not the bypass-rate/FPR curve at the threshold you'd actually run, and that number almost never covers Unicode/homoglyph evasion — techniques that independent research has driven to 100% success against named commercial products (Azure Prompt Shield, Meta Prompt Guard). Re-test any finalist yourself with garak or PyRIT against your own traffic before trusting the vendor's number.

Frequently asked questions

What is Guardrails / LLM Firewall?

Request-time filters that sit between users and models, blocking injected prompts, unsafe output, and PII leaks before they land.

Which vendors lead Guardrails / LLM Firewall coverage?

Lakera, Enkrypt AI, NeuralTrust cover the most OWASP LLM Top 10 risks in Guardrails / LLM Firewall, by llmthreat's scoring, as of 2026-07-13. See the ranked table above.

What is the best Guardrails / LLM Firewall tool for prompt injection?

Lakera leads Guardrails / LLM Firewall for Prompt Injection, by llmthreat's coverage scoring: Real-time prompt-injection and content guardrails for GenAI/agentic apps, plus pre-deployment red teaming. Compare the full ranked list above.

Last verified . Sources: OWASP GenAI Solutions Reference Guide, vendor documentation, GitHub API. Funding and repo figures are third-party and go stale. Re-verify before you rely on them.
Informational, not professional security advice — verify vendor and tool claims directly before a purchasing or security decision. OWASP, MITRE, and the listed vendors and maintainers do not endorse llmthreat.com.