Protect AI threat coverage: OWASP LLM Top 10 & MITRE ATLAS (2026)
Acquired · Palo Alto NetworksProtect AI is an AI-SPM / Runtime Protection vendor based in Seattle, USA. Its flagship product is Guardian (model scanning), Recon (AI red teaming), Layer (runtime security), huntr bug bounty. Against the OWASP LLM Top 10 (2025) we score it Covered on 2 of 10 risks, Partial on 4, with 6 MITRE ATLAS techniques mapped as of . It now operates under Palo Alto Networks.
- 2/10
- Risks covered
- 4
- Partial
- 6
- ATLAS techniques
- ~$108.5M (seed + Series A + $60M Series B); some trackers list up to $129M
- Funding
- Acquired
- Status
At a glance
- Category
- AI-SPM / Runtime Protection
- Headquarters
- Seattle, USA
- Founded
- 2022
- Employees
- 51-200 (approx)
- Flagship product
- Guardian (model scanning), Recon (AI red teaming), Layer (runtime security), huntr bug bounty
- Deployment
- SaaS + self-hosted; API/gateway and CI scanning
- Best for
- Securing the ML model supply chain, scanning third-party/Hugging Face models, and MLSecOps in the build pipeline
- Funding to date
- ~$108.5M (seed + Series A + $60M Series B); some trackers list up to $129M
- Last round
- Series B ($60M) · 2024-08
- Status
- Acquired by Palo Alto Networks
Facts as of .
What does Protect AI do?
The MLSecOps pioneer — model scanning, red teaming, and runtime protection — now folded into Palo Alto's Prisma AIRS. It ships as SaaS + self-hosted; API/gateway and CI scanning, and it's built for securing the ML model supply chain, scanning third-party/Hugging Face models, and MLSecOps in the build pipeline. It's a weaker fit for teams wanting only a lightweight prompt/response firewall for employee ChatGPT use.
Which OWASP LLM Top 10 risks does Protect AI cover?
Protect AI's strongest verdict is LLM03Supply Chain. The two tables below come from our editorial read of Protect AI's public documentation as of (it's what the docs support, not a hands-on lab test), and this row also sits in the full matrix across all 21 vendors.
| OWASP LLM Risk | What it is | Protect AI coverage | How it's addressed | Source |
|---|---|---|---|---|
| LLM01 Prompt Injection | User or hidden input overrides the model's rules or intended behavior. | Partial | Recon red-teams apps for prompt injection; Layer provides runtime detection. | https://protectai.com/guardian |
| LLM02 Sensitive Information Disclosure | The model leaks secrets, personal data, or proprietary content in its output. | Partial | Layer runtime security monitors GenAI apps for data leakage. | https://protectai.com/guardian |
| LLM03 Supply Chain | Compromised models, datasets, plugins, or dependencies add risk before runtime. | Covered | Guardian scans 35+ model formats and 1.5M+ Hugging Face models; huntr AI/ML bug bounty. | https://protectai.com/guardian |
| LLM04 Data and Model Poisoning | Tampered training or fine-tuning data corrupts how the model behaves. | Covered | Guardian detects deserialization attacks, architectural backdoors, and malicious model payloads. | https://protectai.com/guardian |
| LLM05 Improper Output Handling | Downstream systems trust model output without checking it, enabling injection or code execution. | Partial | Recon red teaming surfaces unsafe output handling in LLM apps. | https://protectai.com/guardian |
| LLM06 Excessive Agency | An agent holds more permissions, tools, or autonomy than the task needs. | Unverified | No clear public documentation of agent/excessive-agency controls at time of research. | None found |
| LLM07 System Prompt Leakage | The system prompt or the secrets inside it get exposed to users. | Partial | Recon tests for system prompt/extraction weaknesses. | https://protectai.com/guardian |
| LLM08 Vector and Embedding Weaknesses | Flaws in RAG stores let attackers poison, extract, or infer data. | Unverified | No explicit vector/embedding weakness coverage found in public docs. | None found |
| LLM09 Misinformation | The model produces false or fabricated content that users act on. | Unverified | No explicit misinformation/factuality control found in public docs. | None found |
| LLM10 Unbounded Consumption | Uncontrolled requests drive cost, denial of service, or model extraction. | Unverified | No explicit unbounded-consumption/rate-limit control found in public docs. | None found |
| ATLAS Technique (ID) | Tactic | Protect AI coverage | Notes | Source |
|---|---|---|---|---|
| ML Supply Chain Compromise (AML.T0010) | Initial Access / Resource Development | Covered | Guardian scans models from Hugging Face, MLflow, S3, SageMaker for malicious artifacts. | https://protectai.com/guardian |
| Backdoor ML Model (AML.T0018) | Persistence | Covered | Detects architectural backdoors in model files. | https://protectai.com/guardian |
| LLM Prompt Injection (AML.T0051) | Initial Access / Execution | Partial | Recon red teaming and Layer runtime address injection. | https://protectai.com/guardian |
| LLM Data Leakage (AML.T0057) | Exfiltration | Partial | Layer runtime monitors for sensitive data exposure. | https://protectai.com/guardian |
| Poison Training Data (AML.T0020) | Resource Development | Partial | Model scanning can flag poisoning triggers in artifacts. | https://protectai.com/guardian |
| Craft Adversarial Data (AML.T0043) | ML Attack Staging | Partial | Recon automated red teaming simulates adversarial inputs. | https://protectai.com/guardian |
Is Protect AI independent, and how is it funded?
Protect AI was acquired by Palo Alto Networks for $700M total consideration (cash + replacement equity awards) (2025-04-28; completed 2025-07-22) and now operates as a brand of Palo Alto Networks. Packaging, pricing, and support can shift under new ownership, so confirm current terms with Palo Alto Networks before you buy.
Protect AI alternatives
The closest alternatives we track in AI-SPM / Runtime Protection are Apiiro, Cranium, HiddenLayer.
Frequently asked questions
What is Protect AI used for?
Protect AI is an AI-SPM / Runtime Protection vendor. Its flagship product is Guardian (model scanning), Recon (AI red teaming), Layer (runtime security), huntr bug bounty. It ships as SaaS + self-hosted; API/gateway and CI scanning, and it's built for securing the ML model supply chain, scanning third-party/Hugging Face models, and MLSecOps in the build pipeline.
Is Protect AI independent or acquired?
Protect AI was acquired by Palo Alto Networks and now operates as a subsidiary, as of 2026-07-13.
How many OWASP LLM Top 10 risks does Protect AI cover?
We score Protect AI as Covered on 2 of the ten OWASP LLM Top 10 (2025) risks, with 4 more Partial, as of 2026-07-13. The table on this page breaks down every risk, including the ones marked Not covered or Unverified.
How is Protect AI deployed?
Protect AI ships as SaaS + self-hosted; API/gateway and CI scanning.
What are the best alternatives to Protect AI?
The closest AI-SPM / Runtime Protection alternatives llmthreat tracks are Apiiro, Cranium, HiddenLayer.