llmthreat
For vendors 21 vendors · 10 tools Matrix Vendors

Protect AI is an AI-SPM / Runtime Protection vendor based in Seattle, USA. Its flagship product is Guardian (model scanning), Recon (AI red teaming), Layer (runtime security), huntr bug bounty. Against the OWASP LLM Top 10 (2025) we score it Covered on 2 of 10 risks, Partial on 4, with 6 MITRE ATLAS techniques mapped as of . It now operates under Palo Alto Networks.

2/10
Risks covered
4
Partial
6
ATLAS techniques
~$108.5M (seed + Series A + $60M Series B); some trackers list up to $129M
Funding
Acquired
Status

At a glance

Category
AI-SPM / Runtime Protection
Headquarters
Seattle, USA
Founded
2022
Employees
51-200 (approx)
Flagship product
Guardian (model scanning), Recon (AI red teaming), Layer (runtime security), huntr bug bounty
Deployment
SaaS + self-hosted; API/gateway and CI scanning
Best for
Securing the ML model supply chain, scanning third-party/Hugging Face models, and MLSecOps in the build pipeline
Funding to date
~$108.5M (seed + Series A + $60M Series B); some trackers list up to $129M
Last round
Series B ($60M) · 2024-08
Status
Acquired by Palo Alto Networks

Facts as of .

What does Protect AI do?

The MLSecOps pioneer — model scanning, red teaming, and runtime protection — now folded into Palo Alto's Prisma AIRS. It ships as SaaS + self-hosted; API/gateway and CI scanning, and it's built for securing the ML model supply chain, scanning third-party/Hugging Face models, and MLSecOps in the build pipeline. It's a weaker fit for teams wanting only a lightweight prompt/response firewall for employee ChatGPT use.

Which OWASP LLM Top 10 risks does Protect AI cover?

Protect AI's strongest verdict is LLM03Supply Chain. The two tables below come from our editorial read of Protect AI's public documentation as of (it's what the docs support, not a hands-on lab test), and this row also sits in the full matrix across all 21 vendors.

OWASP LLM Top 10 (2025) coverage — as of 2026-07-13
OWASP LLM Risk What it is Protect AI coverage How it's addressed Source
LLM01 Prompt Injection User or hidden input overrides the model's rules or intended behavior. Partial Recon red-teams apps for prompt injection; Layer provides runtime detection. https://protectai.com/guardian
LLM02 Sensitive Information Disclosure The model leaks secrets, personal data, or proprietary content in its output. Partial Layer runtime security monitors GenAI apps for data leakage. https://protectai.com/guardian
LLM03 Supply Chain Compromised models, datasets, plugins, or dependencies add risk before runtime. Covered Guardian scans 35+ model formats and 1.5M+ Hugging Face models; huntr AI/ML bug bounty. https://protectai.com/guardian
LLM04 Data and Model Poisoning Tampered training or fine-tuning data corrupts how the model behaves. Covered Guardian detects deserialization attacks, architectural backdoors, and malicious model payloads. https://protectai.com/guardian
LLM05 Improper Output Handling Downstream systems trust model output without checking it, enabling injection or code execution. Partial Recon red teaming surfaces unsafe output handling in LLM apps. https://protectai.com/guardian
LLM06 Excessive Agency An agent holds more permissions, tools, or autonomy than the task needs. Unverified No clear public documentation of agent/excessive-agency controls at time of research. None found
LLM07 System Prompt Leakage The system prompt or the secrets inside it get exposed to users. Partial Recon tests for system prompt/extraction weaknesses. https://protectai.com/guardian
LLM08 Vector and Embedding Weaknesses Flaws in RAG stores let attackers poison, extract, or infer data. Unverified No explicit vector/embedding weakness coverage found in public docs. None found
LLM09 Misinformation The model produces false or fabricated content that users act on. Unverified No explicit misinformation/factuality control found in public docs. None found
LLM10 Unbounded Consumption Uncontrolled requests drive cost, denial of service, or model extraction. Unverified No explicit unbounded-consumption/rate-limit control found in public docs. None found
MITRE ATLAS coverage — as of 2026-07-13
ATLAS Technique (ID) Tactic Protect AI coverage Notes Source
ML Supply Chain Compromise (AML.T0010) Initial Access / Resource Development Covered Guardian scans models from Hugging Face, MLflow, S3, SageMaker for malicious artifacts. https://protectai.com/guardian
Backdoor ML Model (AML.T0018) Persistence Covered Detects architectural backdoors in model files. https://protectai.com/guardian
LLM Prompt Injection (AML.T0051) Initial Access / Execution Partial Recon red teaming and Layer runtime address injection. https://protectai.com/guardian
LLM Data Leakage (AML.T0057) Exfiltration Partial Layer runtime monitors for sensitive data exposure. https://protectai.com/guardian
Poison Training Data (AML.T0020) Resource Development Partial Model scanning can flag poisoning triggers in artifacts. https://protectai.com/guardian
Craft Adversarial Data (AML.T0043) ML Attack Staging Partial Recon automated red teaming simulates adversarial inputs. https://protectai.com/guardian

Is Protect AI independent, and how is it funded?

Protect AI was acquired by Palo Alto Networks for $700M total consideration (cash + replacement equity awards) (2025-04-28; completed 2025-07-22) and now operates as a brand of Palo Alto Networks. Packaging, pricing, and support can shift under new ownership, so confirm current terms with Palo Alto Networks before you buy.

Protect AI alternatives

The closest alternatives we track in AI-SPM / Runtime Protection are Apiiro, Cranium, HiddenLayer.

Frequently asked questions

What is Protect AI used for?

Protect AI is an AI-SPM / Runtime Protection vendor. Its flagship product is Guardian (model scanning), Recon (AI red teaming), Layer (runtime security), huntr bug bounty. It ships as SaaS + self-hosted; API/gateway and CI scanning, and it's built for securing the ML model supply chain, scanning third-party/Hugging Face models, and MLSecOps in the build pipeline.

Is Protect AI independent or acquired?

Protect AI was acquired by Palo Alto Networks and now operates as a subsidiary, as of 2026-07-13.

How many OWASP LLM Top 10 risks does Protect AI cover?

We score Protect AI as Covered on 2 of the ten OWASP LLM Top 10 (2025) risks, with 4 more Partial, as of 2026-07-13. The table on this page breaks down every risk, including the ones marked Not covered or Unverified.

How is Protect AI deployed?

Protect AI ships as SaaS + self-hosted; API/gateway and CI scanning.

What are the best alternatives to Protect AI?

The closest AI-SPM / Runtime Protection alternatives llmthreat tracks are Apiiro, Cranium, HiddenLayer.

Last verified . Sources: https://www.paloaltonetworks.com/company/press/2025/palo-alto-networks-announces-intent-to-acquire-protect-ai--a-game-changing-security-for-ai-company, https://www.prnewswire.com/news-releases/palo-alto-networks-completes-acquisition-of-protect-ai-302510757.html, https://www.businesswire.com/news/home/20240801066345/en/Protect-AI-Raises-$60M-in-Series-B-Financing-to-Secure-Artificial-Intelligence-and-Machine-Learning-from-Unique-Security-Risks, https://protectai.com/guardian, https://www.geekwire.com/2025/palo-alto-networks-to-acquire-seattle-cybersecurity-startup-protect-ai/. Funding and repo figures are third-party and go stale. Re-verify before you rely on them.
Informational, not professional security advice — verify Protect AI's claims and threat coverage against the official OWASP and MITRE sources and the vendor directly before making a purchasing or security decision. OWASP, MITRE, and the listed vendors and maintainers do not endorse llmthreat.com.