Vijil is an Agentic AI Security vendor based in Menlo Park, California, USA. Its flagship product is Vijil (Diamond red teaming, Dome runtime guardrails, Depot hardened LLMs, Darwin RL improvement). Against the OWASP LLM Top 10 (2025) we score it Covered on 5 of 10 risks, Partial on 4, with 6 MITRE ATLAS techniques mapped as of . It's independent.
- 5/10
- Risks covered
- 4
- Partial
- 6
- ATLAS techniques
- $23M
- Funding
- Active
- Status
At a glance
- Category
- Agentic AI Security
- Headquarters
- Menlo Park, California, USA
- Founded
- 2023
- Employees
- 11-50
- Flagship product
- Vijil (Diamond red teaming, Dome runtime guardrails, Depot hardened LLMs, Darwin RL improvement)
- Deployment
- SaaS and on-premise; agents run in confidential-computing/trusted execution environment
- Best for
- Teams building and operating AI agents that need context-specific red teaming plus low-latency runtime guardrails and hardened base models across the agent stack (LLM, tools, MCP, delegated agents)
- Funding to date
- $23M
- Last round
- $17M · 2025-11
- Status
- Active
Facts as of .
What does Vijil do?
Focused on making agents provably trustworthy: red teaming, runtime guardrails, and hardened models rolled into a trust score. It ships as SaaS and on-premise; agents run in confidential-computing/trusted execution environment, and it's built for teams building and operating AI agents that need context-specific red teaming plus low-latency runtime guardrails and hardened base models across the agent stack (LLM, tools, MCP, delegated agents). It's a weaker fit for buyers seeking broad AI governance/GRC, model inventory across an enterprise estate, or pure compliance mapping.
Which OWASP LLM Top 10 risks does Vijil cover?
Vijil's strongest verdict is LLM01Prompt Injection. The two tables below come from our editorial read of Vijil's public documentation as of (it's what the docs support, not a hands-on lab test), and this row also sits in the full matrix across all 21 vendors.
| OWASP LLM Risk | What it is | Vijil coverage | How it's addressed | Source |
|---|---|---|---|---|
| LLM01 Prompt Injection | User or hidden input overrides the model's rules or intended behavior. | Covered | Diamond tests prompt-injection resistance; Dome blocks injections at runtime. | https://vijil.ai/ |
| LLM02 Sensitive Information Disclosure | The model leaks secrets, personal data, or proprietary content in its output. | Covered | Tests privacy violations and data leakage; Dome runtime defense. | https://vijil.ai/ |
| LLM03 Supply Chain | Compromised models, datasets, plugins, or dependencies add risk before runtime. | Partial | Depot provides hardened LLMs, reducing base-model provenance risk; broader supply-chain scanning not detailed. | https://vijil.ai/ |
| LLM04 Data and Model Poisoning | Tampered training or fine-tuning data corrupts how the model behaves. | Partial | Adversarial-robustness testing; not a dedicated training-data poisoning tool. | https://vijil.ai/ |
| LLM05 Improper Output Handling | Downstream systems trust model output without checking it, enabling injection or code execution. | Partial | Dome filters harmful/toxic responses at output. | https://vijil.ai/ |
| LLM06 Excessive Agency | An agent holds more permissions, tools, or autonomy than the task needs. | Covered | Tests entire agent system (LLM, tools, MCP gateway, delegated agents) and policy violations. | https://vijil.ai/ |
| LLM07 System Prompt Leakage | The system prompt or the secrets inside it get exposed to users. | Partial | Data-leakage testing includes prompt/context-extraction paths. | https://vijil.ai/ |
| LLM08 Vector and Embedding Weaknesses | Flaws in RAG stores let attackers poison, extract, or infer data. | Not covered | Embeddings are used only as one of Dome's internal detection layers (pattern matching + ML classifiers + embeddings + LLM-as-jury); no capability is documented for securing customer vector stores/RAG pipelines. | https://vijil.ai/platform |
| LLM09 Misinformation | The model produces false or fabricated content that users act on. | Covered | Hallucination detection is a stated evaluation dimension. | https://vijil.ai/ |
| LLM10 Unbounded Consumption | Uncontrolled requests drive cost, denial of service, or model extraction. | Covered | Vijil Dome's documented policy domains explicitly list 'Input Sanitization: Prompt classification, rate limiting, and DoS filtering.' | https://vijil.ai/blog/vijil-dome-securing-the-future-of-ai-agents |
| ATLAS Technique (ID) | Tactic | Vijil coverage | Notes | Source |
|---|---|---|---|---|
| LLM Prompt Injection (AML.T0051) | Initial Access / Execution | Covered | Tested by Diamond and blocked by Dome. | https://vijil.ai/ |
| LLM Jailbreak (AML.T0054) | Defense Evasion | Covered | Jailbreak prevention tested and enforced. | https://vijil.ai/ |
| LLM Data Leakage (AML.T0057) | Exfiltration | Covered | Privacy and data-leakage testing. | https://vijil.ai/ |
| Craft Adversarial Data (AML.T0043) | ML Attack Staging | Covered | Custom, context-specific adversarial test generation. | https://vijil.ai/ |
| LLM Plugin Compromise (AML.T0053) | Execution | Covered | Tests tools, MCP gateway and delegated agents. | https://vijil.ai/ |
| Discover LLM Hallucinations (AML.T0062) | Discovery | Covered | Hallucination detection dimension. | https://vijil.ai/ |
Is Vijil independent, and how is it funded?
Vijil is an independent company as of . It has raised $23M to date, most recently a $17M dated 2025-11. Lead investors: Brightmind Partners.
Vijil alternatives
The closest alternatives we track in Agentic AI Security are Akto, Straiker. On the open-source side, Agentic Security covers similar ground.
Frequently asked questions
What is Vijil used for?
Vijil is an Agentic AI Security vendor. Its flagship product is Vijil (Diamond red teaming, Dome runtime guardrails, Depot hardened LLMs, Darwin RL improvement). It ships as SaaS and on-premise; agents run in confidential-computing/trusted execution environment, and it's built for teams building and operating AI agents that need context-specific red teaming plus low-latency runtime guardrails and hardened base models across the agent stack (LLM, tools, MCP, delegated agents).
Is Vijil independent or acquired?
Vijil is an independent company as of 2026-07-13 and has not been acquired.
How many OWASP LLM Top 10 risks does Vijil cover?
We score Vijil as Covered on 5 of the ten OWASP LLM Top 10 (2025) risks, with 4 more Partial, as of 2026-07-13. The table on this page breaks down every risk, including the ones marked Not covered or Unverified.
How is Vijil deployed?
Vijil ships as SaaS and on-premise; agents run in confidential-computing/trusted execution environment.
What are the best alternatives to Vijil?
The closest Agentic AI Security alternatives llmthreat tracks are Akto, Straiker. On the open-source side, Agentic Security covers similar ground.