VCAL Security Guard
A self-hosted security layer for AI Cost Firewall and enterprise LLM deployments. Inspect AI requests for prompt injection, abuse patterns, suspicious activity, and policy violations before they reach the model provider.
Built for teams that need self-hosted deployment, AI threat controls, and observability around LLM traffic.
Detect risky AI traffic
Identify prompt injection attempts, data exfiltration patterns, unsafe instructions, suspicious automation, and custom policy-defined risks before model execution.
Allow, warn, or block
Apply deployment-specific security policies to decide whether a request should pass through, be flagged for review, or be blocked before reaching the LLM.
Measure and investigate
Export security counters, guard decisions, findings, and latency metrics so teams can understand AI traffic behavior during pilots and production rollout.
A security control point for LLM traffic
VCAL Security Guard can be orchestrated by AI Cost Firewall or integrated as a separate service. It inspects selected message content, applies the configured security policy, and returns a decision that AI Cost Firewall can use before forwarding the request downstream.
Request flow: user prompt or agent step -> AI Cost Firewall (orchestrates guard calls and upstream requests) -> VCAL Security Guard (inspects, scores, flags, and blocks)
Choose the security behavior per deployment
Pilot deployments can start with visibility-only detection and then move toward warnings, blocking, and stricter enforcement as security policies mature.
Detect only
Find risky prompts and expose metrics without blocking or changing request flow.
Warn
Flag risky requests and return structured findings while still allowing controlled pass-through.
Block
Stop high-risk requests before they reach the LLM provider or local model endpoint.
Audit
Record security decisions and findings for review, dashboards, and future compliance workflows.
Self-hosted and designed for enterprise security pilots
VCAL Security Guard is designed to run inside your own environment, close to AI Cost Firewall and the applications that generate LLM traffic. It exposes HTTP APIs for request inspection and guard decisions, plus health and metrics endpoints for operational visibility.
Pilot deployment includes
- Self-hosted service deployment
- AI Cost Firewall integration path
- API-key based service authentication
- Prometheus-compatible metrics
- Fail-open or fail-closed policy options
- Security findings and action counters
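One way a gateway such as AI Cost Firewall could combine a guard verdict with the per-deployment mode (detect only, warn, block) and the fail-open or fail-closed setting, keeping audit records and action counters along the way. This is an added example, not VCAL's code; the `GuardResult` fields, the risk thresholds, and the counter names are assumptions.

```python
"""Gateway-side decision step for a Security Guard verdict (added example, not VCAL's code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Mode(str, Enum):
    DETECT = "detect"   # visibility only: never changes request flow
    WARN = "warn"       # pass through, but return structured findings
    BLOCK = "block"     # stop high-risk requests before the model provider


@dataclass
class GuardResult:
    findings: List[str]   # e.g. ["prompt_injection"]; names are assumed
    risk_score: float     # assumed 0.0 .. 1.0 scale produced by the guard


@dataclass
class Decision:
    action: str           # "allow" | "warn" | "block"
    findings: List[str] = field(default_factory=list)
    reason: str = ""


BLOCK_THRESHOLD = 0.8   # assumed policy values
WARN_THRESHOLD = 0.4

counters = {"allow": 0, "warn": 0, "block": 0, "guard_error": 0}  # exported as metrics
audit_log: List[Decision] = []                                    # audit mode record


def decide(result: Optional[GuardResult], mode: Mode, fail_closed: bool) -> Decision:
    """Map a guard result (None when the guard call failed or timed out) to an action."""
    if result is None:
        counters["guard_error"] += 1
        # Guard unavailable: fail-closed blocks, fail-open forwards the request unflagged.
        decision = (Decision("block", reason="guard unavailable (fail-closed)") if fail_closed
                    else Decision("allow", reason="guard unavailable (fail-open)"))
    elif result.risk_score >= BLOCK_THRESHOLD and mode is Mode.BLOCK:
        decision = Decision("block", list(result.findings), f"score={result.risk_score:.2f}")
    elif result.risk_score >= WARN_THRESHOLD and mode is not Mode.DETECT:
        decision = Decision("warn", list(result.findings), f"score={result.risk_score:.2f}")
    else:
        # Detect-only mode still surfaces findings, it just never alters the flow.
        decision = Decision("allow", list(result.findings), f"mode={mode.value}")
    counters[decision.action] += 1
    audit_log.append(decision)
    return decision
```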
Where Security Guard helps
RAG prompt-injection defense
Detect attempts to override instructions, extract hidden context, or manipulate retrieval-augmented workflows.
Agentic workflow control
Add a guardrail before repeated tool calls, routing steps, summarization tasks, and autonomous actions.
Credential and secret abuse
Flag requests that try to expose API keys, bearer tokens, private prompts, or privileged internal context.
Security operations
Inspect AI-assisted incident analysis, log interpretation, and investigation prompts for risky or suspicious behavior.
Enterprise AI gateways
Add request-layer security enforcement to shared internal AI endpoints used by multiple teams and applications.
Enterprise pilots
Start with a narrow security policy and expand toward broader privacy, audit, and compliance controls over time.
First step toward a broader security and governance layer
VCAL Security Guard is part of the broader VCAL enterprise guard direction. It complements VCAL Privacy Guard, audit/export capabilities, and future compliance packages for customers that need a self-hosted control plane around enterprise LLM traffic.
FAQ
Is VCAL Security Guard available now?
It is available for enterprise pilots. General public self-serve access is not the primary distribution model at this stage.
Does it send data to VCAL?
No. The intended deployment model is self-hosted inside your own environment, close to AI Cost Firewall and your application traffic.
Can it work without AI Cost Firewall?
It can expose inspection and decision APIs as a separate service, but the recommended enterprise path is orchestration through AI Cost Firewall.
Is this a traditional WAF?
No. Security Guard is focused on LLM request and prompt-layer risks. It should complement, not replace, existing application, network, and identity controls.
Interested in a Security Guard pilot?
Contact VCAL to discuss deployment scope, security policies, AI Cost Firewall integration, security review, pilot metrics, or enterprise packaging.