Compare the top AI guardrails, agent firewalls, and observability platforms. Find the right alternative for your specific use case.
Confused by the market noise? Read our comprehensive CISO guide on the emerging threats, architectural shifts, and security solutions for autonomous agents.
A focused runtime security layer protecting against prompt injection, PII leakage, and hallucinations via API. Acquired by Check Point in late 2025 (~$300M reported); Lakera Guard and Lakera Red remain live products and anchor Check Point's Center of Excellence for AI Security.
Developer-friendly CLI tool for testing, evaluating, and red teaming LLM applications.
A set of LLM safeguards designed to detect violating content across multiple use cases. Model-based guardrail.
A GenAI-first platform focused on protecting LLM interactions, offering a secured gateway, browser integrations, and specialized protection for AI agents via MCP.
Platform for evaluating, logging, and refining AI products with enterprise-grade security and scale.
Unified platform for MLSecOps, focusing on model scanning, supply chain security (AIBOM), and runtime protection (Guardian). Acquired by Palo Alto Networks in July 2025 and natively integrated into Prisma AIRS (3.0 launched March 2026 for agentic AI security).
Centralized platform enabling safe use of data and AI with strong governance and privacy controls.
Open-source observability and analytics for LLM applications, focusing on traces and evaluations.
Generative AI Red-teaming & Assessment Kit, now maintained by NVIDIA. Scans LLMs for hallucinations, data leakage, and prompt injection with a comprehensive probe library.
Wiz AI-SPM extends its agentless CNAPP to discover every AI asset via an AI-BOM, covering Bedrock, Azure OpenAI, Vertex AI, and self-hosted models. In 2025–26 it added runtime monitoring for rogue agents, prompt injection, and behavioral drift, with attack-path analysis connecting AI misconfigurations to sensitive training data via DSPM.
Secures the entire lifecycle of Generative AI, protecting employees from risky AI use and developers from insecure model integrations. Acquired by SentinelOne in September 2025 (~$250M reported) and integrated into the Singularity platform for prompt injection, data leakage, and shadow AI protection.
Leverages Zscaler's Zero Trust Exchange to provide visibility into Shadow AI, enforce data loss prevention (DLP) policies, and control access.
Robust Intelligence pioneered the AI firewall and automated model assessment. Acquired by Cisco in 2024, its technology now ships as Cisco AI Defense — runtime protection, model validation, and AI visibility integrated with the Cisco security stack.
Specializes in PII identification and redaction for text, audio, and images, often used as a pre-processing layer for LLMs.
Automated evaluation and security testing platform for Large Language Models to catch hallucinations and safety issues.
Open-source testing framework dedicated to ML models and LLMs, covering bias, performance, and security flaws.
Microsoft's cloud service for detecting harmful content, with Prompt Shields as its real-time API for blocking jailbreaks and indirect prompt injection from documents. By 2026 it also spans groundedness detection, protected-material detection, and a task-adherence API for agent tool misuse, feeding runtime signals into Microsoft Defender for AI.
Integrated AI security platform providing visibility across the AI lifecycle, from development to production, ensuring compliant and secure model usage.
Designed to protect AI agents and Model Context Protocol (MCP) workflows through automated discovery, red teaming, and guardrails.
Acquired by Snowflake, TruEra provides deep diagnostics, testing, and monitoring for ML and LLM applications to ensure quality and reliability.
Machine learning observability platform to monitor, troubleshoot, and explain model performance.
Comprehensive open-source toolkit to fortify LLM security, offering sanitization, detection, and prevention of attacks. Originally by Laiyer.ai, now maintained under Protect AI.
Google Cloud's GA service for screening LLM prompts and responses for prompt injection, jailbreaks, harmful content, malicious URLs, and sensitive data leakage. Model-agnostic (works with Gemini, OpenAI, Anthropic, Llama over REST) and integrated with Apigee, Vertex AI, Agent Gateway, and Security Command Center, with org-wide floor settings for baseline enforcement.
AWS lets teams attach six configurable safeguard policies — content filters, denied topics, word filters, PII redaction, contextual grounding, and Automated Reasoning checks — to model calls. Automated Reasoning uses formal logic to validate outputs against policies, and the standalone ApplyGuardrail API extends coverage to third-party and self-hosted models; cross-account safeguards went GA in 2026.
Snyk acquired Zurich-based Invariant Labs in June 2025, folding the research team that coined 'tool poisoning' and 'MCP rug pulls' into Snyk Labs. Invariant's mcp-scan lineage lives on in the open-source Snyk Agent Scan, detecting 15+ risks across MCP servers and agent skills, and feeds Evo by Snyk, its agentic security orchestration platform launched October 2025.
A suite including GenAI Protect, Application Protection, and Risk Scanner providing visibility and control over enterprise AI usage across browsers and apps.
An AI security layer that manages access controls, data masking, and audit logs for enterprise data connecting to LLMs.
A unified platform for monitoring, explaining, and securing ML models and LLMs, featuring a dedicated 'Trust Service' for guardrails.
Security and orchestration platform allowing enterprises to safely use public and private LLMs with rigorous policy enforcement. Acquired by F5 in September 2025 ($180M); its inference-layer guardrails are integrated into F5's Application Delivery and Security Platform.
Force-multiplies AppSec teams to design and deliver secure software, now with Agentic AI focus.
Policy-as-code platform that now includes specialized authorization for AI agents and tool calls.
Cloud-native DLP platform that detects and redacts sensitive data in GenAI prompts and SaaS applications.
Open-source text metrics toolkit for monitoring language models, detecting quality and security issues.
Multi-layered defense against prompt injection attacks using heuristics, vector DBs, and LLM analysis.
Netskope One AI Security governs enterprise GenAI use through its SSE/SASE platform: shadow AI app discovery with risk ratings, inline DLP on prompts and uploads, and user coaching. SkopeAI powers ML-based DLP with trainable classifiers, and its 2026 Cloud and Threat Report documents GenAI data policy violations doubling year-over-year.
API-based security services for AI applications, led by AI Guard (prompt injection and data-leak filtering) and AI Detection & Response for visibility into enterprise AI usage. CrowdStrike agreed to acquire Pangea for $260M in September 2025; by 2026 its technology anchors CrowdStrike's Falcon AIDR while the developer APIs continue to operate.
Meta's open-source (MIT) guardrail framework within the Purple Llama project, orchestrating layered scanners across chat and multi-step agent workflows: PromptGuard 2 (lightweight injection classifier), AlignmentCheck (chain-of-thought auditing for goal hijacking), CodeShield (static analysis of generated code), and custom regex scanners.
Unified platform for discovering shadow AI, assessing model risks (AI-SPM), and enforcing runtime protection.
Now part of Tenable, Apex Security provides visibility and risk assessment for AI models, focusing on the 'AI Exposure Graph'.
Observability and security platform for AI, offering 'LangKit' for telemetry and an AI Control Center for enforcing policy guardrails.
Observability and guardrails platform that ensures AI reliability by detecting hallucinations and enforcing policies in real-time. Acquired by Coralogix in late 2024 and offered as Coralogix AI observability.
End-to-end platform for automated security testing, runtime protection, and governance controls (Probe & Guard).
Facilitates secure application development and runtime protection, extending CNAPP to AI workloads.
Platform for evaluating, monitoring, and debugging LLM systems throughout the lifecycle.
AI-native data protection platform that provides visibility and control over sensitive data in GenAI prompts and RAG contexts.
Scans models (h5, pickle, saved_model) to determine if they contain unsafe code or malware.
Extends Cloudflare's WAF to inspect LLM prompts inline at the edge, discovering LLM endpoints and flagging prompt injection, PII in prompts, and unsafe topics that can drive WAF rules. Pairs with AI Gateway Guardrails, which run moderation models on Workers AI to flag or block prompts and responses across providers; the WAF detections are an Enterprise add-on as of 2026.
Okta secures AI agents as first-class identities: Auth for GenAI (via Auth0) provides Token Vault, async human-in-the-loop authorization, and fine-grained RAG access, while Okta for AI Agents manages agent lifecycle. Its Cross App Access (XAA) protocol extends OAuth/OIDC so identity providers govern agent-to-app connections, with 25+ adopters including Anthropic, Atlassian, and Slack.
Enterprise AI control platform combining an MCP gateway, threat detection on every request, shadow-AI discovery, and identity-aware permissions via Okta/Entra. Launched from stealth in November 2025; by mid-2026 customers include Gusto, Instacart, dbt Labs, and PagerDuty. Holds AARM Extended conformance — the highest tier in the CSA registry.
Tel Aviv-based runtime security company using eBPF sensors to watch applications, libraries, and AI workloads as they execute, proving exploitability and detecting attacks in real time. Its platform spans application detection and response, runtime vulnerability management, and Runtime AI Security for LLMs and agents. Customers include Databricks, Salesforce, and Instacart.
Founded in 2024 by professors Bo Li, Dawn Song, Sanmi Koyejo, and Carlos Guestrin, Virtue AI offers VirtueRed (continuous algorithmic red teaming, 600+ attack vectors) and VirtueGuard (real-time multimodal guardrails), plus AgentSuite for agentic systems including MCP Guard. Raised $30M in combined seed and Series A in April 2025.
IBM's family of Apache 2.0 guardrail models that judge prompts and responses of any LLM for jailbreaks, harmful content, social bias, RAG groundedness failures, and agentic risks like function-calling hallucination. The 4.x generation shipped in 2026 aligned to IBM's AI Risk Atlas; the models rank near the top of the GuardBench leaderboard and power guardrails inside watsonx.governance.
Created by ETH Zurich spin-off Invariant Labs and maintained by Snyk since its June 2025 acquisition, mcp-scan auto-discovers agent configurations (Claude, Cursor, Windsurf, Gemini CLI) and scans MCP servers, skills, and harnesses for 15+ risk categories including prompt injection, tool poisoning, tool shadowing, and toxic flows. Rebranded Snyk Agent Scan; v0.5.12 released June 2026.
Offensive-security platform automating adversarial testing for LLMs and custom agents to identify vulnerabilities before deployment.
Spun out of KPMG, Cranium focuses on AI Security Posture Management (AI-SPM) and generating AI Bill of Materials (AI BOM) for compliance.
A comprehensive platform for MLSecOps, offering model scanning (SAIF) and runtime detection (MDR) for adversarial attacks.
Specializes in securing low-code/no-code platforms and AI agents. It focuses on 'Application Lifecycle Management' for agents, preventing data leakage and broken access control in Copilots.
AI monitoring and observability platform for ML, NLP, and LLM systems. Its Shield product adds a runtime firewall that detects and blocks toxic, hallucinatory, or PII-leaking content.
Detects prompt injections and other LLM attacks. Can be used as a library or proxy.
Apache-2.0 platform from Stacklok (co-maintained with Red Hat) that runs MCP servers in isolated containers with fine-grained permissions, network controls, and encrypted secrets, managed via a desktop UI, CLI, or Kubernetes operator. By mid-2026 it is production-ready with a curated registry and a Virtual MCP gateway; Stacklok Enterprise layers on SSO and central management.
End-to-end AI security platform offering AI Firewall, Usage Control, Agentic AI Security, and Automated Red Teaming for LLMs and Computer Vision.
Enables enterprises to increase productivity via GenAI with a native platform for visibility and control.
Protects enterprises from novel threats like indirect prompt injection and data exfiltration.
Platform offering an open-source AI gateway and automated red teaming for protection.
Automated adversary emulation platform protecting commercial and custom GenAI models, powered by dark web intel.
Platform for enforcing governance, compliance, and security policies across enterprise AI usage.
Provides '3D Runtime Defense' for modern stacks, protecting AI models and APIs in real-time without requiring code instrumentation.

An open-source guard agent for AI agent runtime security, spanning personal to enterprise use. Promotes the AI-RSMS standard.
Enforces need-to-know access controls on enterprise AI assistants and copilots to stop LLM oversharing and data leakage. By 2026 it has expanded into securing AI agents and coding assistants — including MCP servers, skills, and IDE extensions — via Kirin and Shadow AI Spotlight. Founded by Sounil Yu and Gadi Evron.
AI agent trust platform spanning evaluation (Diamond), runtime defense (Dome), hardened components (Depot), and continuous improvement via reinforcement learning (Darwin), producing agent trust scores mapped to NIST AI RMF and the EU AI Act. Raised a $17M round in November 2025 and was named a Gartner Cool Vendor in agentic AI trust and security.
Automates red teaming ('haizing') of LLMs and AI applications, using search and fuzzing algorithms to surface inputs that trigger unsafe behavior, paired with calibrated Judges for evaluation and monitoring. Works with AI labs including Anthropic and AI21; closed a $12.5M seed announced December 2025.
Docker's MCP Catalog distributes 300+ verified MCP servers as signed container images with SBOMs, while the MCP Toolkit and open-source MCP Gateway run them in resource-limited, isolated containers behind a single endpoint with logging, interceptors, and secrets blocking. In May 2026 Docker extended this into Docker AI Governance for centralized agent and tool policy.
Focuses on rigorous red teaming, offering a platform to simulate attacks on AI models to uncover vulnerabilities.
Offers 'Citadel Lens' for automated red teaming and evaluation of LLM applications, focusing on reliability and fairness.
Unified AI security layer providing visibility and guardrails across the organization.
Delivers 'Ascend AI' for pentesting and 'Defend AI' for visibility and guardrails.
An open-source platform specifically designed to manage and secure Model Context Protocol (MCP) servers, providing a control plane for agent-tool interactions.
Extends security architectures to detect, analyze, and control AI use (Shadow AI and Embedded Agents) to prevent data loss and threat insertion.
Decompiles and analyzes Python pickle files to detect malicious code injection in ML models.
Enterprise MCP gateway and agent-governance platform adding OAuth/SSO, least-privilege agent identities, audit trails, and secret/PII scanning in front of MCP servers used by Claude, Cursor, and custom agents. Founded by ex-Google Brain engineers, backed by Coatue and Andrej Karpathy; customers include Coursera and Harvey AI. AARM Core conformant.
A protocol-aware reverse proxy that parses 15+ wire protocols — Postgres, MongoDB, Snowflake, SSH, Kubernetes, S3, and MCP — and enforces least-privilege policies inline at query level. In 2026 it positions as AI-native PAM, proxying agent access to data stores with PII masking and tool-call blocking. Backed by Thrive Capital and Y Combinator; AARM Core conformant.
San Francisco startup providing automated AI red teaming with post-trained attacker models, AI detection and response, runtime guardrails, and AI asset management across agents, copilots, and MCPs. Known for headline exploits like the Cursor/Supabase MCP data-leak disclosure; founded 2025 by researchers from Cohere, NVIDIA, and DeepMind; $10M seed led by Altos Ventures (April 2026).
Trains workforces against AI-powered social engineering using hyperrealistic deepfake voice, video, email, and SMS attack simulations built from OSINT, plus adaptive training and risk scoring. OpenAI's first cybersecurity investment; closed an $81M Series B led by Bain Capital Ventures in December 2025.
Focuses on the entire AI lifecycle, securing the data science supply chain, runtime pipelines, and autonomous agents.
Provides a control layer to govern, secure, and monitor the use of LLMs within the enterprise, ensuring data privacy and compliance.
Protects the behavior of AI/ML and GenAI models at build time (testing) and run time (firewall).
Delivers comprehensive AI agent security, discovering agents and enforcing runtime guardrails.
A platform that monitors agent behavior in real-time to catch blind spots and steer agents toward safer actions using 'contextual agentic security'.
Agent security and AI governance platform (formerly Javelin) that issues verified agent identities, authorizes every action inline, and maps decisions to EU AI Act, NIST AI RMF, OWASP, and MITRE ATLAS. Its DeepContext multi-turn guardrail model and 150+ runtime detectors target agentic attack patterns; ZeroID identity core is open source (SPIFFE/OIDC). AARM Core conformant.
Runtime security platform using eBPF sensors to discover and protect APIs, AI agents, LLMs, MCP servers, and vector stores without code changes or SDKs. Its 2026 platform pairs an established API security suite with AI red-teaming, an AI gateway/firewall, and MCP discovery and testing.
Provides runtime guardrails for RAG, LLMs, and AI agents, enforcing safety and privacy policies.
Scans outbound response traffic in real time for undesirable content and confidential data at layer 4.
Modern PAM solution that provides just-in-time access management for AI agents and humans.
A toolkit for adding programmable guardrails to LLM-based conversational systems.
Combines ARTEMIS, an automated red-teaming engine testing AI systems against 15M+ attack patterns in 100+ languages, with ARGUS runtime guardrails that block malicious inputs in under 100ms, plus AI asset inventory and an MCP gateway. Guardrail policies are auto-calibrated from red-team findings.
YC-backed platform that discovers, risk-scores, and governs AI coding agents and tools — Claude Code, Cursor, Copilot, MCP servers — at the endpoint, enforcing allow/deny policies on agent actions with audit logging. Its AI gateway adds real-time data-leak protection; customers include Siemens, WeWork, and Flipkart.
Builds a runtime control layer between AI agents and enterprise systems, constraining which systems and data an agent may touch under strict, predictable rules — deterministic enforcement rather than probabilistic guardrail models. The team gained attention for offensive research including compromising Notion's agent in under four hours; ~$5M seed led by Syn Ventures (2026).
A Python library for validating structures and data from Large Language Models. Excellent for ensuring JSON output.
Deterministic identity and access stack for AI agents, enabling per-task permission boxes.
The AI security market is fragmenting. Input/Output Guardrails (like Lakera) focus on sanitizing prompts.Agentic IAM (like Keycard) focuses on identity.Agent Runtime Security (like GuardionAI) unifies these by protecting the entire execution lifecycle of autonomous agents.
If you have a simple chatbot, look for Guardrails. If you are deploying autonomous agents that use tools (APIs, DBs), you need Runtime Security with strong tool authorization. For enterprise visibility without blocking, look at Observability platforms.