WrapSec
WrapSecAI Security Gateway

Prevent unsafe prompts
from reaching your LLM

Protect your application from prompt injection, data leakage, and unsafe outputs - before they happen.

For teams building AI-powered applications in production that need enforcement, not just monitoring.

WrapSec is an AI security gateway - multi-layer threat detection, real-time policy enforcement, and a full audit trail. Deploys on your own infrastructure in minutes.

Request flow
Your Applicationorigin
inspect -> ALLOW / BLOCK / SANITIZE
WrapSecWrapSec Gateway
enforced
proxied via HTTPS - inspect output
LLM Providerproxied
ALLOWBLOCKSANITIZE
The problem

Without an enforcement layer

Most AI applications ship features without a dedicated security layer between user input and the model. The consequences are predictable.

Models get manipulated
Without enforcement, a crafted prompt can override your system instructions, change model behaviour, or extract data your application never intended to expose.
Sensitive data leaks
PII entered by users - or retrieved through RAG pipelines - can pass through to LLM providers or appear in responses without detection or redaction.
Outputs cannot be trusted
Without output inspection, your application passes LLM responses directly to users. There is no enforcement point between the model and your customers.

This is not a detection problem - it is an enforcement problem.

~5ms
Detection latency
Rule + ML Tier 1. Transformer optional (~20-50ms), LLM analysis optional.
22
PII entity types
Enforced on input and output, before reaching the model
6
Threat categories
Full AI attack surface coverage in one layer
368
Tests passing
Validated across unit, integration, security, and E2E
What it detects

Six threat categories.
One enforcement pipeline.

Each detection method catches what the others miss. Rule-based detection is fast but rigid. ML classification generalises. LLM semantic analysis catches intent that neither rules nor classifiers can codify.

Covers both known attack patterns and emerging threats beyond static rules.

Prompt Injection
Detects attempts to override system instructions through crafted user input - including indirect injections from retrieved documents and tool outputs.
Jailbreak Attempts
Multi-layer detection across rule heuristics, ML classification, and semantic LLM analysis catches novel bypass techniques that single-method approaches miss.
PII Leakage
Identifies and redacts 22 personally identifiable entity types from both input and output - SSNs, card numbers, emails, IBANs, passports, API keys, and more.
Toxic Content
Independent guardrail reading ML toxicity confidence directly - bypassing detection weight dilution so a high-confidence signal always triggers enforcement.
Data Exfiltration
Flags prompts designed to extract training data, internal context, or confidential documents surfaced through RAG pipelines or tool-augmented agents.
Malicious Intent
Catches prompts attempting to weaponise your model for fraud, social engineering, or generating harmful content at scale through your application.
How detection works

Multi-layer pipeline.
Independent guardrails.

WrapSec does not rely on a single detection method. It combines independent layers to ensure no attack passes through a single failure point.

Each layer adds a different protection mechanism. Guardrails always override the detection pipeline, and any detector failure returns an explicit error rather than a silent pass.

Guardrail-first - Guardrails run ahead of the detection pipeline with no bypass path.
Fail-safe design - Any detector failure blocks the request - never a silent pass to the LLM.
Weighted scoring - Risk score reflects agreement across all active detection layers.
Two detection modes - Fast or full mode, selectable per request.
detection pipeline
Input
PII Guard<1ms
Rule Detector~1ms
ML Pipelinetwo-tier
Tier 1 - Base Model~5ms
Tier 2 - Transformeroptional
Toxicity Guardindependent
LLM Detectorfull mode
Policy EngineALLOW / BLOCK / SANITIZE
Deployment modes

Two modes. One decision surface.

Integrate without changing your application architecture. Both modes produce the same structured decision and full audit trail.

Scan-Only- minimal integration, you forward to your LLM
Proxy Mode- full enforcement, WrapSec handles the LLM request end-to-end
POST /v1/ai/request

Scan-Only

Send a prompt to WrapSec, receive a structured decision - ALLOW, BLOCK, or SANITIZE - then forward to your own LLM. Minimal integration, zero change to your provider setup.

  • Decision + confidence score
  • Risk score per detector
  • Sanitized input on SANITIZE
  • Full trace ID for audit
Recommended
POST /v1/chat/completions

AI Interaction Firewall

OpenAI-compatible drop-in proxy. WrapSec forwards to your LLM provider with your provider key stored encrypted at rest, never returned to your app - enforcing policy on both input and output before your app sees any response.

  • Input + output enforcement
  • Provider key never exposed to app
  • Decision headers on response
  • Full proxy interaction audit
Why WrapSec instead of provider moderation or DIY filters?
Provider moderation (OpenAI, Anthropic)
  • -Post-generation - the model sees the prompt first
  • -No input enforcement, no PII redaction
  • -No audit trail you own
  • -Breaks on provider change
DIY filters / Guardrails libraries
  • -No ML-based detection out of the box
  • -No output inspection
  • -No audit logging or policy scoping
  • -Maintenance burden on your team
WrapSec
  • +Pre-enforcement - unsafe prompts never reach the model
  • +Input + output, PII + toxicity + injection
  • +Full audit trail, SIEM-ready export
  • +Works across any provider or self-hosted model
For security teams, not just developers

Full visibility. Full control.

Every request is traceable. Every decision is explainable. Designed for environments where compliance, auditability, and data residency are requirements - not afterthoughts.

Audit-ready logging
Every request logged with decision, severity, risk score, trace ID, and threat categories. CSV export endpoint included - structured for SIEM ingestion.
On-premises data control
Your prompts, responses, and audit logs are stored in your own PostgreSQL instance. No data is transmitted to external services. You own and control all audit data.
Department-level policy
Scope detection thresholds and guardrail settings per business unit independently. Finance and support can operate under separate policies.
Role-based access
ADMIN, DEVELOPER, and VIEWER roles with JWT, token versioning, session invalidation, and forced password rotation built in.
Integration

Works with every provider

OpenAI-compatible API. Point WrapSec at your existing integration and every request is protected immediately.

Drop-in compatibility - no changes required to your existing LLM integration.

OpenAI
GPT-4o, GPT-4 Turbo, GPT-3.5
Groq
Llama 3, Mixtral, Gemma
Ollama
Any self-hosted model
OpenAI-compatible
Any OpenAI-compatible API endpoint
Python SDK
Sync + async, full CLI
Node.js SDK
Native fetch, zero dependencies
FastAPI
Middleware + explicit scan
Prometheus
14 security metrics + Grafana

Start in under 5 minutes

Self-hosted. No account required. Clone the repo, run Docker Compose, and your first scan is one API call away.

View on GitHubGetting started guide