Negative security never finishes

A blocklist enumerates badness. But prompt injection has effectively infinite phrasings, so the list is never complete—you’re always one clever rewrite behind. Worse, most guardrails read the prompt as instructions to decide if it’s safe, which is the very thing attackers exploit.

Positive security by design

Seraph flips the model. You declare the intents your application is meant to serve; anything that doesn’t match is refused. There is no blocklist to bypass because the default answer is “no.”

Two tiers, one gate

Because the gate evaluates intent rather than executing the prompt, “jailbreaking Seraph” is a contradiction in terms—there’s no instruction channel to hijack.

Drop-in, zero prompt changes

Point your SDK’s base URL at Seraph and you’re protected—OpenAI, Anthropic, Azure, Ollama, vLLM. No changes to your prompts, tools, or business logic. It also scrubs outbound responses, catching leaked secrets before they reach the client.

The proxy is open source on the GitHub org—deploy it in front of any model you already run.