Negative security never finishes
A blocklist enumerates badness. But prompt injection has effectively infinite phrasings, so the list is never complete—you’re always one clever rewrite behind. Worse, most guardrails read the prompt as instructions to decide if it’s safe, which is the very thing attackers exploit.
Positive security by design
Seraph flips the model. You declare the intents your application is meant to serve; anything that doesn’t match is refused. There is no blocklist to bypass because the default answer is “no.”
Two tiers, one gate
- Tier 1 — semantic allow-list. A NeMo + embeddings check scores the request against allowed intents at line speed and rejects the obvious.
- Tier 2 — LLM-as-judge. Genuine edge cases escalate to a judge model that rules on intent—never treating the user’s text as commands.
Because the gate evaluates intent rather than executing the prompt, “jailbreaking Seraph” is a contradiction in terms—there’s no instruction channel to hijack.
Drop-in, zero prompt changes
Point your SDK’s base URL at Seraph and you’re protected—OpenAI, Anthropic, Azure, Ollama, vLLM. No changes to your prompts, tools, or business logic. It also scrubs outbound responses, catching leaked secrets before they reach the client.
The proxy is open source on the GitHub org—deploy it in front of any model you already run.