DefensiveLLM Guardrail Proxy

Defense by architecture, not by detection.

Seraph

A transparent security proxy for LLM apps. Every request and response passes through a two-tier guardrail—a NeMo Guardrails semantic allow-list (defined in Colang) up front, then a local Mistral 7B judge for the edge cases. The guardrail evaluates intent instead of executing the prompt, so there’s nothing to jailbreak past.

seraph · llm gateway GUARDING
Two-tier pipeline
Prompt in
Tier 1 · semantic allow-list BLOCK
Tier 2 · Mistral 7B judge
Upstream model
Blocked · last 24h
Prompt injection128
Jailbreak43
Data exfil12
Prompt leak7
10:41:02 [tier-1] ✗ BLOCK prompt_injection — intent 0.21 / 0.75
10:41:08 [tier-2] ✗ BLOCK jailbreak — judge conf 0.94
10:41:15 [output] ⚠ SCRUB leaked secret → [REDACTED]
10:41:21 [tier-1] ✓ ALLOW matched intent: support_lookup

Positive-security by default — everything outside the allow-list is refused.

A defense you can’t argue with.

Positive security by design

Define the intents your app is meant to serve. Everything else is rejected by default—there's no blocklist to bypass because the default answer is “no.”

Two-tier defense

A NeMo Guardrails allow-list with embeddings catches the obvious at line speed; genuine edge cases escalate to a local Mistral 7B judge (via Ollama) that rules on intent.

Immune to its own attack surface

Seraph evaluates intent instead of executing the prompt—so prompt injection against Seraph is a contradiction in terms. There's no instruction channel to hijack.

Drop-in for every provider

Point your SDK's base URL at Seraph—OpenAI, Anthropic, Azure, Ollama, vLLM. Zero changes to your prompts, tools, or business logic.

Every blocklist eventually fails.

A blocklist enumerates badness, but prompt injection has effectively infinite phrasings—you're always one clever rewrite behind. Seraph inverts the problem: it maps the small, knowable set of things your users should be able to do, and treats everything else as suspect. It also scrubs outbound responses, catching leaked secrets and sensitive data before they reach the client. It's a defense designed for the prompts you haven't seen yet.

See it block.

The Colang policy on the left is the whole allow-list—those are the only things users may ask. Click a request to send it through Seraph and watch the verdict.

seraph · sandbox GUARDING
Allowed intents · Colang
# everything not defined here is refused
define user ask_order_status
  "where is my order"
  "order status for #4821"
 
define user ask_support
  "reset my password"
  "change my email"
 
define flow
  user ask_order_status
  bot respond_order_status
Send a request — click one
POST /v1/chat/completions
[tier-1] intent 0.91 / 0.75 → ask_order_status
✓ ALLOW forwarded to upstream · 200

Three legit requests, two attacks, one output scrub — all decided by intent, not a blocklist.

Swap the base URL. Done.

seraph · setup
# run Seraph (or: docker compose up)
$ poetry install && export UPSTREAM_API_KEY=sk-...
$ SERAPH_CONFIG=config.yaml uvicorn app.main:app --port 8000
 
# point your app at it — nothing else changes
client = OpenAI(base_url="http://localhost:8000/v1")
 
one YAML file · hot-reload via /reload · streaming pass-through
PythonFastAPINeMo GuardrailsLangGraphMistral 7BColang

Put Seraph in front of your model.

Open source, self-hosted, provider-agnostic. Define your intents and deploy the proxy in minutes.