Defense by architecture, not by detection.
A transparent security proxy for LLM apps. Every request and response passes through a two-tier guardrail—a NeMo Guardrails semantic allow-list (defined in Colang) up front, then a local Mistral 7B judge for the edge cases. The guardrail evaluates intent instead of executing the prompt, so there’s nothing to jailbreak past.
Positive-security by default — everything outside the allow-list is refused.
What it does
Define the intents your app is meant to serve. Everything else is rejected by default—there's no blocklist to bypass because the default answer is “no.”
A NeMo Guardrails allow-list with embeddings catches the obvious at line speed; genuine edge cases escalate to a local Mistral 7B judge (via Ollama) that rules on intent.
Seraph evaluates intent instead of executing the prompt—so prompt injection against Seraph is a contradiction in terms. There's no instruction channel to hijack.
Point your SDK's base URL at Seraph—OpenAI, Anthropic, Azure, Ollama, vLLM. Zero changes to your prompts, tools, or business logic.
Why positive security
A blocklist enumerates badness, but prompt injection has effectively infinite phrasings—you're always one clever rewrite behind. Seraph inverts the problem: it maps the small, knowable set of things your users should be able to do, and treats everything else as suspect. It also scrubs outbound responses, catching leaked secrets and sensitive data before they reach the client. It's a defense designed for the prompts you haven't seen yet.
Sandbox
The Colang policy on the left is the whole allow-list—those are the only things users may ask. Click a request to send it through Seraph and watch the verdict.
Three legit requests, two attacks, one output scrub — all decided by intent, not a blocklist.
Integration
Open source, self-hosted, provider-agnostic. Define your intents and deploy the proxy in minutes.