Flexible Deployment For AI Risk Containment
Deploy in minutes. Scale at your pace. No forced inline blocking.
Deployment Options: Three Levels, One Security Standard
Level 1 — Presence Detection
Are AI systems being used on my network?
IDEAL FOR
Executive visibility, compliance discovery, security assessments, early pilots, highly regulated environments.
AT LEVEL 1
- Detects AI usage based on: DNS queries , TLS metadata (SNI, fingerprints) and Network flow characteristics.
- No decryption.
- No traffic modification.
- No impact on users or applications.
Deployment Models
Plug-and-play deployment with zero downtime, requiring no routing changes, certificates, or client configuration.
Option 1: On-prem
- Connect PromptShield™ to your main switch.
- Enable port mirroring (SPAN) on WAN or egress port.
- PromptShield passively observes traffic.
Option 2: Cloud (AWS / Azure / GCP)
- Deploy as: VM image or Container.
- Attach to: VPC traffic mirror, Gateway mirror or load balancer mirror (cloud-specific).
- Identical passive behavior.
Level 2 — Full Detection
Understand how AI systems are being used and how risky that usage is.
IDEAL FOR
AI governance, legal and compliance review, risk analysis, and teams building confidence before enforcement.
AT LEVEL 2
- PromptShield™ inspects: Prompts, Responses.
- And performs: Tokenization, Labeling, Risk scoring.
- Only risk metadata is sent to cloud analytics.
- Traffic is still not blocked.
Deployment Models
Requires limited routing changes for AI traffic using rule-based forwarding, policy-based routing, or DNS-based
AI domain steering without client-side changes required.
Option 1: Firewall On A Stick
- Ingress and egress VLANs
- PromptShield™ attached to firewall
- Only AI domains routed to PromptShield™
Option 2: Two-Wire Inline > AI-Only
- Separate ingress / egress interfaces
- AI traffic routed through device
- Non-AI traffic bypasses entirely
Option 3: Cloud > AWS / Azure / GCP
- VM or container
- Gateway routing rules steer AI domains
- Works with: AWS Transit Gateway, Azure Route Tables and GCP VPC rout
Level 3 — Inline Blocking (Transparent AI Firewall)
Actively prevent dangerous AI usage in real time.
IDEAL FOR
Mature security programs, regulated industries, and high-risk AI usage in production.
AT LEVEL 3
- PromptShield™ becomes a fully inline, transparent AI WAF that:
- Blocks malicious prompts.
- Rewrites unsafe responses.
- Enforces policy decisions in-path.
Deployment Models
Extends Level 2 routing with inline AI enforcement; high availability recommended per standard WAF architectures.
Option 1: Enterprise On-prem
- Rack-mounted hardware
- High-throughput NICs (10–100+ Gbps)
- Copper or fiber
- HA pairs supported
Option 2: Cloud
- High-performance VM
- Multi-AZ deployment
- Load-balanced inline path
- Cloud-native HA
Which Deployment Model Is Right For You?
Not every organization or AI use case needs the same level of enforcement on day one.
A short AI risk assessment can help determine: your current AI exposure, regulatory and compliance pressure.
Frequently Asked Questions
Does PromptShield™ Require Decrypting Traffic?
No. Level 1 requires no decryption. Levels 2 and 3 inspect AI content only when traffic is explicitly routed for inspection.
Will This Slow AI Responses?
No. Levels 1 and 2 introduce no blocking. Level 3 is designed for low-latency inline enforcement.
Can We Deploy Incrementally?
Yes. Most customers progress from Level 1 → Level 2 → Level 3 over time.
What Happens If PromptShield™ Fails?
Levels 1 and 2 cannot cause outages. Level 3 follows standard WAF redundancy patterns.
Does This Replace Our Existing WAF?
No. PromptShield™ complements existing security by focusing specifically on AI interactions.