Lakera Guard

What is Lakera Guard?

Lakera Guard is a runtime security API for generative AI applications. We researched it as a tool built for a problem most teams discover late, after the chatbot is live, the agent has tool access, and somebody starts trying to break it. Instead of helping you build an LLM app, Lakera Guard sits in front of and around that app, screening prompts and responses for prompt injection, jailbreaks, sensitive data leakage, unsafe content, and malicious links. The pitch is simple, one API call, model-agnostic coverage, and latency low enough for production systems, with Lakera claiming sub-50ms on many requests and support across 100+ languages.

Lakera itself was founded in 2021 in Zurich, with roots in AI security research and a team that has included people from Google, Meta, and aerospace backgrounds. The company became well known through Gandalf, its public prompt-injection game, which doubled as a giant source of attack data and security education. That research pipeline feeds Lakera Guard, which Lakera says is trained on a threat database with more than 30 million attack data points and roughly 100,000 new entries per day.

This is a tool for teams already serious about shipping AI into the real world. Lakera Guard is used by Fortune 500 companies and has named backing and customer ties that include Dropbox. In 2025, Check Point acquired Lakera for a reported $300 million, which changed the story a bit. Lakera Guard is no longer just a promising specialist startup product, it is now part of a larger cybersecurity company with enterprise distribution, compliance expectations, and a longer runway than many standalone AI security vendors.

Key Features

• Prompt Injection Detection: Lakera Guard is best known for detecting direct and indirect prompt injection attempts, including jailbreaks and obfuscated attacks. This matters because most real AI failures do not come from model quality, they come from someone convincing the model to ignore instructions or trust poisoned content. Lakera claims 98%+ accuracy in its own materials, though independent benchmarks show more mixed results depending on the test set.

• Data Leakage Prevention: The platform scans inputs and outputs for sensitive material such as PII, API keys, secrets, and payment data. For teams building internal copilots or customer-facing assistants, this is often the first control legal and security teams ask for. Lakera also supports custom detectors with regex, so companies can add their own patterns for internal IDs or proprietary terms.

• Content Moderation: Lakera Guard can flag categories like violence, hate, sexual content, profanity, criminal activity, and weapons. The practical value here is not abstract safety language, it is policy enforcement in production, especially for education, support, and consumer apps where moderation mistakes become trust issues fast.

• Malicious Link Detection: The API can inspect links in model outputs and flag suspicious destinations. That matters for assistants that summarize web content, answer with citations, or generate messages for end users. A model does not need to be hacked to become risky, it only needs to repeat a bad URL.

• Low-Latency Runtime Screening: Lakera positions Guard as a real-time control, not just a testing tool. The company says many requests complete in under 50ms, with typical production performance low enough for chat and agent workflows. If a guardrail adds too much delay, most teams turn it off, so speed is part of the product, not a nice extra.

• Model-Agnostic Coverage: Lakera Guard works with any LLM, including OpenAI, Anthropic, Meta, and self-hosted models. This matters for buyers because security tooling tied to one model vendor ages badly. Teams switching models or running multiple models do not want to rebuild their safety layer each time.

• 100+ Language Support: Lakera says the platform supports more than 100 languages and can detect cross-language attacks. That is important for global products because prompt injection is not an English-only problem. A safety stack that works in one language but fails in another creates blind spots exactly where many companies have the least internal review capacity.

• Configurable Policies and Sensitivity Levels: Teams can tune policies from more lenient to more paranoid settings, depending on whether they care more about reducing false positives or catching every suspicious case. In practice, this is one of the more useful features for production rollouts. A support bot and a healthcare assistant should not have the same tolerance for risk.

• SaaS and Self-Hosted Deployment: Lakera Guard is available as a hosted API or as a self-hosted container for enterprises. This matters less to hobby developers and a lot to regulated teams. If your legal team is already nervous about customer data flowing through AI systems, deployment flexibility can decide the deal.

• MCP and Agent Workflow Protection: Lakera has expanded Guard to support Model Context Protocol scenarios and more agent-style workflows. That is increasingly relevant because the biggest AI security concerns now involve tools, connectors, and retrieved content, not just a user typing “ignore previous instructions.”

Use Cases

One of the clearest patterns in our research is that Lakera Guard shows up where AI systems have moved past demos and into environments with real consequences. Fortune 500 companies use it to protect production GenAI systems, especially where employees or customers can interact freely with a model and where the model may have access to internal context. In those settings, the fear is not only toxic output. It is prompt injection, secret leakage, and the possibility that a system with tool access can be manipulated into doing something it should never do.

Lakera has also pointed to an EdTech deployment where a Fortune 500 company secured more than 20 GenAI applications used to serve educational content to children. That is a good example of where runtime security becomes operational, not theoretical. In a child-facing environment, teams need moderation, privacy protection, and clear policy enforcement at the same time. A single missed output can become a PR issue, a trust issue, and a compliance issue all at once.

Dropbox appears in Lakera’s orbit both as an investor and as part of the company’s enterprise credibility story. While public implementation details are limited, that association matters because it signals the kind of buyer Lakera has been built for, large product organizations that need a security layer they can add without rebuilding their application stack. Lakera’s broader customer story is less about flashy public case studies and more about being the runtime layer that security-conscious teams put in place before wider rollout.

There is also a strong use case around agent security. Lakera’s own materials repeatedly focus on systems that browse the web, retrieve documents, and call tools. In those products, the attack often arrives indirectly, through a poisoned webpage, a malicious document chunk in RAG, or compromised tool metadata. Lakera Guard is being used as a checkpoint at each stage, user input, retrieved context, tool output, and final response, to stop the model from treating untrusted text as instructions.

Strengths and Weaknesses

Strengths:

• Lakera Guard is unusually easy to explain and easy to integrate. Teams do not need to adopt a whole new framework or switch model providers. In the best case, it is one API call added to an existing flow, which is a big reason security teams can get product teams to actually ship it instead of debating it for a quarter.

• The product is focused on the problem buyers actually feel. A lot of AI safety tooling still sounds like research. Lakera Guard sounds like incident prevention. Prompt injection, data leakage, and unsafe outputs are concrete enough that security, legal, and engineering can all agree they matter.

• The company has a real research story behind it. Gandalf was not just a marketing experiment, it became a large-scale source of adversarial attack data. That gives Lakera more credibility than vendors whose threat intelligence story is vague or entirely internal.

• Deployment flexibility is stronger than many newer competitors. SaaS works for teams that want speed, and self-hosted matters for enterprises with data residency or compliance requirements. Community users get a free path in, while enterprise buyers can negotiate for the controls they need.

• The Check Point acquisition changes the risk profile in Lakera’s favor. Before that, buyers had to ask the usual startup questions about longevity and support. Now the concern is less “will this company survive?” and more “how will the product evolve inside a larger security platform?”

Weaknesses:

• Independent benchmark results are not always as flattering as Lakera’s own positioning. In some third-party tests, Lakera Guard trails top competitors on moderation and adversarial jailbreak benchmarks, and false positive rates can be high in difficult scenarios. So while the product is strong, buyers should not assume the marketing claim of 98%+ accuracy tells the whole story.

• Pricing is not transparent once you move past the free tier. That is normal for enterprise security software, but it creates friction for startups and mid-market teams trying to forecast cost. If your app traffic grows quickly, a usage-based security layer can become a meaningful budget line.

• Public customer stories are thinner than some visitors may want. We found references to Fortune 500 use, Dropbox, and an EdTech deployment with 20+ applications, but fewer detailed case studies with hard before-and-after metrics than some competing vendors publish.

• Lakera Guard is strongest as a runtime control, not a full AI governance platform. If a team wants broad model evaluation, policy management, observability, and lifecycle governance in one place, they may still need other tools around it. Lakera has related products like Lakera Red, but Guard itself is a focused layer.

Pricing

• Community: $0 Free, no credit card required, with up to 10,000 requests per month and prompts up to 8,000 tokens. For most developers, this is enough to test a chatbot, secure a prototype, or run a meaningful proof of concept before talking to sales.

• Enterprise: Custom Custom pricing for production use, with configurable request volume, larger context sizes up to 1MB, SaaS or self-hosted deployment, SSO, RBAC, SIEM integration, and data residency options beyond the default EU setup.

The free tier is better than many enterprise security products because it is large enough to actually learn the product. You can test real traffic patterns instead of a toy demo. The catch is what happens after that. Lakera does not publish enterprise rates, so teams need a sales cycle to understand what production will cost.

Hidden costs are mostly operational rather than technical. If you run Guard on every turn of a chat or at multiple steps in an agent loop, request volume rises quickly. That is not unique to Lakera, but it matters when comparing it to open-source alternatives like LLM Guard or NeMo Guardrails, where infrastructure cost replaces vendor cost.

Alternatives

Protect AI LLM Guard is one of the closest alternatives if you want an open-source route. It gives teams scanners for inputs and outputs and more control over how things are deployed. Some companies choose it because they want to avoid per-request vendor pricing or keep everything in-house. The tradeoff is that your team now owns more tuning, hosting, and maintenance work. Lakera wins on convenience and managed threat intelligence, LLM Guard wins on control and cost structure.

NVIDIA NeMo Guardrails serves teams that want programmable control over conversational behavior. It is less of a turnkey security API and more of a toolkit for defining how assistants should behave. That makes it attractive to engineering-heavy teams that want to encode specific rules and flows. Lakera is easier to drop into an existing app, while NeMo can be better if you want to shape the whole interaction layer.

Meta Llama Guard is a natural option for teams already deep in the Llama ecosystem and comfortable deploying model-based guardrails themselves. It can be a good fit for companies that prefer open weights and local inference. Lakera has the advantage if your stack is mixed, your team wants a vendor-managed service, or you care about broad language support and enterprise deployment flexibility.

Promptfoo is not a direct replacement, but it comes up often because many teams use it to test and red-team LLM apps. Promptfoo helps you find weaknesses before launch. Lakera Guard helps catch attacks at runtime after launch. For many serious teams, the real comparison is not either-or. It is whether you are willing to do both.

HiddenLayer and similar AI security vendors appeal to buyers looking for broader AI security coverage across the model lifecycle. They can be a better fit if your main concern is supply chain security, model risk management, or organizational governance. Lakera Guard is narrower and more practical. It is built for the moment a real prompt hits a real production system.

FAQ

What does Lakera Guard actually do?

It screens LLM inputs and outputs in real time for prompt injection, data leakage, unsafe content, and malicious links. Think of it as a runtime checkpoint between your app and the model.

How do I get started?

Start with the free Community plan, create an API key, and test requests through Lakera’s API or playground. Most teams begin in monitoring mode before they block anything.

How long does it take to set up?

For a simple chatbot or assistant, setup can take hours, not weeks. More complex agent systems take longer because teams usually decide where to place checks across multiple steps.

Does Lakera Guard work with OpenAI, Anthropic, and other models?

Yes. Lakera positions Guard as model-agnostic, so it can sit in front of different LLM providers and self-hosted models.

Is there a free plan?

Yes. The Community tier is free and includes 10,000 requests per month with prompts up to 8,000 tokens.

Can I self-host Lakera Guard?

Yes, on the Enterprise plan. That option is aimed at organizations with stricter compliance, privacy, or data residency requirements.

How fast is Lakera Guard?

Lakera says many requests complete in under 50ms, with low enough latency for production chat and agent use cases. Actual performance depends on architecture and deployment setup.

What kinds of attacks can it catch?

It focuses on direct and indirect prompt injection, jailbreaks, prompt leakage, sensitive data exposure, unsafe content, and suspicious links. It is especially relevant for RAG systems and agents with tool access.

Does Lakera Guard support multiple languages?

Yes. Lakera says it supports 100+ languages and can detect cross-language attack patterns.

Is Lakera Guard good for RAG applications?

Yes, this is one of its strongest fits. It can be used to screen user queries, retrieved documents, and model outputs so poisoned context does not turn into model instructions.

What are Lakera Guard’s biggest limitations?

The biggest ones we found are enterprise pricing opacity and mixed third-party benchmark results in some categories. It is also a focused runtime security product, not a full governance platform.

Who is Lakera Guard best for?

Teams shipping AI systems into production, especially customer-facing apps, internal copilots, and agents with access to tools or sensitive data. If your AI app can cause a real incident, Lakera Guard is in the category of tools worth evaluating early.