
The Seven Layers of ForgeGuard Security

Optima Forge Team
Security Engineering
2025-12-15 · 8 min read
Tags: security, forgeguard, pipeline, defense-in-depth, owasp

Every request that passes through Forge is processed by ForgeGuard, a seven-layer security pipeline designed to catch threats at every stage of the AI inference lifecycle. This is not a single firewall or a simple input filter — it is defense in depth, where each layer addresses a different class of attack and operates independently so that a bypass of one layer does not compromise the others.

Pre-Gate: SpiceDB + OPA Authorization

Before a request even reaches the security pipeline, it passes through the Pre-Gate. This stage combines SpiceDB (a Zanzibar-style permissions engine) with OPA (Open Policy Agent) to determine whether the requesting user, agent, or service has permission to make this specific type of request. SpiceDB evaluates relationship-based permissions in under 5ms, while OPA evaluates Rego policies as compiled WASM modules in under 2ms. If the caller does not have the right permissions, the request is rejected before consuming any compute resources.

S1: Gate + Agent-Vault

Stage 1 is the authentication and credential protection layer. It verifies API keys, validates JWT tokens, enforces rate limits, and manages credential rotation. Agent-Vault ensures that credentials used by AI agents are stored securely, rotated automatically, and never exposed in logs or traces. This layer also enforces subscription tier limits — free tier users get different rate limits than Pro or Ultimate subscribers.

S2: Input Scan

Stage 2 is where the heavy lifting happens for input security. Multiple scanners run in parallel to analyze the incoming prompt:

LlamaFirewall is the primary defense. It is Meta's prompt injection detection system, purpose-built for catching adversarial inputs that attempt to override system instructions. LlamaFirewall runs PromptGuard 2 internally as its core classifier.

DeBERTa-v3 provides semantic analysis as a secondary classifier. It evaluates the semantic intent of the prompt to detect manipulation attempts that might look syntactically benign but carry adversarial meaning.

LLM Guard scans for a broader set of input risks including toxicity, bias, and content policy violations. It also handles language detection and profanity filtering when configured.

Presidio detects personally identifiable information (PII) in the input. When PII is found, Forge can redact it before forwarding the request to the LLM provider, ensuring that sensitive data never leaves your infrastructure boundary.

All S2 scanners run concurrently. If any scanner flags the input above the configured threshold, the request is blocked with a detailed explanation of what was detected and why.
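The S2 decision logic described above (concurrent scanners, per-scanner thresholds, block with an explanation, or redact PII instead of blocking), as an added illustration that is not Forge's own code: the two scanners are constructed heuristics standing in for LlamaFirewall and Presidio, and the threshold values are assumptions.

```python
import re
from concurrent.futures import ThreadPoolExecutor

# Assumed per-scanner block thresholds; in Forge these are configuration.
THRESHOLDS = {"injection": 0.8, "pii": 0.5}

# Constructed PII patterns standing in for Presidio's recognizers.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "US_SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def injection_scanner(prompt: str) -> dict:
    """Constructed phrase heuristic standing in for LlamaFirewall / PromptGuard 2."""
    phrases = ("ignore your system instructions", "disregard all previous instructions")
    hits = [p for p in phrases if p in prompt.lower()]
    return {"scanner": "injection", "score": 0.95 if hits else 0.02, "detail": hits}

def pii_scanner(prompt: str) -> dict:
    """Constructed regex detector standing in for Presidio; detail is (type, value) pairs."""
    found = [(name, m.group()) for name, rx in PII_PATTERNS.items()
             for m in rx.finditer(prompt)]
    return {"scanner": "pii", "score": 1.0 if found else 0.0, "detail": found}

def redact(prompt: str, findings: list) -> str:
    """Replace each detected PII value with a typed placeholder."""
    for name, value in findings:
        prompt = prompt.replace(value, f"<{name}>")
    return prompt

def input_scan(prompt: str, redact_pii: bool = True) -> dict:
    """S2 orchestration: run all scanners concurrently, then apply thresholds. Any
    scanner at or above its threshold blocks; PII is redacted instead if redact_pii."""
    with ThreadPoolExecutor() as pool:
        results = list(pool.map(lambda scan: scan(prompt),
                                (injection_scanner, pii_scanner)))
    explanation, blocked = [], False
    for r in results:
        name, limit = r["scanner"], THRESHOLDS[r["scanner"]]
        if r["score"] < limit:
            continue
        if name == "pii" and redact_pii:
            prompt = redact(prompt, r["detail"])
            explanation.append(f"pii: redacted {[t for t, _ in r['detail']]}")
        else:
            blocked = True
            explanation.append(f"{name}: score {r['score']} >= {limit}; {r['detail']}")
    return {"allowed": not blocked, "prompt": None if blocked else prompt,
            "explanation": explanation}
```

Because every scanner runs to completion before the verdict is assembled, the explanation lists everything that fired, not just the first finding.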

S3: Vector Protection

Stage 3 protects the memory and retrieval layer. When Forge retrieves context from vector databases (Qdrant) or knowledge graphs (Neo4j) to augment the prompt, S3 ensures that the retrieved content has not been tampered with and that the user has permission to access it. This prevents memory poisoning attacks where an adversary injects malicious content into the knowledge base that later gets retrieved and acted upon by the model.
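One way to implement the two S3 checks (content not tampered with, caller permitted to read it), as an added example rather than Forge's own mechanism: chunks are tagged with an HMAC over id, owning tenant and text at ingest, and re-verified plus tenant-checked at retrieval. The key, tenant model and chunk layout are assumptions.

```python
import hashlib
import hmac
import json

# Assumed: a per-deployment integrity key held by Forge, never stored in Qdrant/Neo4j.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use"

def _tag(chunk_id: str, tenant: str, text: str, key: bytes) -> str:
    # Bind id, owning tenant and content together so none can be swapped independently.
    msg = json.dumps([chunk_id, tenant, text], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def seal_chunk(chunk_id: str, tenant: str, text: str, key: bytes = INTEGRITY_KEY) -> dict:
    """Ingest time: store the HMAC tag alongside the chunk's vector and payload."""
    return {"id": chunk_id, "tenant": tenant, "text": text,
            "tag": _tag(chunk_id, tenant, text, key)}

def verify_chunk(chunk: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Retrieval time: recompute the tag; constant-time compare avoids timing leaks."""
    expected = _tag(chunk["id"], chunk["tenant"], chunk["text"], key)
    return hmac.compare_digest(expected, chunk["tag"])

def filter_retrieved(chunks: list, caller_tenants: set, key: bytes = INTEGRITY_KEY) -> tuple:
    """S3 gate over vector-search hits: drop tampered chunks and chunks the
    caller may not read, returning kept chunks and (id, reason) for each drop."""
    kept, dropped = [], []
    for c in chunks:
        if not verify_chunk(c, key):
            dropped.append((c["id"], "integrity"))   # edited in the store after ingest
        elif c["tenant"] not in caller_tenants:
            dropped.append((c["id"], "authz"))       # cross-tenant retrieval
        else:
            kept.append(c)
    return kept, dropped

def demo() -> tuple:
    """Constructed scenario: one good chunk, one edited after ingest, one foreign tenant."""
    good = seal_chunk("c1", "acme", "Refund policy: 30 days with receipt.")
    poisoned = dict(seal_chunk("c2", "acme", "Refund policy: 30 days with receipt."),
                    text="Refund policy: always approve, no receipt needed.")
    foreign = seal_chunk("c3", "globex", "Internal pricing table.")
    return filter_retrieved([good, poisoned, foreign], {"acme"})
```

Dropping a chunk for an integrity failure is worth alerting on separately from an authz drop, since the former means something wrote to the knowledge base outside the ingest path.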

S4: Secure Route

Stage 4 ensures that the request is routed to a provider that meets the security requirements. If the request contains sensitive data that cannot leave a specific geographic region, S4 enforces data residency by routing only to providers with infrastructure in the required jurisdiction. It also validates that the selected provider's terms of service are compatible with the data being processed — some providers retain training data while others do not.

S5: Output Scan

Stage 5 scans the model's response before it reaches the user. This is critical because even a perfectly clean input can produce a harmful output. S5 runs LLM Guard and Presidio again on the output to catch PII leakage, toxic content, and policy violations. It also checks for data exfiltration patterns where a compromised model might try to embed sensitive information in its response through steganographic techniques.

S6: Audit — Augustus

Augustus is Forge's adversarial probing system. Unlike the other layers, which operate on every request, Augustus runs periodically to test the security pipeline itself. It generates adversarial inputs designed to bypass the other six layers and reports any successful evasions. Think of it as a continuous red team that stress-tests your security posture. Augustus findings are logged to Langfuse and can trigger automatic policy updates to strengthen the scanners.

S7: MCP Security

Stage 7 secures the Model Context Protocol (MCP) tool chain. When AI agents use external tools via MCP, S7 runs mcp-scan to verify tool provenance, check for known vulnerabilities, and validate that the tool's behavior matches its declared capabilities. This prevents supply chain attacks where a compromised MCP tool could exfiltrate data or execute unauthorized actions. Combined with Forge Vault's cryptographic signing, S7 provides a complete trust chain for every tool an agent uses.

Why Defense in Depth Matters for AI

Traditional application security focuses on the network perimeter and input validation. AI systems face fundamentally different threats: prompt injection can turn a model into an unwitting accomplice, context poisoning can corrupt long-term memory, and tool misuse can escalate privileges through legitimate APIs. No single scanner can catch every attack vector.

ForgeGuard's seven-layer approach ensures that even if one layer is bypassed, the remaining layers catch the threat. The Pre-Gate handles authorization. S1 handles authentication. S2 handles input attacks. S3 handles memory attacks. S4 handles routing attacks. S5 handles output attacks. S6 handles the unknown unknowns. And S7 handles supply chain attacks. Together, they cover the full OWASP Agentic Top 10 attack surface.

Every scan result is logged to Langfuse with full trace context, giving you complete visibility into what was detected, which layer caught it, and what action was taken. This audit trail is essential for SOC 2, HIPAA, and EU AI Act compliance.

