Security

ForgeGuard 7-layer security pipeline.

ForgeGuard is Forge's enterprise-grade security pipeline that protects every API request through 7 layers (plus a Pre-Gate), covering input validation, prompt injection detection, PII protection, output scanning, and MCP tool safety. The pipeline is OWASP Agentic Top 10 compliant and supports three configurable security levels.

Security Levels

Configure security via the forge.security.level parameter:

  • basic: Fast input scanning only (S1-S2). Minimal latency impact. Good for internal tools.
  • standard: Full input and output scanning (S1-S5). Recommended for production applications.
  • strict: All 7 layers active including adversarial probing and MCP scanning (S1-S7). Required for compliance-sensitive workloads.

Example configuration:

{
  "forge": {
    "security": {
      "level": "standard",
      "pii": { "detect": true, "redact": true },
      "customPolicies": ["no-competitor-data", "medical-safe"]
    }
  }
}

ForgeGuard 7-Layer Pipeline

Pre-Gate — Authorization (SpiceDB + OPA): Before any processing, the request is authorized against SpiceDB (Zanzibar-style permissions, sub-5ms) and OPA policies (Rego rules, sub-2ms via WASM). This enforces tenant isolation, API key permissions, and feature access controls.

S1 — Gate + Agent-Vault: Rate limiting per key, per tier. Agent-Vault protects credentials from being leaked through LLM interactions. Credentials are stored in a secure vault and never included in prompts.

S2 — Input Scan: The primary defense layer using multiple scanning engines in parallel:

  • LlamaFirewall (primary): Meta's open-source firewall for prompt injection, jailbreaking, and policy violations
  • DeBERTa-v3: Semantic analysis for subtle manipulation attempts
  • LLM Guard: Comprehensive input/output scanning
  • Presidio: Microsoft's PII detection and anonymization (names, emails, SSNs, credit cards, etc.)
  • PromptGuard 2: Prompt injection detection within LlamaFirewall

S3 — Vector Protection: Detects adversarial embedding attacks and poisoned vector stores. Validates that retrieved memory content has not been tampered with.

S4 — Secure Route: Ensures the selected provider meets security requirements. Some queries may be restricted to specific providers based on data residency policies or compliance requirements.

S5 — Output Scan: Validates LLM responses for PII leakage, hallucinated credentials, harmful content, and policy compliance before the response is returned to the user.

S6 — Audit (Augustus): Adversarial probing that periodically tests the pipeline with known attack patterns to ensure defenses remain effective. Logs all security events for compliance auditing.

S7 — MCP Security (mcp-scan): Scans MCP tool calls for safety. Validates tool parameters, checks tool provenance, and blocks calls to untrusted or modified tools.

Custom Security Policies

Define custom OPA policies in Rego to enforce organization-specific rules:

# Block requests mentioning competitor data
package forge.security

# contains() is a case-sensitive substring match on the request content;
# any matching deny rule adds its message to the deny set.
deny[msg] {
  contains(input.content, "competitor_name")
  msg := "Competitor data discussion blocked by policy"
}
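The rule above matches a single literal string case-sensitively. The following module is an added example (not Forge's own code) in the same v0-style Rego syntax: it loads the blocked terms from a data document, matches them case-insensitively, adds a second deny rule for payment-card-shaped input, and includes opa test cases. The data path data.policies.competitor_terms and the input.content field are assumptions.

```rego
package forge.security

# Deny when the lowercased request content mentions any blocked term.
# Terms come from a data document (assumed path: data.policies.competitor_terms)
# so the list can be updated without editing the policy.
deny[msg] {
  term := data.policies.competitor_terms[_]
  contains(lower(input.content), lower(term))
  msg := sprintf("Competitor data discussion blocked by policy (term: %v)", [term])
}

# Deny when the content carries something shaped like a 16-digit card number
# (digits optionally separated by spaces or dashes), so the request is
# rejected at the Pre-Gate before S2's PII scanners run.
deny[msg] {
  regex.match(`\b(?:\d[ -]?){15}\d\b`, input.content)
  msg := "Payment card numbers are not allowed in prompts"
}

# A request is allowed only when no deny rule produced a message.
default allow = false

allow {
  count(deny) == 0
}

# Tests (run with `opa test .`); inputs below are constructed samples.
test_blocks_competitor_term_case_insensitively {
  not allow with input as {"content": "How do we compare with ACMECORP?"}
            with data.policies.competitor_terms as ["AcmeCorp"]
}

test_blocks_card_number {
  not allow with input as {"content": "Charge 4111 1111 1111 1111 please"}
            with data.policies.competitor_terms as []
}

test_allows_clean_request {
  allow with input as {"content": "Summarize our Q3 roadmap"}
        with data.policies.competitor_terms as ["AcmeCorp"]
}
```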

OWASP Agentic Top 10 Compliance

Forge Shield maps all OWASP Agentic Top 10 risks to specific mitigations:

  • A1 Goal Hijack → Behavioral drift detector
  • A2 Tool Misuse → Tool capability bounds + sandboxing
  • A3 Identity/Privilege Abuse → Per-agent privilege scoping
  • A4 Supply Chain → MCP tool provenance validation (Forge Vault)
  • A5 Code Execution → Sandbox with resource limits (Forge Compute)
  • A6 Memory Poisoning → Memory write integrity verification

Compliance

  • SOC 2 Type I / Type II compliance path
  • HIPAA BAA support (Enterprise tier)
  • EU AI Act compliance via Probo + EuConform
  • Data residency routing for GDPR compliance
  • Automated compliance evidence with Forge Comply