· for LLM
customer perimeter
LLM Firewall inside your perimeter
All your company AI traffic under control, without slowing adoption: DLP inbound and outbound, kill-switch, provable audit.
One line of config. Every model behind the gateway.
Only base_url changes to point at the gateway. Your SDK, client code and models stay the same, the gateway key replaces the vendor key, and traffic flows through Prizma inspection.
from openai import OpenAI
client = OpenAI(
base_url="https://prizma.acme.internal/v1", # gateway instead of api.openai.com
api_key=PRIZMA_TOKEN, # gateway key, not the vendor key
)
resp = client.chat.completions.create(model="gpt-5", messages=msgs) from anthropic import Anthropic
client = Anthropic(
base_url="https://prizma.acme.internal", # traffic flows through Prizma
api_key=PRIZMA_TOKEN, # gateway key, not the vendor key
)
msg = client.messages.create(model="claude-sonnet-4.6", messages=msgs) # one env, and the whole coding agent goes through the gateway
export ANTHROPIC_BASE_URL="https://prizma.acme.internal"
export ANTHROPIC_API_KEY="$PRIZMA_TOKEN" # gateway key, not the vendor key
claude # requests inspected inbound and outbound # same call, gateway domain instead of api.openai.com
curl https://prizma.acme.internal/v1/chat/completions \
-H "Authorization: Bearer $PRIZMA_TOKEN" \
-H "Content-Type: application/json" \
-d '{"model": "gpt-5", "messages": [{"role": "user", "content": "..."}]}' One path for every request
One gateway between developers, agents and models. DLP runs twice: before the model call and after the response. Any stage can be cut with the kill-switch or rewritten by policy.
Routing for availability, cost and latency
The client keeps one contract, and underneath the gateway picks the provider and model for the current load.
Availability
A dead route never drops the request: retry and fallback walk the chain down to a local model inside your perimeter.
Cost
A two-tier semantic cache answers a repeat without hitting the provider or burning tokens again.
Latency
Live rolling p95 per provider, and Thompson-Sampling shifts the route to the fastest responder.
Inspect, control, prove
Inspect
Sees more than just secrets, inbound and outbound.
- DLP layers 0–7 + multimodal (OCR)
- pre-call and post-call, streaming
- secrets, PII, financial data · milliseconds
Control
Policy decides what reaches the model: before the call, not after.
- BLOCK / MASK / WARN policies, RBAC
- budgets and cost attribution
- kill-switch L0–L4 · instant
Prove
Every request leaves a trail that survives an audit.
- HMAC-chained audit, tamper-evident
- SIEM export over CEF
- evidence packs 152-FZ / GDPR / SOC 2
Regex, NER and a code detector: inbound and outbound
Regex with validators (Luhn for cards, MOD-11 for INN), Presidio NER for names and organizations, a dedicated code detector: AWS keys in source, GPL/AGPL headers and internal API domains never reach the model. Three modes: tokens [CARD_1], format-preserving substitution (a valid synthetic INN and a Luhn-correct card) or full redaction. Below, the first of eight layers runs live, right in your browser. Switch the mode by hand to see the difference.
Data never leaves your perimeter
Not SaaS. It lives in your perimeter, on hardware you control: under your SIEM, secret store and SSO. Deploys in a couple of minutes, runs in air-gap.
DeploymentAll your AI traffic under your control
A self-hosted LLM Firewall inside your perimeter. One base_url line, and no prompt leaves directly.