Agents act on whatever they read. Gate decides what gets through.
AI agents follow instructions wherever they find them: a web page, a README, an email, a
pasted document. Gate sits between your agents and the model and screens every request
and every response, so an attack is stopped before the model ever sees it and a leaked
secret is redacted before it leaves.
Agents fail in two ways that matter: they read something malicious and act on it, or
they repeat something sensitive to a place it shouldn't go. The first is prompt
injection, and its most damaging form is a hijacked tool call — an instruction hidden
in a page or document that redirects what the agent does next. The second is leakage:
API keys, customer PII, and PHI pasted into responses, logs, and downstream tools.
Gate screens both directions for both failure modes, and enforces spend and rate
caps on top.
Case A · Leakage
The support export
A support agent summarizes a ticket thread for a handoff. The export includes
customer email addresses. Gate redacts the values in the response before the
agent's downstream tools or logs ever see them. The summary still arrives; the
addresses don't.
The record shows response redacted · PII, and the redaction itself is part of the sealed entry.
Case B · Injection
The poisoned page
A research agent opens a page whose hidden text instructs it to forward the
conversation to an external URL. Gate flags the page content as an indirect
injection and blocks it before the model reads it. The run continues on the
remaining sources.
The record shows blocked · injection, source: tool output, with the offending content fingerprinted.
Case C · Spend
The overnight loop
A batch job hits a failing call and retries all night. At the project's spend cap
Gate returns a clean refusal the agent can handle, and the loop exits instead of
compounding until someone wakes up.
The record shows cap enforced, with the request count and the exact amount metered against the limit.
02 — How it works
Every request is screened on the way in, every response on the way out.
Point your agent at Gate's endpoint and every message passes through a layered
screening pipeline. Nothing to install in your codebase, nothing to retrain.
Every verdict lands in a record you can hand to someone else.
Allowed, flagged, blocked, or redacted — each decision is written to a hash-chained
trail and anchored to
Constellation Digital Evidence.
For the operator, that's the record you show your boss, your customer, or an auditor.
For the engineer, it's the record you pull when the incident review lands on your desk.
each entry chains to the previous · fingerprints anchored on-ledger · content never leaves Gate
Immutable on write. Entries are cryptographically chained; changing one breaks the chain visibly. Not your team, not us.
Independently verifiable. A record can be checked against the anchor without going through Gate.
Deletion shows as deletion. A gap in the chain is evidence in itself, which is what makes the trail worth showing to an auditor.
Fingerprints, not content. The ledger stores cryptographic hashes. Prompts and responses never leave Gate's infrastructure.
03 — Evidence
Tested in the open, at a threshold you can run.
Most vendors quote a headline score without telling you the operating point. We publish
ours the way you'd run it: one global threshold, a strict false-positive budget, and
per-dataset results anyone can re-run. Goehausen & Sousa,
arXiv:2606.02959, June 2026.
97.4%F1 · 16 public benchmarks · 12,111 samples · ≤1% pooled false-positive budget
At the unconstrained max-F1 operating point (4.2% FPR), F1 rises to 98.7%. In plain
terms: roughly 95 of 100 injection attempts caught at a 1-in-100 false-alarm cap,
nearly 99 of 100 at a 4-in-100 cap.
Method, in one paragraph. One threshold is selected on held-out folds (max F1
subject to pooled FPR ≤ 1%, 5-fold cross-validation) and applied uniformly to all 16
datasets — no per-benchmark tuning, the way production traffic actually arrives. Every
dataset is public and named in the paper. Generalization is stress-tested with
leave-one-dataset-out cross-validation and a random-label control (shuffled-label AUC
0.5146, chance level): the model isn't memorizing benchmark quirks.
Fig. 3 — Gate's rank on each dataset's primary metric, among all third-party-verified systems publishing itarXiv:2606.02959, per-dataset table
Comparison: Lakera Guard.
The clearest difference is false alarms. On the two public benign suites, Gate wrongly
flags 2.7% and 1.4% of legitimate requests; Lakera Guard, the incumbent Check Point
acquired for $300M, flags 12.4% and 17.4%. That is four to twelve times fewer false
alarms, at matched false-positive rates where Gate also leads on detection.
Measure
Gate AI
Lakera Guard
Benign over-block rate, NotInject (lower is better)
2.7%
12.4%
Benign over-block rate, WildGuard-benign (lower is better)
1.4%
17.4%
Mean F1 at matched FPR (deepset, gentel-jailbreaking, gentel-goal-hijacking, gentel-prompt-leaking)
Screening that adds seconds per request doesn't survive contact with an agent loop.
Gate adds 53 ms at the median and 60 ms at p90; its 104 ms mean is the lowest in the
paper's comparison corpus, against Lakera Guard's 140 ms.
04 — Data handling & FAQ
Where your data goes.
Screening
Runs on Gate's own models, on infrastructure Gate operates. Prompts and responses
are not sent to third-party scanning services.
Model traffic
Goes to the model provider serving your request and nowhere else. Bring your own
keys and it runs under your existing provider agreement.
The ledger
Stores cryptographic fingerprints of audit entries, never prompt or response
content.
Analytics
Product analytics cover Gate's own dashboards and site, not the content of your
requests.
I already run LiteLLM, Helicone, or OpenRouter. Do I need Gate?
Those are routers and observability layers, and they're good at it. Gate is the screening layer: benchmarked injection defense, credential and PII redaction, enforced caps, and a tamper-evident record. They compose. LiteLLM and most proxies speak to OpenAI-compatible endpoints, so you can point your existing setup at Gate and keep it.
Isn't structured logging enough for an audit?
Logs can be edited or deleted by whoever holds the keys, which is exactly what an auditor will point out. Gate's audit trail is hash-chained and anchored to Constellation Digital Evidence, so a record can be verified independently and a deletion shows up as a deletion. The ledger stores cryptographic fingerprints, never your content.
Can I keep my own provider keys?
Yes. Bring your own keys and your existing provider agreements stay in place, or run models through Gate's keys on pay-as-you-go.
Put the defense in front of your agents.
Sign up, point your tools at Gate with Gate Connect or one
line of config, and every request after that is screened.