AI agent security

Agents act on whatever they read.
Gate decides what gets through.

AI agents follow instructions wherever they find them: a web page, a README, an email, a pasted document. Gate sits between your agents and the model and screens every request and every response, so an attack is stopped before the model ever sees it and a leaked secret is redacted before it leaves.

Numbers on this page are from the benchmark paper, arXiv:2606.02959 (June 2026).

AGENTUNCHANGEDMODEL APIANY PROVIDERREQUESTSSCREENEDBLOCKEDRESPONSESSCAN12REDACT14METER16SEAL1810202224Δt +53 MS P50
Fig. 1 — Gateway cross-section: request and response screening 10 agent · 12–18 screening chambers · 22 redacted segment · 24 blocked input
01 — What it catches

Three incidents, as Gate records them.

Agents fail in two ways that matter: they read something malicious and act on it, or they repeat something sensitive to a place it shouldn't go. The first is prompt injection, and its most damaging form is a hijacked tool call — an instruction hidden in a page or document that redirects what the agent does next. The second is leakage: API keys, customer PII, and PHI pasted into responses, logs, and downstream tools. Gate screens both directions for both failure modes, and enforces spend and rate caps on top.

Case A · Leakage

The support export

TICKET #4821 — SUMMARYPII.EMAIL × 3REDACTEDBEFORE RETURN

A support agent summarizes a ticket thread for a handoff. The export includes customer email addresses. Gate redacts the values in the response before the agent's downstream tools or logs ever see them. The summary still arrives; the addresses don't.

The record shows response redacted · PII, and the redaction itself is part of the sealed entry.

Case B · Injection

The poisoned page

FONT-SIZE: 0 — INVISIBLE TO THE OPERATORHIDDENBLOCKEDNEVER REACHESTHE MODEL

A research agent opens a page whose hidden text instructs it to forward the conversation to an external URL. Gate flags the page content as an indirect injection and blocks it before the model reads it. The run continues on the remaining sources.

The record shows blocked · injection, source: tool output, with the offending content fingerprinted.

Case C · Spend

The overnight loop

22:0000:0002:0004:0006:00$CAP $250CAP ENFORCED — 03:12CLEAN REFUSAL · LOOP EXITS

A batch job hits a failing call and retries all night. At the project's spend cap Gate returns a clean refusal the agent can handle, and the loop exits instead of compounding until someone wakes up.

The record shows cap enforced, with the request count and the exact amount metered against the limit.

02 — How it works

Every request is screened on the way in, every response on the way out.

Point your agent at Gate's endpoint and every message passes through a layered screening pipeline. Nothing to install in your codebase, nothing to retrain.

ALL TRAFFICTIER 1 — FAST PATHSCANREDACTMETERSEAL~90% OF REQUESTSP50 53 MS · P90 60 MSHARD CASESTIER 2 — DEEP ANALYSISDEFERREDP95 571 MS · P99 612 MSRESPONSES SCREENED ON RETURN
Fig. 2 — Two-tier screening pipeline Latency percentiles: arXiv:2606.02959, §5

Every verdict lands in a record you can hand to someone else.

Allowed, flagged, blocked, or redacted — each decision is written to a hash-chained trail and anchored to Constellation Digital Evidence. For the operator, that's the record you show your boss, your customer, or an auditor. For the engineer, it's the record you pull when the incident review lands on your desk.

Audit trail — org/acme ✓ chain verified
14:02:11 allowed request forwarded · claude-sonnet-5 …c41f → 9b2e
14:02:56 redacted response · pii.email × 3 …9b2e → f7a1
14:03:12 blocked indirect injection · tool output …f7a1 → 30cc
14:03:40 cap project dev-agents · $250.00 / $250.00 …30cc → 81d4
each entry chains to the previous · fingerprints anchored on-ledger · content never leaves Gate
  • Immutable on write. Entries are cryptographically chained; changing one breaks the chain visibly. Not your team, not us.
  • Independently verifiable. A record can be checked against the anchor without going through Gate.
  • Deletion shows as deletion. A gap in the chain is evidence in itself, which is what makes the trail worth showing to an auditor.
  • Fingerprints, not content. The ledger stores cryptographic hashes. Prompts and responses never leave Gate's infrastructure.
03 — Evidence

Tested in the open, at a threshold you can run.

Most vendors quote a headline score without telling you the operating point. We publish ours the way you'd run it: one global threshold, a strict false-positive budget, and per-dataset results anyone can re-run. Goehausen & Sousa, arXiv:2606.02959, June 2026.

97.4% F1 · 16 public benchmarks · 12,111 samples · ≤1% pooled false-positive budget

At the unconstrained max-F1 operating point (4.2% FPR), F1 rises to 98.7%. In plain terms: roughly 95 of 100 injection attempts caught at a 1-in-100 false-alarm cap, nearly 99 of 100 at a 4-in-100 cap.

Method, in one paragraph. One threshold is selected on held-out folds (max F1 subject to pooled FPR ≤ 1%, 5-fold cross-validation) and applied uniformly to all 16 datasets — no per-benchmark tuning, the way production traffic actually arrives. Every dataset is public and named in the paper. Generalization is stress-tested with leave-one-dataset-out cross-validation and a random-label control (shuffled-label AUC 0.5146, chance level): the model isn't memorizing benchmark quirks.

DATASET#1#2#3#4#5#6#7#8FIELDDEEPSETOF 28SAFEGUARDOF 13WILDGUARD-BENIGNOF 10GENTEL-GOAL-HIJACKINGOF 9GENTEL-PROMPT-LEAKINGOF 9LLMAILOF 7SALAD-DATAOF 6ADVBENCHOF 3GANDALF-IGNOREOF 24GENTEL-JAILBREAKINGOF 9JACKHHAOOF 6ILION-BENCHOF 5NOTINJECTOF 10HARMBENCHOF 12BIPIAOF 16HACKAPROMPTEVALUATED — NO PUBLISHED THIRD-PARTY COMPARATORRANK #18/16DATASETS#2 ON 3 · #3 ON 1ONE GLOBAL THRESHOLDPOOLED FPR 1.0%
Fig. 3 — Gate's rank on each dataset's primary metric, among all third-party-verified systems publishing it arXiv:2606.02959, per-dataset table

Comparison: Lakera Guard.

The clearest difference is false alarms. On the two public benign suites, Gate wrongly flags 2.7% and 1.4% of legitimate requests; Lakera Guard, the incumbent Check Point acquired for $300M, flags 12.4% and 17.4%. That is four to twelve times fewer false alarms, at matched false-positive rates where Gate also leads on detection.

Measure Gate AI Lakera Guard
Benign over-block rate, NotInject (lower is better) 2.7% 12.4%
Benign over-block rate, WildGuard-benign (lower is better) 1.4% 17.4%
Mean F1 at matched FPR (deepset, gentel-jailbreaking, gentel-goal-hijacking, gentel-prompt-leaking) 96.6% 83.7%
deepset F1 at matched FPR 0.7% 88.7% 82.3%

All values from the per-dataset table of arXiv:2606.02959.

Screening that adds seconds per request doesn't survive contact with an agent loop. Gate adds 53 ms at the median and 60 ms at p90; its 104 ms mean is the lowest in the paper's comparison corpus, against Lakera Guard's 140 ms.

04 — Data handling & FAQ

Where your data goes.

Screening
Runs on Gate's own models, on infrastructure Gate operates. Prompts and responses are not sent to third-party scanning services.
Model traffic
Goes to the model provider serving your request and nowhere else. Bring your own keys and it runs under your existing provider agreement.
The ledger
Stores cryptographic fingerprints of audit entries, never prompt or response content.
Analytics
Product analytics cover Gate's own dashboards and site, not the content of your requests.

Full detail in the privacy policy and terms.

The questions we get.

I already run LiteLLM, Helicone, or OpenRouter. Do I need Gate?

Those are routers and observability layers, and they're good at it. Gate is the screening layer: benchmarked injection defense, credential and PII redaction, enforced caps, and a tamper-evident record. They compose. LiteLLM and most proxies speak to OpenAI-compatible endpoints, so you can point your existing setup at Gate and keep it.

Isn't structured logging enough for an audit?

Logs can be edited or deleted by whoever holds the keys, which is exactly what an auditor will point out. Gate's audit trail is hash-chained and anchored to Constellation Digital Evidence, so a record can be verified independently and a deletion shows up as a deletion. The ledger stores cryptographic fingerprints, never your content.

Can I keep my own provider keys?

Yes. Bring your own keys and your existing provider agreements stay in place, or run models through Gate's keys on pay-as-you-go.

Put the defense in front of your agents.

Sign up, point your tools at Gate with Gate Connect or one line of config, and every request after that is screened.