scandar-guard wraps your AI client in one line of code and inspects every message, tool call, and agent response — inside your environment, never ours.
Free on all plans · TypeScript · Python · Go
An AI agent reads a file from a shared drive. The file contains hidden malicious instructions. Guard catches them before the model processes them.
One line. No architecture changes. The same client API you already use.
scandar-scan finds threats before deployment. Guard catches what only reveals itself at runtime — when your agent is actually talking to the world.
When your agent reads a file, scrapes a webpage, or calls an API, that content flows back to the model. Malicious instructions — even encoded in base64, hex, ROT13, or unicode homoglyphs — are decoded and caught before the model ever sees them.
14 decoding methods: base64, hex, ROT13, leetspeak, Cyrillic/Greek homoglyphs, Caesar brute-force (all 25 rotations), Base32, zero-width character stripping, RTL mark removal, URL, HTML entities — plus recursive multi-layer decoding that catches base64(hex(ROT13(payload))). Encoding is a signal of adversarial intent.
Sophisticated attacks spread injection fragments across multiple conversation turns. Guard tracks a 12-message sliding window and detects when fragments like 'ignore' + 'previous' + 'instructions' appear across separate messages.
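A minimal sketch of that sliding-window idea, with an assumed fragment set (this is illustrative, not Guard's shipped rules): keep the last 12 messages and flag when every fragment of a known injection phrase has appeared somewhere in the window.

```python
from collections import deque

# Assumed example pattern; real detectors would carry many such sets.
FRAGMENT_SETS = [("ignore", "previous", "instructions")]

class MultiTurnTracker:
    def __init__(self, window: int = 12):
        self.messages = deque(maxlen=window)  # oldest messages fall off

    def observe(self, message: str) -> bool:
        """Return True once any fragment set is complete within the window."""
        self.messages.append(message.lower())
        window_text = " ".join(self.messages)
        return any(all(f in window_text for f in frags)
                   for frags in FRAGMENT_SETS)
```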
PII, secrets, API keys, and shell injection in tool arguments — caught before the call is made. If the model is about to route sensitive data to an unknown endpoint, Guard flags it.
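Conceptually, pre-call argument scanning looks something like the following sketch; the patterns shown are illustrative examples, not Guard's actual rule set.

```python
import re

# Illustrative patterns: a vendor key prefix, an AWS access key ID shape,
# and a crude shell-metacharacter-plus-command check.
SECRET_PATTERNS = {
    "anthropic_key": re.compile(r"sk-ant-[A-Za-z0-9-]{10,}"),
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "shell_injection": re.compile(r"[;&|`]\s*(rm|curl|wget|nc)\b"),
}

def scan_tool_args(args: dict) -> list[str]:
    """Return the names of all patterns found in the argument values."""
    blob = " ".join(str(v) for v in args.values())
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(blob)]
```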
Guard learns your agent's normal tool patterns over sessions. After 5 sessions of baseline data, it flags when an agent suddenly uses a tool it has never used before — context-aware anomaly detection.
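The baselining logic can be sketched under assumed semantics: record which tools each session used, and only once five baseline sessions exist does a never-before-seen tool count as an anomaly.

```python
BASELINE_SESSIONS = 5  # matches the 5-session baseline described above

class ToolProfile:
    def __init__(self):
        self.sessions_seen = 0
        self.known_tools: set[str] = set()

    def end_session(self, tools_used: set[str]) -> None:
        """Fold one completed session into the baseline."""
        self.known_tools |= tools_used
        self.sessions_seen += 1

    def is_anomalous(self, tool: str) -> bool:
        """Flag unseen tools only once the baseline is established."""
        return (self.sessions_seen >= BASELINE_SESSIONS
                and tool not in self.known_tools)
```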
Every LLM call gets a single 0-100 threat score weighing all signals: pattern matches, encoding evasion, multi-turn fragments, behavioral anomalies, profile deviations, and your pre-deployment scan trust score.
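As a sketch of how weighted signals might combine into one 0-100 score (the weights below are illustrative assumptions, not Guard's actual tuning):

```python
# Hypothetical weights per signal; each signal reports a 0.0-1.0 strength.
WEIGHTS = {
    "pattern_match": 40,
    "encoding_evasion": 25,
    "multi_turn_fragments": 20,
    "behavioral_anomaly": 15,
    "profile_deviation": 10,
}

def threat_score(signals: dict[str, float]) -> int:
    """Combine signal strengths into a single score, clamped to 0-100."""
    raw = sum(WEIGHTS.get(name, 0) * strength
              for name, strength in signals.items())
    return min(100, round(raw))
```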
Invisible zero-width unicode tokens injected into system prompts and tool results. If a canary appears in any outbound tool call, it's irrefutable proof of data exfiltration. Per-call rotation traces exactly which content was leaked.
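The mechanism can be sketched with two zero-width characters encoding a random bit string (the character choice and encoding here are assumptions for illustration):

```python
import secrets

ZW = {"0": "\u200b", "1": "\u200c"}  # zero-width space / non-joiner

def make_canary(bits: int = 16) -> str:
    """Encode a random token as an invisible zero-width sequence."""
    token = secrets.randbits(bits)
    return "".join(ZW[b] for b in format(token, f"0{bits}b"))

def embed(text: str, canary: str) -> str:
    """Append the canary; it renders as nothing to a human reader."""
    return text + canary

def leaked(outbound: str, canary: str) -> bool:
    """True if the exact canary sequence appears in outbound content."""
    return canary in outbound
```

Rotating the canary per call means each leak points back to exactly one piece of embedded content.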
Fake tools registered in the agent's schema that should never be called. If the model calls one, it's definitive proof of compromise. Fuzzy matching catches typo evasion (admin_0verride), and detections carry 1.0 confidence.
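Typo-evasion matching against a decoy list can be sketched with the stdlib's `difflib` (the decoy names and normalization rules here are illustrative):

```python
import difflib

HONEYPOTS = ["admin_override", "dump_credentials"]  # assumed decoy names

def normalize(name: str) -> str:
    """Undo common leetspeak substitutions before matching."""
    return name.lower().replace("0", "o").replace("1", "l").replace("3", "e")

def is_honeypot_call(tool_name: str, cutoff: float = 0.85) -> bool:
    """Exact or near-match against the decoy tool list."""
    norm = normalize(tool_name)
    return bool(difflib.get_close_matches(norm, HONEYPOTS, n=1, cutoff=cutoff))
```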
Fingerprints sensitive data from source tools (file reads, DB queries). Detects the same data in outbound sinks (HTTP, email, webhook). Catches exfiltration that URL pattern matching misses — tracks the data, not the destination.
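A minimal sketch of that fingerprinting approach, assuming line-level chunking (a simplification for illustration): hash chunks read from sensitive sources, then check outbound payloads for any matching chunk.

```python
import hashlib

class LineageTracker:
    def __init__(self):
        self.fingerprints: set[str] = set()

    @staticmethod
    def _hash(chunk: str) -> str:
        return hashlib.sha256(chunk.strip().encode()).hexdigest()

    def record_source(self, content: str) -> None:
        """Fingerprint every non-empty line read from a sensitive source."""
        for line in content.splitlines():
            if line.strip():
                self.fingerprints.add(self._hash(line))

    def check_sink(self, payload: str) -> bool:
        """True if any fingerprinted chunk appears in the outbound payload."""
        return any(self._hash(line) in self.fingerprints
                   for line in payload.splitlines() if line.strip())
```

Because the check keys on the data itself, it fires no matter which URL or channel the exfiltration targets.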
When threat score exceeds threshold, automatically freezes the session, quarantines the agent fleet-wide, captures forensic snapshots, and alerts all channels. Honeypot and canary triggers bypass threshold — always respond.
27 injection patterns across 9 languages: Spanish, French, German, Chinese, Japanese, Russian, Arabic, Portuguese, Korean. Plus language-switching detection for mixed-script evasion attempts.
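Mixed-script detection can be sketched by counting the Unicode scripts a message draws its letters from (using character-name prefixes is a simplification, not Guard's method):

```python
import unicodedata

def scripts_in(text: str) -> set[str]:
    """Collect the script prefix (LATIN, CYRILLIC, ...) of each letter."""
    found = set()
    for ch in text:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def is_mixed_script(text: str) -> bool:
    """Flag text drawing letters from more than one writing system."""
    return len(scripts_in(text)) > 1
```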
Detects when an agent is being tricked into revealing its system prompt through indirect questioning, roleplay scenarios, or encoding tricks.
Identifies personal information, API keys, database credentials, and other secrets in agent responses before they reach the user.
One line of code. Guard wraps your Anthropic, OpenAI, MCP, or LangChain client — identical API, zero code refactoring.
client = guard(Anthropic())

Every message, tool call, and response is scanned against 44 threat patterns with encoding detection, multi-turn tracking, and behavioral profiling — in-process, in milliseconds.

response = client.messages.create(...)
# Guard inspects automatically

In observe mode, findings are logged locally. In block mode, a ScandarBlockedError is raised before the threat reaches your agent.

client = guard(Anthropic(), GuardConfig(
    mode="block", block_on=["critical"]
))

Unlike network-level proxies and cloud-hosted guardrails, Guard runs entirely inside your application process. No sidecar containers. No traffic routing. No third-party servers between your agent and its model.
Findings are written to a local JSONL audit log. Your agent continues normally. Use this to see what Guard would catch in your production traffic before enabling enforcement.
Guard raises a ScandarBlockedError with the full finding before the threat reaches your model. Your application handles it gracefully.
scandar-scan catches threats in AI artifacts before deployment — skill files, MCP servers, configs, prompts, agent definitions. scandar-guard catches what only reveals itself at runtime. Together they cover the full lifecycle. Neither alone is enough.
Free on every plan. Works with Anthropic, OpenAI, MCP, LangChain, AutoGen, and CrewAI. Ship it today — no infrastructure changes required.
Real-time visibility into every agent in your organization — kill chain graphs, blast radius simulation, EU AI Act compliance, and automated quarantine. Self-serve setup in 25 minutes.