Skip to content
All insights

What is AIDR? The firewall your AI layer is missing

6 min readAI SecurityAIDRDELIA
A stack's security layers: network, endpoints and applications marked as covered; the AI layer (LLM, RAG, agents) marked as a blind spot, covered by AIDR

You have a WAF in front of web traffic, an EDR on the endpoints and DLP over the data. Every layer of your stack is watched by something. The moment you put an LLM, a RAG or an agent into production, a new layer shows up that none of those controls looks at: the AI layer. That is the gap.

AIDR (AI Detection & Response) is the category that fills that gap: observe, detect and respond to attacks on your AI applications, at runtime and in the pipeline itself. If you know what an EDR is for endpoints, AIDR is the equivalent for the AI layer.

Why your current stack can't see it

The problem is not that your controls are bad, it is that they watch the wrong place. An attack on an LLM does not arrive as an exploit against your network or as a malicious binary: it arrives as data. A hidden instruction in a PDF someone uploads, in a page the agent browses, in a document the RAG retrieves.

  • The WAF inspects HTTP requests. The injection rides inside a legitimate document, not in the request.
  • The EDR watches processes and binaries. Nothing odd runs on the host here; the model simply obeys.
  • Classic DLP looks at files and email. It does not grasp that the model just exfiltrated a secret inside a chat reply.
  • Guardrails and evaluation suites test the model before deploy. They are not inline when the attack happens in production.

The attack is semantic and happens at runtime, which is why you need something that sits in the pipeline and understands what flows through it.

What an AIDR does

It sits inline in the pipeline and does the same thing at every hop: it observes with OpenTelemetry traces, detects on a deterministic hot path (plus an ML cold path), responds on the spot, and exports the evidence to your SIEM.

Architecture diagram of an AIDR: untrusted data (documents, web, OSINT) enters at retrieval and tool responses enter at the tool hop; AIDR sits inline and intercepts every hop, with the observe, detect, respond and integrate capabilities, and exports OCSF evidence to the SIEM

Notice where the attack enters: not through the network, but with the data your pipeline retrieves (documents, web, OSINT) and with what tools return. AIDR sits right there, at every hop, and does four things in order:

  1. Observe. Trace every hop of the pipeline (retrieval, model call, tool call, output) with an open standard like OpenTelemetry. No visibility, no detection.
  2. Detect. The data-borne threats: direct and indirect prompt injection, RAG poisoning, exfiltration, excessive agency. Mapped to frameworks your team already knows, the OWASP LLM Top 10 and MITRE ATLAS.
  3. Respond inline. Where the attack happens: sanitize the content, quarantine the hostile chunk, block the output or gate a tool pending human approval.
  4. Integrate. Normalize findings to an open format like OCSF and send them to your SIEM, so the AI layer shows up on the same board as the rest of your security.

Detection runs on two lanes. A hot path, inline and deterministic, that decides on the spot (under 2 ms, with fail-safe) so it adds no latency to your app, and an asynchronous cold path with ML and a semantic judge for the gray zone, which enriches the evidence without blocking. The hot path never waits for the cold path.

Diagram of how an AIDR decides: an inline hot path (gateway, fast rule and scope-guard detection, allow/block/gate decision) and an asynchronous cold path (ML detection with ONNX, LLM judge, OCSF evidence builder and storage), both flowing to the SIEM

In a single request, here is how the first three capabilities look when an injection arrives inside a retrieved document: it observes the hop, detects the threat and responds, in under two milliseconds.

// POST /intercept/retrieval
{
  "action": "block",
  "latency_us": 1750,
  "verdicts": [{
    "detector": "d1-indirect-injection",
    "score": 1.0,
    "action": "block",
    "labels": ["LLM01", "AML.T0051"]
  }]
}

And that same finding, normalized to OCSF and signed, is what goes to your SIEM:

// OCSF · class_uid 2004 → SIEM
{
  "hop": "retrieval",
  "detector": "d1-indirect-injection",
  "action": "block",
  "owasp_llm": ["LLM01"],
  "mitre_atlas": ["AML.T0051"],
  "tamper_verified": true
}

All four capabilities on one screen: the AI layer on the same board as the rest of your security, with detections by hop, OWASP LLM categories and MITRE ATLAS techniques.

DELIA operations console: intercepted, blocked, quarantined and P95 latency; detections by hop; top OWASP LLM categories and MITRE ATLAS techniques; and live detections

AIDR next to what you already have

It does not replace anything in your stack; it covers a layer the others cannot reach. The difference is on three axes: where it lives (runtime, not just development), what it inspects (every hop of the pipeline, not HTTP or processes) and how it responds (inline, not just an alert).

Table comparing AIDR with WAF, EDR, DLP and guardrails by what they protect, what they inspect and how they respond

One important nuance: an AIDR is not a guardrail. Guardrails and evaluation suites (garak, promptfoo and the like) are pre-deploy tests, hugely valuable for finding flaws before production. But when the attack arrives in a document at three in the morning, the test already ran. The AIDR is what is inline at that moment.

Which companies this changes something for

This is not theoretical. Any company that puts a chatbot, an internal search or an agent over its data inherits the AI layer, and with it the gap. Four cases we see:

SectorAI systemMain riskWhat AIDR intercepts
Banking and insuranceRAG assistant over contracts and regulationData leak between customers; injection hidden in a PDF the user uploadsDLP on the output, per-customer partitioning and indirect injection (d1, d3)
HealthcarePatient chatbot with calendar accessPII leaking into the answer; booking or cancelling with no controlSemantic DLP and tool gating (d3, scope-guard)
LegalAgent over the documents of a caseHidden instruction in a document filed by the opposing party; exfiltrationQuarantine of the hostile chunk and OCSF evidence for the audit trail (d1)
Support and e-commerceAgent with tools (orders, refunds)Confused deputy: a message triggers a refund; unbounded costHuman approval per tool and spend limits (scope-guard)

In all of them the pattern is the same: the attack does not come through the network or a binary, but through the content your own application processes. And in all of them, the evidence AIDR leaves also serves compliance (EU AI Act, NIS2), not just defense.

Why now

Agents are moving into production fast, and every tool you give them widens the surface. At the same time, the EU AI Act requires high-risk systems to be secure by design, and ENISA reads that as robustness against adversarial attacks, exactly the kind of threat that lives in the AI layer. The layer nobody was watching is becoming both the most exposed and the most regulated.

DELIA, our take on AIDR

DELIA is the AIDR we build in the lab: sovereign, self-hostable and OpenTelemetry-native, in R&D. It sits inline in the pipeline, detects the threats mapped to OWASP LLM Top 10 and MITRE ATLAS, and responds at the hop. An example on the testbed: a vendor email with a hidden order to forward the 2FA code. No traditional control sees it, because it arrives inside a legitimate document; DELIA detects it at retrieval and quarantines it before the model reads it (the demo corpus is Spanish, so the model prose is Spanish; the DELIA verdict is what matters).

Swagger: POST /chat with protect:true; delia.retrieval marks vendor_email.md as quarantine with d1-indirect-injection, dropped 1, and the model answer comes back clean

What sets it apart is how it is validated: KAIX HAVOC, our offensive engine, continuously attacks the protected pipeline, and every successful attack becomes a validated detection.

If you want to see the concept with real attacks and the output it returns, we walk through it step by step in OWASP LLM Top 10: ten real attacks and what DELIA intercepts. And if you run LLM, RAG or agents in production, book a demo.