Skip to main content
← PurfectShield
Interactive Guide

How PurfectShield Works

An interactive walkthrough of the architecture, threat model, and audit trail that keeps your AI infrastructure secure — without changing how your team works.

What is PurfectShield?

PurfectShield is a transparent redaction gateway that sits between every AI tool your developers use and every LLM provider they call. It inspects every request and response in real time — scrubbing secrets, PII, and protected content before it ever leaves your environment.

Think of it as a security camera for your AI pipeline. It doesn't block your team — it watches, redacts, and logs. Developers keep using Copilot, Cursor, Claude Code, and their favorite CLI tools. Shield runs silently in the background, catching what shouldn't leave the building.

Local Only

Runs on your infrastructure. No cloud dependency. No data egress. Your secrets stay on your metal.

Zero Code Changes

Set one environment variable. Every API call flows through Shield automatically. No SDK required.

Provider Agnostic

Works with any OpenAI-compatible API. Anthropic, OpenAI, Google, local models — Shield doesn't care.

Source Delivered

You own the code. No license server. No subscription. Full source at handoff.

Ready to lock down your AI pipeline?

One day to deploy. One env var to configure. Zero cloud dependencies. Source code is yours.

See Pricing Book a Demo

Frequently Asked Questions

Shield operates as a transparent proxy. In local mode, added latency is typically under 5ms — imperceptible to users. The proxy sits on the same host, so there's no network hop. Filter pack matching uses pre-compiled regex trees that evaluate in microseconds.
Shield is designed as a local sidecar, not a remote service. It runs on your infrastructure alongside your applications. If the Shield process stops, it fails closed — requests are blocked rather than passed through uninspected. For high-availability deployments, you can run multiple Shield instances behind a load balancer.
Yes. Shield sits between your application and the LLM provider as a man-in-the-middle proxy. It terminates TLS, inspects the plaintext, then re-encrypts for the upstream provider. This is why Shield runs locally — the plaintext never leaves your host.
Shield is provider-agnostic. It works with any OpenAI-compatible API (Anthropic, OpenAI, Google, DeepSeek, Mistral, local models via Ollama/vLLM). The proxy speaks standard HTTP/1.1 and doesn't care which model is on the other side.
WAFs and API gateways operate at the network/HTTP layer — they block IPs, rate-limit, and check headers. Shield operates at the semantic layer: it understands the structure of LLM requests and responses. It can detect when a prompt contains secrets, when a model response leaks PII, or when a developer is about to send production configs to an external API. Traditional tools can't see inside JSON-RPC bodies.
No. Shield works as a transparent proxy. Set one environment variable (SHIELD_PROXY_URL) and every API call flows through Shield automatically. No SDK, no library, no code changes. Your developers keep using their existing tools and workflows.