LLMs Don’t Have a Security Layer — So I Built One

Matheus Delgado — Sun, 04 Jan 2026 02:19:31 +0000

Over the last year, companies have started connecting LLMs to real users, real data and real systems. That’s when I realised something important:

LLMs don’t come with a security layer.

Once you expose an LLM to the real world, you also expose yourself to:

prompt injection
phishing & social-engineering via LLM
data exfiltration
PII leakage
unsafe or non-compliant outputs
zero auditability

And unlike traditional input validation, LLM attacks are linguistic — meaning you’re not filtering SQL or JSON… you’re filtering natural language.

So I built a Zero-Trust Security Gateway for LLMs

Instead of calling the model directly, requests flow through:

client
↓
Firewall & risk detection

↓
Prompt normalization & rewriting

↓
Policy enforcement

↓
Inbound data protection (masking)
↓
LLM
↓
Outbound protection (redaction)
↓
Response governance filter
↓
Audit logging

This runs as a gateway, so teams can deploy it inside their own infrastructure — without sending data to yet another SaaS.

Real-world risks I’m seeing

Prompt injection
Users convince the model to ignore your instructions.
Phishing & social engineering
LLM becomes the attack channel itself.
Data leakage
Models happily return internal or sensitive information.

What this gateway actually does

detect malicious or risky instructions
detect phishing & deception
normalize & rewrite prompts safely
enforce policy rules
mask & protect sensitive data
block unsafe outputs
log every decision None of this is a silver bullet — the goal is to reduce risk in production environments.

Example: blocking a phishing-style response
If the model attempts to request credentials or send a malicious link, the gateway blocks or rewrites it — and logs the decision so it is auditable later.

Why self-hosted?
Many companies don’t want another SaaS handling sensitive data.
So the gateway runs via Docker in your own infra — the license only validates usage.

I’d love feedback
This is still evolving. If you’re working with LLMs in a serious environment (security, compliance, healthcare, finance, SaaS) I’d really value your input.

Demo & docs: https://llmsafe.cloud

Happy to answer questions or discuss real-world attack scenarios.

Forem: Matheus Delgado

LLMs Don’t Have a Security Layer — So I Built One