The short version

Pipelock is a network-layer proxy. It scans HTTP requests and MCP tool calls for credential leaks, prompt injection, and tool poisoning. It works with any agent that makes HTTP requests.

LlamaFirewall is an inference-layer Python library from Meta. It checks the model’s reasoning chain before it acts, using three scanners: PromptGuard (input classification), AlignmentCheck (chain-of-thought auditing), and CodeShield (static analysis of generated code).

They operate at completely different layers. One watches the wire. The other watches the model.

Feature comparison

| Feature | Pipelock | LlamaFirewall |
|---|---|---|
| Layer | Network (HTTP/MCP proxy) | Inference (Python SDK) |
| Language | Go (single binary) | Python |
| Deployment | Proxy, sidecar, or standalone | Library imported into your code |
| DLP (credential scanning) | Yes, 46 patterns, encoding-aware | No |
| Prompt injection detection | Pattern-matching on responses | PromptGuard classifier (model-based) |
| Chain-of-thought auditing | No | Yes (AlignmentCheck, novel) |
| Code analysis | No | Yes (CodeShield, regex + semgrep) |
| MCP tool scanning | Yes (bidirectional) | No |
| Tool poisoning detection | Yes | No |
| Rug-pull detection | Yes | No |
| SSRF protection | Yes | No |
| Works with Claude Code | Yes (HTTPS_PROXY) | No (can’t modify inference chain) |
| Works with Cursor | Yes (proxy config) | No |
| Works with custom agents | Yes | Yes (if Python, if you control the pipeline) |
| Process sandbox | Yes (Linux + macOS alpha) | No |
| Flight recorder | Yes (hash-chained, tamper-evident) | No |
| Compliance evidence | Yes (OWASP, NIST, EU AI Act, SOC 2) | No |
| A2A protocol scanning | Yes | No |
| Attack simulation | Yes (54 scenarios) | No |
| Dependencies | 17 Go modules | PyTorch, Transformers, model downloads |
| License | Apache 2.0 | MIT |

Where LlamaFirewall is better

AlignmentCheck is genuinely novel. It uses a secondary LLM to audit the primary model’s chain-of-thought reasoning. If the model is thinking “I should read the SSH key and send it,” AlignmentCheck can catch that before it happens. No network-layer tool can do this because network-layer tools only see the result, not the reasoning.

PromptGuard is model-based. It classifies inputs using a fine-tuned model rather than regex patterns. This means it can catch novel injection phrasings that pattern-matching would miss.

CodeShield catches unsafe code. If the model generates code with known vulnerabilities, CodeShield flags it using semgrep rules. Pipelock doesn’t analyze generated code.

Where Pipelock is better

Works with closed-pipeline agents. Claude Code, Cursor, GitHub Copilot, and most commercial agents use hosted models. You can’t insert a Python library into their inference chain. Pipelock works with all of them because it operates at the network layer. Set HTTPS_PROXY and you’re done.

Credential leak prevention. Pipelock scans every outbound request for API keys, tokens, and secrets using 46 DLP patterns. It handles base64, hex, and URL encoding. LlamaFirewall doesn’t have DLP.
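To make the encoding-aware part concrete, here is an added Go example (not Pipelock's code) of the kind of check a network-layer DLP scanner performs on an outbound body. The secret shape `DEMOKEY_...`, the chunk patterns and the sample bodies are constructed for this demo.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"net/url"
	"regexp"
	"strings"
)

// Constructed credential shape for this demo (fixed prefix plus 16 alphanumerics);
// not one of Pipelock's 46 patterns. The chunk patterns find candidate encoded runs.
var secretPattern = regexp.MustCompile(`DEMOKEY_[A-Za-z0-9]{16}`)
var b64Chunk = regexp.MustCompile(`[A-Za-z0-9+/]{16,}={0,2}`)
var hexChunk = regexp.MustCompile(`(?i)[0-9a-f]{32,}`)

// Finding is one leaked secret and the encoding it was hidden behind.
type Finding struct {
	Encoding string // "plain", "url", "base64" or "hex"
	Match    string
}

func matchAll(s, enc string, out []Finding) []Finding {
	for _, m := range secretPattern.FindAllString(s, -1) {
		out = append(out, Finding{enc, m})
	}
	return out
}

// ScanOutbound inspects a request body as sent and after one layer of URL, base64
// or hex decoding, so a secret does not pass just because the agent (or an injected
// instruction) wrapped it in a common encoding. Nested encodings are out of scope.
func ScanOutbound(body string) []Finding {
	out := matchAll(body, "plain", nil)
	if dec, err := url.QueryUnescape(body); err == nil && dec != body {
		out = matchAll(dec, "url", out)
	}
	for _, c := range b64Chunk.FindAllString(body, -1) {
		// Drop padding and decode with the raw alphabet so unpadded runs decode too.
		if dec, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(c, "=")); err == nil {
			out = matchAll(string(dec), "base64", out)
		}
	}
	for _, c := range hexChunk.FindAllString(body, -1) {
		if dec, err := hex.DecodeString(c); err == nil {
			out = matchAll(string(dec), "hex", out)
		}
	}
	return out
}
```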

MCP security. Pipelock scans MCP tool descriptions for poisoned instructions, detects mid-session description changes (rug-pulls), and scans tool arguments for credential leaks. LlamaFirewall doesn’t speak MCP.
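An added example, not Pipelock's own code, of how a proxy can pin each tool description the first time it sees a tools/list result and then flag both injected instructions and mid-session changes (rug-pulls). The `Tool` type, the phrase list and the registry are constructed for this demo.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// Tool is the part of an MCP tools/list entry this check needs (constructed type).
type Tool struct{ Name, Description string }

// Constructed phrases typical of instructions aimed at the model rather than the
// user. Pipelock's own rule set is not reproduced here.
var poisonPhrases = []string{"ignore previous instructions", "do not tell the user", "<important>"}

// ToolRegistry pins the description hash of each tool the first time it is seen in
// a session; a later tools/list that changes it is a rug-pull.
type ToolRegistry struct {
	pinned map[string]string // tool name -> sha256 of description
}

func NewToolRegistry() *ToolRegistry { return &ToolRegistry{pinned: map[string]string{}} }

func descHash(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Check scans one tools/list result. It returns "poison:<name>" for descriptions
// carrying injected instructions and "rug-pull:<name>" for descriptions that differ
// from the pinned one. The pin is never updated, so the change stays flagged.
func (r *ToolRegistry) Check(tools []Tool) []string {
	var alerts []string
	for _, t := range tools {
		lower := strings.ToLower(t.Description)
		for _, p := range poisonPhrases {
			if strings.Contains(lower, p) {
				alerts = append(alerts, "poison:"+t.Name)
				break
			}
		}
		h := descHash(t.Description)
		if prev, ok := r.pinned[t.Name]; !ok {
			r.pinned[t.Name] = h
		} else if prev != h {
			alerts = append(alerts, "rug-pull:"+t.Name)
		}
	}
	return alerts
}
```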

SSRF protection. Pipelock blocks requests to private IPs, cloud metadata endpoints, and link-local addresses. It includes DNS rebinding protection. LlamaFirewall doesn’t operate at the network layer, so SSRF isn’t in scope.
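An added Go example, not Pipelock's own code, of the two checks this paragraph describes: refusing private, link-local and cloud-metadata destinations (including the IPv4-mapped IPv6 form), and pinning the resolved address so a rebinding DNS answer can't redirect the request after the check. The range list and the injected `lookup` function are constructed for this demo.

```go
package main

import (
	"errors"
	"net/netip"
)

// Ranges an agent-facing proxy should refuse: loopback, RFC 1918, CGNAT, link-local
// (home of the 169.254.169.254 metadata endpoint) and IPv6 equivalents. Constructed list.
var blocked = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"), netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("100.64.0.0/10"), netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("::1/128"), netip.MustParsePrefix("fc00::/7"), netip.MustParsePrefix("fe80::/10"),
}
var errBlocked = errors.New("destination resolves to a blocked address")

// IsBlockedAddr reports whether an address is in a refused range. Unmap turns an
// IPv4-mapped IPv6 literal (::ffff:127.0.0.1) back into IPv4 so it cannot slip past.
func IsBlockedAddr(a netip.Addr) bool {
	a = a.Unmap()
	for _, p := range blocked {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// ResolveAndPin is the DNS-rebinding defence: resolve once, reject if any answer is
// blocked, and return the vetted address so the caller dials that literal (keeping the
// original Host header) instead of resolving again. lookup is injected to run offline.
func ResolveAndPin(host string, lookup func(string) ([]netip.Addr, error)) (netip.Addr, error) {
	if a, err := netip.ParseAddr(host); err == nil { // literal address, no DNS involved
		if IsBlockedAddr(a) {
			return netip.Addr{}, errBlocked
		}
		return a, nil
	}
	addrs, err := lookup(host)
	if err != nil || len(addrs) == 0 {
		return netip.Addr{}, errors.New("lookup failed for " + host)
	}
	for _, a := range addrs {
		if IsBlockedAddr(a) {
			return netip.Addr{}, errBlocked
		}
	}
	return addrs[0], nil
}
```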

Built-in process containment. pipelock sandbox wraps any process with Landlock, seccomp, and network namespace isolation on Linux, and sandbox-exec profiles on macOS (alpha). LlamaFirewall doesn’t do process-level containment.

Zero dependencies at runtime. Single Go binary, ~18MB. No Python, no PyTorch, no model downloads. LlamaFirewall requires a Python environment with PyTorch and needs to download model weights for PromptGuard.

Bypass surface

Both tools have known limitations.

LlamaFirewall: Researchers have demonstrated approximately 50% bypass rates against PromptGuard using encoding tricks, language switching, and prompt obfuscation. AlignmentCheck depends on the auditing model being smarter than the attack. If the primary model’s chain-of-thought doesn’t reveal its intent (or is suppressed), AlignmentCheck can’t catch it.

Pipelock: Pattern-based injection detection will miss novel phrasings. DLP regex won’t catch encrypted or novel credential formats. If the agent sends data through a channel Pipelock doesn’t proxy (raw TCP, DNS), it won’t see it.

Note: PromptGuard 2 claims significantly improved detection rates over v1. Independent benchmarks are still limited, so treat vendor numbers with appropriate caution.

Neither tool alone is a complete defense. That’s the whole point of defense in depth.

When to use each

Use LlamaFirewall if: You’re building a custom agent in Python, you control the model pipeline, and you want to catch unsafe reasoning before the model acts.

Use Pipelock if: You’re running any agent (commercial or custom) and you want to prevent credential leaks, scan MCP tools, and block SSRF at the network layer.

Use both if: You’re building a custom Python agent and want defense at both layers. LlamaFirewall catches bad intent. Pipelock catches bad traffic. Different failure modes, complementary coverage.

Further reading