K Kilasec
Private beta · invite-only Request access
Network-layer AI firewall

AI traffic doesn't belong on a SaaS API. It belongs on your firewall.

Kilasec inspects every AI call leaving your network — discovers shadow models, redacts secrets and PII before they cross the wire, and holds runaway agents for approval. No SDK. No endpoint agent. It lives where you already enforce policy.

$Drops in as a single container. One PAC/proxy push to your existing edge — decrypts, classifies, and decides in-line.
Inline at the edge

Every other AI security tool is a library. This one is a firewall.

The current crop asks you to integrate an SDK, run a sidecar, or rewrite your agents — which works right up until someone pastes an API key into ChatGPT, or a vendor tool you've never heard of starts calling a model from a finance laptop.

Discover

See every AI call

Decrypted inspection of OpenAI, Anthropic, Copilot, Gemini, Bedrock, Ollama and 30+ endpoints — classified on the fly, including ones not yet named.

Redact

Catch it at the wire

Secrets, credentials, customer PII and card numbers are masked the moment they leave the network — not when an SDK politely asks.

Attribute

Real identity

Map each request to a user and directory group — from AD, DHCP, or CSV. Write allow group:eng → api.anthropic.com.

Prove

Audit-grade history

Every admin change and blocked request, retained 30 days to 7 years. Export for SOC 2, HIPAA, or your own change control.

SDK / sidecar

Guards only what you remember to wrap

  • Every agent, tool and script has to import it
  • Shadow AI and browser paste-ins slip straight past
  • A new vendor's tool is invisible until it's too late
  • Coverage lives in application code you don't control
Kilasec · network layer

Sees the traffic itself — nothing to integrate

  • One collector on the network, one config push
  • Decrypts and inspects at the edge, in-line
  • Unknown providers surface on their first request
  • Policy enforced where you already enforce policy
Deployment

Deploys as one container. Gone in one command.

Built for the sysadmin who has to live with it. No endpoint agent to push, no application changes, no new box to rack — a single hardened container on hardware you already have.

01

One container, locked down

Runs read-only, non-root, --cap-drop=ALL, no-new-privileges. amd64 or arm64 — a mini-PC, a VM, or a spare NUC is plenty.

02

One config push

Point your existing PAC file or proxy at the collector. Nothing touches user devices. Roll it back by pointing them away.

03

Latency stays where it should

Only the model endpoints you scope get decrypted and inspected. Everything else routes direct, untouched — so the vast majority of traffic sees zero added hops. Inspected calls stream through a single in-line TLS-terminating proxy.

04

Fails safe, not silent

Buffers to disk if the cloud blips, drains cleanly on shutdown, and every decision is written to an audit log you own.

docker-compose.yml
# the entire deployment — one service
services:
  collector:
    image: ghcr.io/kilasec/collector:latest
    network_mode: host       # sees the edge
    read_only: true
    cap_drop: [ALL]
    security_opt: ["no-new-privileges"]
    environment:
      KILASEC_ENROLL: ${ENROLLMENT_CODE}
    restart: unless-stopped

# bring it up
$ docker compose up -d
# … and to remove it entirely
$ docker compose down
Watch it work

See a secret get stopped at the wire.

No logos to show yet — we're in closed beta. So here's the thing itself: an engineer sends a prompt with a live cloud credential in it, and Kilasec stops the request before it ever reaches the provider.

Illustrative replay of a real policy decision.

edge://tap · api.openai.com
Interactive demo
What it catches

The threats an AI firewall is built to stop

The exact event patterns Kilasec's policy engine detects and acts on — the everyday ways sensitive data, shadow AI, and runaway cost leave a network through model APIs.

Secret leakevt·a1f9

AWS credentials pasted into ChatGPT

An engineer asked for help debugging a script with a hardcoded access key and secret. Both would have left the network in the prompt body.

Blocked at the proxy, before TLS re-encrypt to OpenAI
PII redactionevt·b7c2

Customer SSNs sent to a support agent

A support team's AI agent received raw transcripts containing SSNs and card numbers. None of it should have reached the provider.

Replaced with placeholders inline, originals kept on-prem
Shadow AIevt·c3e8

Unknown vendor calling DeepSeek

A new vendor tool started reaching api.deepseek.com from a finance laptop. Nobody in IT had heard of it.

Surfaced on the first request — provider off the allowlist
Cost runawayevt·d5a1

Eval loop burned $300 in 18 minutes

A misconfigured QA agent kept re-running evals on a frontier model. At that rate, tens of thousands by morning.

Held for approval at $50, surfaced in the dashboard queue
vs the alternatives

Why the network layer wins

Capability
Kilasec
SDK / gateway
Covers agents with no code change
✓ inherent
✕ must integrate
Catches browser & desktop paste-ins
Discovers unknown providers
✓ on first call
Redacts before data leaves the network
✓ at the edge
~ in-app
Real user + AD-group identity
~ token-scoped
Deploys without touching endpoints
✓ one container
✕ per app
Private beta

Get on the beta

We're onboarding a small number of networks each week. Drop your work email and we'll reach out with an invite.

Free during the beta · no endpoint agent · SOC 2 track