Prompt and context inspection
Capture user prompts, retrieved context, hidden instructions, system prompts, model outputs, and policy decisions.
AI security operations
LLM security is operational security. IronSOC gives the SOC visibility into the AI transaction chain so agent behavior can be detected, constrained, and investigated.
Prompt injection, tool abuse, data leakage, and poisoned retrieval are not isolated app bugs. They are incident paths.
Capture user prompts, retrieved context, hidden instructions, system prompts, model outputs, and policy decisions.
Map every tool, API, token, and workflow an agent can touch, then detect excessive agency before damage happens.
Watch document ingestion, embedding drift, poisoned sources, sensitive retrieval, and context exfiltration.
Turn adversarial testing into detections, guardrail updates, playbooks, and executive risk reporting.
Control-plane posture
Out of band, on the full AI transaction chain — prompts, tool calls, retrieval context, and agent permissions. Never as a proxy between your users and your models.
An inline prompt firewall taxes every model call with latency, becomes a single point of failure, and judges prompt text in isolation — the easiest layer to evade. The durable choke point is the action layer: tool calls and permissions, where auto-contain actually stops damage.
We interoperate with the inline guardrail products your platform team already runs and treat their verdicts as one more signal — rather than duplicating them badly. Every containment action carries a declared mode: autonomous, approval-gated, or blocked.
OWASP LLM Top 10 · 2025
For each category, IronSOC defines what we watch, how we detect, what we contain, and which actions are autonomous, gated, or blocked. The default posture errs on the side of human approval when business impact is high.
Service tiers
Runtime monitoring stops prompt injection and tool abuse in production. AI red teaming finds the failure modes before production. We deliver both, on one operating model, so the same detections you ship to runtime also run as pre-deploy gates.
Continuous monitoring of prompts, retrieved context, tool calls, OAuth grants, and model outputs. Bounded automation with human approval on business-impacting actions.
Expert-led adversarial engagements against your models, agents, RAG corpora, and MCP/plugin surfaces. Findings ship back as runtime detections, not PDFs.
Model rotation & pinning policy
The AI we use to defend you is held to the same eval discipline as the detections we ship — and it is deliberately not one model. Detection rotates across a roster of pinned LLMs because variety is coverage: every model has blind spots, and they are different blind spots. Each model in the roster is pinned per detection, evaluated before promotion, escalated by documented rule, and rolled back through git when it regresses.
Every detection that uses an LLM declares the exact model, version, and prompt revision it was evaluated against. The pin lives in the detection file, in git — not in a console.
Detection review is spread across a roster of different pinned LLMs, not a single champion model. Different models have different blind spots — an evasion tuned against one routinely trips another, and the attacker cannot predict which model reviews which alert.
The rotation does not need every model to catch the attack. One suspicion flag — by skill or by luck — routes to a human with full context, and the surreptitious campaign behind it unravels from there. No single model is a single point of failure.
A model change is a code change. Candidate models are run against the eval set in CI; promotion requires precision, recall, FP rate, and runtime cost to meet or beat the incumbent.
Most analyst-assist work runs on smaller, cheaper models. Escalation to a larger reasoning model is gated by a documented rule (severity, tool-call class, ambiguity score) that lives next to the detection.
If a promoted model regresses, rollback is a git revert that re-pins the prior version. The prior eval is replayed automatically to confirm the rollback restored quality.
What we watch