FAQ

Do you see my prompts?

In memory, during the request — yes. Stored anywhere — no, never.

The gateway has to parse your request in order to screen it. That is what inspection means, and anyone claiming to filter content they cannot read is describing something other than what they built.

It is not persisted, not logged, and not sent anywhere except the provider you addressed. The log schema has no column that could hold a prompt. See zero data retention.

Do you train on my data?

No. We do not retain it, so there is nothing to train on.

What your provider does with the request after we forward it is governed by your contract with them — see the threat model.

Can you read my provider API key?

The gateway can decrypt it, because it must inject it upstream. It is stored as a KMS ciphertext bound by encryption context to your organisation and that provider, so a database breach yields blobs nobody can decrypt.

No API returns it — not the dashboard, not the CLI. There is no read path in the system. See key custody.

Why is it free?

Because we are not a middleman in your provider relationship. We do not pool your keys, mark up your tokens, or resell inference — you keep your own billing with each provider. That is what makes gateways expensive, and we do none of it.

Does it add latency?

A policy check and a regex pass. Microseconds. RE2 guarantees linear-time matching, so no pattern and no input can make it slow.

The network hop is real but small. Your latency is the provider’s.

Do I have to use the CLI?

No. Everything is available on the dashboard, and any client can be configured by hand. The CLI is faster, it wires your local coding agents for you, and it is the only way to manage policy as code.

Can I run different policies for different teams?

No. Policy is organisational: one Vulnetix API key, one policy, applied to every request. There is no per-team, per-project, or per-user policy, and no key scoping.

If you need genuinely different policies, you need different organisations. See limitations.

Can I block a model that does not exist yet?

Only with an allowlist. A model unknown to the catalog passes unless the provider is in allowlist mode — deliberately, so a model released this morning is not an outage.

A deny list cannot block what has not shipped. An allowlist can.

Does it stop prompt injection?

It helps. It does not stop it.

There is no ML classifier — guardrails are regexes, and you build injection defences out of pattern rules. That catches the common cases and is trivially evaded by someone who knows it is there. What actually contains injection is least privilege and human approval on consequential actions. See prompt injection, which is explicit about this.

Does it scan what the model says back?

No. Guardrails run on requests only. There is no output filtering. This is the largest gap in the product and we do not hide it — see guardrail limitations.

What happens if the firewall goes down?

Requests fail. They are not forwarded unscreened.

Authentication and provider/model policy are always fail-closed. Guardrail evaluation has a fail-open switch, off by default. A firewall that forwards traffic it could not screen is not a firewall.

Can a developer bypass it?

Yes — by not using it. Unset the environment variable and they are talking to the provider directly.

The firewall is a control, not a cage. That is what client-side configuration means. It is why vulnetix ai-firewall status has a bypasses_firewall check, and why you should verify rather than assume.

Is all my Cursor traffic firewalled?

No, and this one matters. Cursor’s tab completions never route through BYOK, and Auto mode may not either. That traffic goes to Cursor’s own models regardless of how you configure it.

If you have told someone all Cursor traffic is firewalled, correct it. See Cursor.

Are there rate limits or spend caps?

None. No rate limits, no budgets, no quotas, no cost tracking. If you got a 429, it came from the provider against your own account.

The only quantitative control is max_messages, which caps conversation length — not spend.

Why did my request succeed but the answer is about “[REDACTED]”?

A redaction rule rewrote your prompt. Redaction is silent by design: the request succeeds, and the client is never told.

Tell your developers you redact, or they will file bugs about the model being stupid.

Can I use it with a provider you do not list?

Providers are data, not code — anything speaking one of the three surfaces and authenticating with a header can be added without a code change. Ask us.

Does it work with LangChain / LlamaIndex / Vercel AI SDK?

Yes. Anything that lets you set a base URL and an API key works, because that is all the configuration there is. See the SDK tutorials.

Note the Vercel AI SDK ignores OPENAI_BASE_URL — you must set the base URL in code. For most providers that is true of every SDK.

How do I know it is actually working?

Add a canary guardrail and confirm you get a 403 instead of an answer. Verify walks through it. Do this rather than assume — an unenforced firewall you believe in is worse than none.