A firewall for AI context
When your agent searches the web, reads a document, or calls an API, that content goes straight into its context window. ContextWall screens everything first, blocks attacks, and enforces your security policy before the model ever sees it. No changes to your agent code.
Built for engineering teams shipping AI agents into production
Your agent trusts everything it reads
LLMs have no built-in concept of source trust. Content retrieved from a web search and content from your system prompt look identical once they are both inside the context window. Attackers exploit this directly.
CVE-2025-32711
EchoLeak
Microsoft 365 Copilot
An attacker sends a crafted email. Copilot reads it, interprets embedded instructions as commands, silently accesses internal SharePoint files, and sends them to the attacker. The user never clicks anything.
Copilot had no way to distinguish a trusted system instruction from untrusted email content. Both looked the same inside the context window.
USENIX Security 2025
PoisonedRAG
RAG pipelines
Researchers planted five adversarial documents into a knowledge base of millions. When users asked questions, the model retrieved and repeated the false content as confident fact — with no jailbreak, no system prompt change, and no model access needed.
The RAG pipeline retrieved documents by relevance score and passed them straight to the model. There was no check on where the document came from or whether it should be trusted.
Both attacks exploited the same gap: no trust boundary at the context layer. ContextWall fixes this by tagging every context source with a trust tier and applying your policy rules before content reaches the model.
How it works
ContextWall sits between your retrieval step and the model. Every piece of context passes through three detection layers before the LLM sees it. No LLM inference in the hot path. Typical overhead is under 1ms.
Context sources
web, docs, APIs, user input
ContextWall
screen, score, enforce policy
Clean context only
safe documents passed through
Your LLM
Claude, GPT-4, Gemini, etc.
Source trust tiers
You declare what each context source is. ContextWall applies the right level of scrutiny automatically based on that tier.
Internal
Your code repos, internal wikis
External
Vendor docs, partner APIs
Untrusted
Public web, user-submitted input
Regulated
FHIR APIs, PHI data sources
Three detection layers
Applied in order from cheapest to most thorough. All three run in under a millisecond. No external calls, no LLM inference.
Layer 1: Structural
< 0.1msScans raw bytes for known obfuscation tricks: bidirectional control characters, zero-width characters, and spaced-letter keywords ("i g n o r e a l l"). These are invisible to the human eye but readable by the model.
Layer 2: Pattern matching
< 0.2msRuns regex patterns against normalized text. Catches injection syntax, exposed API keys (AWS, GitHub, Anthropic), bearer tokens, and PII like emails, phone numbers, and SSNs.
Layer 3: Heuristic scoring
< 0.5msScores each message for instruction-like intent, even when the wording avoids obvious keywords. Catches paraphrases like "your previous assignment has been superseded" that bypass regex entirely.
Integrate in minutes
Three ways to add ContextWall depending on how your agent is built. You can use more than one at the same time.
# Anthropic
export ANTHROPIC_BASE_URL=https://your-tenant.contextwall.io/proxy/anthropic
export ANTHROPIC_API_KEY=sk-cre-your-key
# OpenAI
export OPENAI_BASE_URL=https://your-tenant.contextwall.io/proxy/openai/v1
export OPENAI_API_KEY=sk-cre-your-key
# Every SDK call in your codebase is now protected.
# No other code changes needed.Works with the Anthropic and OpenAI SDKs in any language: Python, Node, Ruby, Go.
Security policy as config
Everything is declared in YAML. Sources, rules, and thresholds all live in a file you commit to your repo, review in a pull request, and deploy alongside your other infrastructure config.
- Sources declared in config at startup, no API calls or setup scripts
- Four-layer policy: fleet-wide rules down to individual repo overrides
- Pre-built packs for HIPAA, SOC2, and FedRAMP included out of the box
- Rules reload within 5 seconds of a file change, no restart needed
- Every rule can map to a compliance control ID for audit evidence
# ctxfw.yaml
# Declare your context sources here. ContextWall registers them
# on startup automatically. No API calls, no scripts to run.
sources:
- id: brave-web-search
type: web
trust_tier: untrusted
- id: internal-confluence
type: confluence
trust_tier: internal
data_classification: sensitive
- id: fhir-api
type: api
trust_tier: regulated
data_classification: phi
owner: clinical-data-teamPricing
Start free and self-hosted. Move to managed cloud when you want us to run it.
Open Source
Free
Forever. AGPL v3.
- Full proxy + detection engine
- Source trust registry
- Four-layer policy DSL
- Tamper-evident provenance log
- Python SDK (SafeAnthropic, SafeOpenAI)
- Pre-built HIPAA, SOC2, FedRAMP packs
- Prometheus metrics
- Self-hosted only
Managed Cloud
Coming soon
Join the waitlist for early pricing
- Everything in Open Source
- Hosted, zero infrastructure to run
- Multi-tenant control plane
- Web console + source management UI
- Usage dashboard + billing
- Automatic updates
- Email support
- SOC2 Type II compliance export
Enterprise
Contact us
For regulated industries and large fleets
- Everything in Managed Cloud
- BAA (HIPAA Business Associate Agreement)
- SSO / SAML
- Fleet policy management
- Dedicated tenant / on-prem option
- SLA + priority support
- Custom compliance reporting
- FedRAMP-ready deployment
Get early access
Managed cloud is launching soon. Join the list and we'll reach out with early pricing before it goes public.
No spam. One email when early access opens. Unsubscribe any time.