AI security for teams that ship fast
Full visibility into every AI request your team makes. Secret detection, policy enforcement, and cost tracking — deployed in 5 minutes, running 100% locally.
Why teams choose CitrusGlaze over enterprise DLP
| Capability | CitrusGlaze | Enterprise DLP |
|---|---|---|
| Deploy time | 5 minutes | 208 days average |
| Data routing | 100% local — never leaves your network | Routed through vendor cloud |
| Price (50-person team) | $6,000/year | $10,000–$26,800/year |
| Secret detection | 349+ AI-specific patterns | Generic DLP rules |
| Source code | Scanner is open source (MIT) | Proprietary black box |
Verified capabilities
Every feature links to source code. Verify for yourself.
Cedar Policy Engine
Declarative policies with hot-reload. Control which tools can make which API calls.
9-Stage Inspection Pipeline
Every request passes through 9 security stages in under 10ms.
349+ Secret Detection Patterns
AWS keys, database URIs, API tokens, private keys. Real-time blocking and redaction.
Injection Detection
18 pattern groups plus heuristic analysis for prompt injection attempts.
Honey Token Detection
Exfiltration canary credentials that detect and block data theft attempts.
Kernel Sandbox
Seatbelt (macOS) and Landlock (Linux) kernel-level sandboxing via nono.
Sigstore Attestation
Supply chain integrity verification for every binary release.
Loop Attack Detection
5 identical tool calls in 60 seconds triggers automatic blocking.
Cost-Based Model Routing
Automatic model downgrade based on cost policies and usage caps.
9-stage inspection pipeline
Every request passes through these stages in under 10ms. Click any stage to view the source.
AppIdentification
Source app from SNI/process info
CedarPolicy
Evaluate action (may block/downgrade)
SecretScan
349+ secret patterns
InjectionDetect
18 pattern groups + heuristics
GuardrailCheck
Destination allowlist + content rules
LoopDetect
5 identical tool calls in 60s → block
HoneyTokenCheck
Exfiltration canary detection
ModelRouting
Cost-based model downgrade
Audit
Structured logging with timing
Frequently asked questions
How does deployment work? ▾
CitrusGlaze is a local MITM proxy that runs on each developer's machine. Install takes 5 minutes — no network infrastructure changes, no VPN routing, no cloud service to configure. The proxy intercepts AI API calls locally and enforces policies before requests leave the machine.
Where does my data go? ▾
Nowhere. All processing happens locally. Logs are stored in a local SQLite database on each machine. No data is sent to CitrusGlaze servers. No telemetry, no phone-home, no cloud processing. You can verify this in our open-source code.
Is the scanner really open source? ▾
The scanner is MIT licensed and fully open source. The proxy and enterprise features are proprietary. We believe in transparency — the scanner's 349+ detection patterns are auditable on GitHub.
What support is available? ▾
Enterprise customers get founder-direct support. We're an early-stage company — you'll talk to the people who built the product, not a support tier. Email [email protected] for response within 24 hours.
How do I evaluate CitrusGlaze? ▾
Start with the free scanner (pip3 install citrusglaze-scan) to see what secrets are in your team's AI history. Then install the proxy on a few machines for a proof-of-concept. No sales call needed to get started — but we're happy to walk you through the architecture.
Do you have compliance certifications? ▾
Not yet. We don't have SOC 2 Type II or FedRAMP authorization. We're transparent about where we are: early-stage, with an open-source scanner you can audit. See our /security page for our full honest assessment.
Ready to secure your team's AI traffic?
Deploy in 5 minutes. 100% local. No data leaves your network.