For teams that already use a VPN
Your VPN secures the tunnel. Who secures what's inside?
Your VPN encrypts the connection between your developers and the internet. Good. But it can't see what your developers are sending through it — AWS keys pasted into Claude, database passwords shared with Copilot, source code uploaded to ChatGPT. That's shadow agent traffic. And your VPN is blind to it.
Your VPN is doing its job. It's just not this job.
A VPN and a prompt firewall solve different problems. You need both.
| What it does | Your VPN | CitrusGlaze Prompt Firewall |
|---|---|---|
| Encrypts traffic | Yes ✓ | Not its job |
| Hides IP address | Yes ✓ | Not its job |
| Connects to corporate network | Yes ✓ | Not its job |
| Detects secrets in AI prompts | ✗ Can't see inside HTTPS | Yes — 349+ patterns ✓ |
| Blocks dangerous tool calls | ✗ Doesn't inspect payloads | Yes — 3-layer evaluation ✓ |
| Detects prompt injection | ✗ Not designed for this | Yes — 18 pattern groups ✓ |
| Tracks AI costs per team | ✗ | Yes — per-app attribution ✓ |
| Enforces AI usage policies | ✗ | Yes — Cedar policies ✓ |
| Sees shadow agent traffic | ✗ Encrypted, invisible | Yes — every request ✓ |
Think of it like airport security
Your VPN is the secure tunnel between the terminal and the plane. It ensures nobody intercepts you on the way there.
CitrusGlaze is the security checkpoint. It inspects what's in your bag before you board — credentials, secrets, dangerous payloads — and stops the ones that shouldn't fly.
You wouldn't skip airport security just because you have a jetbridge. You need both.
What your VPN can't see
- Developer pastes AWS_SECRET_ACCESS_KEY into Cursor
- AI agent runs DROP TABLE users via MCP tool call
- Production database URI sent to Claude for debugging help
- Employee uses personal ChatGPT with company source code
- AI agent makes 47 API calls per hour — nobody knows the cost
All of this passes through your VPN encrypted. It looks like normal HTTPS traffic. Your VPN faithfully delivers it to the AI provider — secrets and all.
Better together: VPN + Prompt Firewall
Your VPN encrypts the connection
Your existing VPN continues to work exactly as it does today. It encrypts traffic, connects your team to corporate resources, and hides your network topology. Nothing changes.
CitrusGlaze inspects AI traffic locally
Before AI requests enter the VPN tunnel, CitrusGlaze's prompt firewall inspects them locally on each machine. Secrets are blocked. Dangerous tool calls are evaluated. Policies are enforced. All in under 10ms.
Clean traffic reaches AI providers
Only sanitized requests reach the AI provider. No credentials, no private keys, no database URIs. Your VPN delivers clean traffic through a secure tunnel. Defense in depth.
The threat your VPN wasn't built for: shadow agent traffic
51% of AI traffic is now automated. Agents run with your credentials, make tool calls, and send data to AI providers — no human in the loop. Your VPN sees encrypted HTTPS. CitrusGlaze sees the prompt.
9-stage prompt firewall. Under 10ms.
Works alongside your VPN. No network changes required.
1. AppIdentification: Source app from SNI/process info
2. CedarPolicy: Evaluate action (may block/downgrade)
3. SecretScan: 349+ secret patterns
4. InjectionDetect: 18 pattern groups + heuristics
5. GuardrailCheck: Destination allowlist + content rules
6. LoopDetect: 5 identical tool calls in 60s → block
7. HoneyTokenCheck: Exfiltration canary detection
8. ModelRouting: Cost-based model downgrade
9. Audit: Structured logging with timing
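
To make the LoopDetect rule above concrete, here is a sliding-window sketch of "5 identical tool calls in 60s → block". It is an added example, not CitrusGlaze's code. It assumes that "identical" means the same tool name and arguments from the same agent, and that the fifth call is the one blocked; `LoopDetector`, `fingerprint`, `replay` and the sample events are hypothetical.

```python
import hashlib
import json
from collections import defaultdict, deque

MAX_IDENTICAL = 5       # threshold from the stage list: 5 identical tool calls
WINDOW_SECONDS = 60.0   # within 60 seconds


def fingerprint(tool, args):
    """Stable hash of a tool call; argument key order must not matter."""
    canonical = json.dumps({"tool": tool, "args": args},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class LoopDetector:
    def __init__(self, limit=MAX_IDENTICAL, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._seen = defaultdict(deque)  # (agent, fingerprint) -> timestamps

    def check(self, agent, tool, args, now):
        """Return 'block' once `limit` identical calls fall inside the window
        (assumption: the limit-th call itself is blocked), else 'allow'."""
        times = self._seen[(agent, fingerprint(tool, args))]
        while times and now - times[0] >= self.window:
            times.popleft()              # forget calls older than the window
        times.append(now)
        return "block" if len(times) >= self.limit else "allow"


def replay(events):
    """Run (t, agent, tool, args) events through a fresh detector."""
    det = LoopDetector()
    return [det.check(agent, tool, args, t) for t, agent, tool, args in events]


# Constructed sample traffic: agent-a retries one query, agent-b behaves.
SAMPLE = [
    (0,  "agent-a", "sql.query", {"q": "SELECT 1", "db": "app"}),
    (5,  "agent-a", "sql.query", {"db": "app", "q": "SELECT 1"}),  # keys reordered
    (10, "agent-b", "sql.query", {"q": "SELECT 1", "db": "app"}),  # other agent
    (15, "agent-a", "sql.query", {"q": "SELECT 1", "db": "app"}),
    (20, "agent-a", "sql.query", {"q": "SELECT 2", "db": "app"}),  # different args
    (25, "agent-a", "sql.query", {"q": "SELECT 1", "db": "app"}),
    (30, "agent-a", "sql.query", {"q": "SELECT 1", "db": "app"}),  # 5th identical
    (95, "agent-a", "sql.query", {"q": "SELECT 1", "db": "app"}),  # window expired
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(event[0], event[1], verdict)
```

Canonicalizing the arguments before hashing is what keeps a retry with reordered JSON keys from slipping past the counter.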
Keep your VPN. Add a prompt firewall.
CitrusGlaze deploys alongside your existing security stack in 5 minutes. No network changes. No VPN replacement. Just AI Traffic Control where your VPN can't see.