A technical view of how Shield protects web inputs, existing AI chat, LLM proxy and MCP tools: architecture, decision flow, audit and comparison with WAF / reCAPTCHA.
Shield is an active and passive protection layer for forms, login, checkout, uploads, AI chat, MCP tools and APIs. The dashboard shows decisions and events so you can tune the defense — not as a log explorer. Events are operational signal, not analytics inventory.
Shield can sit in front of your web, AI chat or MCP tools. Each path has a clear decision point and an auditable result.
The JS widget and backend SDK protect contact forms, login, checkout and uploads. They collect security signals, attach an HMAC token and allow allow / challenge / block before a request reaches sensitive logic.
The prompt and response pass through an LLM firewall. Shield can anonymize sensitive data, block prompt injection, check for system-instruction leakage and work in front of the chat you already use.
MCP calls are evaluated by schema, permissions and action risk. Destructive or sensitive tool calls can require an approval gate. Every decision lands in a tenant-scoped audit log.
Shield does not replace your existing perimeter protection. It sits one layer deeper.
| Capability | Shield | WAF | reCAPTCHA / Turnstile |
|---|---|---|---|
| Headless bot detection | Yes — multi-signal scoring | Partial (IP reputation) | Yes — at the edge |
| Prompt injection against LLMs | Yes — semantic firewall | No | No |
| MCP agent abuse | Yes — policy engine | No | No |
| Form spam / disposable email | Yes — 5 languages | No | Partial |
| Upload malware scan | Yes — quarantine | Partial | No |
| SQL injection payloads | Yes — AST validation | Yes — regex | No |
| Credential stuffing (distributed) | Yes — per-account lockout | Partial (per-IP) | Partial |
| Tamper-evident audit log | Yes — exportable | Varies | No |
Complete categorized matrix. Exact thresholds, signal weights and detection internals are available to customers in the portal.
Keystroke dynamics, mouse trajectory R², scroll patterns, touch events, form-fill timing, page-dwell — multi-signal inputs fed into the local scorer and backend scoring pipeline.
Canvas, WebGL, audio context, font detection, navigator fingerprinting fused into a SHA-256 device hash. Detects headless browsers and anti-detect tools.
Short-lived cache snapshot of device_hash, webgl_renderer, user_agent, timezone, screen_resolution at session start. Sensitive events (login, form submit, checkout) compare the live fingerprint; drift adds significant risk signals respectively.
OpenAI- and Anthropic-compatible base URL. Shield scans every prompt before forwarding and every completion before returning, blocks on policy hit, strips PII / secrets on stream.
Embedding-based detection across many attack categories. "Disregard earlier directives" ≈ "Ignore previous instructions" at cosine similarity. Ollama-local embeddings — zero per-request API cost.
Tool-call interception for Claude / Cursor / IDE agents. JSON Schema validation of arguments, chain-step limit, domain allowlist, explicit approval gates on destructive tools. Inspects every invocation against agent-protection rules before execution.
40+ patterns scanning input + output + tool calls before / after the model runs. Runs alongside the Semantic Firewall for layered defence.
5 tools exposed via MCP: shield_get_stats, shield_get_threats, shield_add_rule, shield_get_events, shield_verify_token. Let your Claude / Cursor agent investigate and act on incidents without leaving the chat.
AST-parsed SQL validation. Blocks UNION, INTO OUTFILE, pg_sleep, information_schema. LIMIT capped. Sensitive columns (password, api_key, ssn) auto-redacted. Query fingerprinting and honeytoken trap tables.
Wallet detection: BTC (P2PKH/Bech32), ETH, SOL, TRX, XRP, LTC, DOGE. BIP-39 seed phrase scanning (12/24 word). Signing prompts (EIP-712). Mining domains blocked. Payment redirect patterns.
Bigram gibberish detection (EN / DE / CS / SK / ES), 100+ disposable email domains, spam patterns (repeated chars, ALL CAPS, URL flood), suspicious name detection. Phishing and bad-content corpus covers 9 languages (see Phishing card). Additive scoring with cluster bonuses.
Multi-layered email + attachment scanner. Detects Slovak/Czech/Polish/German/French/Spanish/Serbian bodies stripped of diacritics (the strongest real-world phishing signal), password-hint social engineering across 9 languages, mainframe-mimicry filenames, and password-protected PDF / Office files. Brand-agnostic cluster catches the same shape with any impersonated company name.
check_upload() accepts form_fields. When a file upload is accompanied by form data (title, description, name, message), Content Quality Scoring runs on those fields too. A clean PDF with gibberish metadata still gets rejected at high-confidence score.
Every file passes a quarantine gate — extension allowlist, magic-byte MIME sniffing, Office macro detection, PDF JavaScript / Launch / OpenAction, SVG / HTML script injection. Per-tenant max size and extension list.
Python (FastAPI / Django / Flask), Node.js (Express / Next.js), PHP (WordPress / Laravel). Validates X-Shield-Token on every request. No token → 403. HMAC verify is cached with a short-lived cache per (token, path).
3-state breaker (closed / open / half_open) in all three backend SDKs. After consecutive transport errors → OPEN for a brief interval → 1 HALF_OPEN probe. 4xx doesn't trip the breaker. PHP uses APCu for cross-FPM-worker state. No more timeouts on every request during an upstream incident.
Reason → (machine_code, human_hint) map. /shield/verify and all 3 SDK 403 bodies return remediation + remediation_code. Legit false-positive users see "Your session expired — please reload" instead of a silent 403.
Drop-in PHP plugin: auto-injects the widget, ships middleware that validates Shield tokens on /wp-login.php and admin endpoints. Fail-closed by default, configurable.
Multi-dimensional rate limiting: per-IP, per-device, per-endpoint, with progressive escalation. Server-side counters with sliding windows.
IP geolocation via ip-api.com (short-lived cache). Per-site blocked / allowed country lists. Datacenter and proxy / Tor score modifiers. Page-load hard block with access-denied overlay before widget initialises.
Widget prevents form submission at high-confidence score. Red overlay: "Blocked by Corpilus Shield". Server-signed HMAC-SHA256 tokens auto-attached to fetch() via interceptor.
278 compiled detection patterns scanned automatically on every event — covers all OWASP Top 10 2025 categories. Payload-level inspection happens before scoring.
AI analyzér analyses events continuously. RAG context grounded in a curated security knowledge base. Auto-creates threats and rules from real observations.
Pre-built threat-intel context (mini-CAG). Bot signatures, attack patterns, OWASP samples baked in — new sites are protected from the first page view.
Shield's Security Knowledge collection ships with curated docs (OWASP Top 10, bot detection, incident response). Admins can upload their own company playbooks, post-mortem reports, or domain-specific threat intel. Every upload runs through a multi-layer scan. Clean docs land as trust_state='pending' until an admin explicitly promotes them to 'active'. Only active docs reach the AI analyzer's RAG context.
Anonymised pattern sharing — IPs reduced to /24, PII stripped, maturity gating (experimental → candidate → confirmed). One tenant's confirmed attacker becomes everyone's known threat within minutes.
Widget MutationObserver snapshots all <script> tags at boot. Any subsequently injected script is reported as script_integrity_violation telemetry with src, external/same-origin, content length, stable hash. Capped per page-load. Tenant allowlist for trusted CDNs.
Redis counter per SHA-256(account_id). Each failure over the cap adds significant risk score. A distributed attack that spreads many attempts over thousands of IPs still lands on the same account bucket — the attempt on victim@corp.com triggers challenge regardless of which IP sent it. Counter resets on a successful login.
GET /shield/password/breach-range/{prefix} — client computes SHA-1(password) locally in the browser, sends only the 5-char hex prefix, Shield proxies to api.pwnedpasswords.com and streams back the suffix+count list. Client compares its own suffix locally. Server never sees plaintext OR the full hash.
A/AAAA + MX record check on signup. Fail-open on timeout. Short-lived per-domain cache so rapid signup waves from the same throwaway domain don't re-hammer DNS.
25+ protected brands (Google, Microsoft, Apple, PayPal, Stripe, Meta, LinkedIn, Revolut, SK/CZ banks & insurers). Three-tier detector: 1) normalised exact match via homoglyph map, 2) Levenshtein distance for long brands, 3) brand-substring + decorative suffix (secure/login/support/verify/auth/signin/account/official/help).
Velocity counters per IP and per device. Recent-login requirement: no successful login from this device recently → significant risk signal. Session Continuity: password_change is now in the SENSITIVE event set, so full fingerprint drift blocks immediately. The classic 'attacker grabs session → changes password → locks out user' chain needs to survive all three gates.
Email (HTML), Slack, Discord, generic JSON webhooks. Weekly security report with stats, top threats, block rate. Per-webhook severity gate (low / medium / high / critical).
Every rule change, site config edit, manual block, AI decision is recorded with actor, timestamp, before/after diff. Hash-chained, signed, and exportable as auditor-ready evidence bundle.
HMAC-SHA256 tokens are minted server-side from the per-site secret and returned via /shield/events. The widget never holds the signing secret — a leaked site_key cannot be used to forge valid tokens.
PostgreSQL Row-Level Security forced on all shield_* tables. Each request runs under a tenant-scoped role — no application-layer bypass possible even if the API has a bug.
Tracks attempts per card BIN across rolling windows. Burst patterns consistent with card-testing activate progressive challenge or block. Thresholds are tenant-tunable; defaults are conservative.
When the same PSP-provided card fingerprint appears across multiple devices, sessions or tenants in a short window, attempts are correlated and scored as a coordinated attack. Raw PAN never leaves your PSP.
Tenant-scoped baseline of issuer-country distribution. A sudden concentration of attempts against issuers from a small number of countries — well above baseline — flags probable carding traffic.
Aggregates multiple signals — diverse BIN spread, same device or session, high failure ratio — into a named carding verdict. Upgrades decision severity when confirmed by post-charge PSP feedback.
Slow-burn attacks no longer slip through. Shield watches the whole conversation arc, not just one message at a time. An attacker who chats innocuously for many turns and only then pivots to data extraction or credential phishing is caught at the moment the pattern emerges.
Before your agent runs a tool, Shield asks: is the user's actual intent consistent with calling this tool? A request to summarise a document should not trigger a database export. A travel-booking chat should not be calling a payments tool. Mismatches are gated for review.
Compromised agents and curious LLMs typically scan the environment before acting — listing directories, reading config paths, enumerating environment variables. Shield flags this reconnaissance pattern early, before any data leaves the box.
A single conversation can never quietly burn your whole monthly AI budget. Shield enforces a per-session ceiling on tokens, tool calls and elapsed time. When the cap is reached the session is paused or terminated and the operator is notified.
Shield learns what normal looks like for each user — typical hours, typical actions, typical pace — and quietly flags the day that pattern breaks. A logged-in session that suddenly behaves nothing like the real user is treated as a possible takeover.
Decoy records, files and credentials are planted in places only an attacker would dig. Real users never see them. The moment one is touched, accessed or used, Shield has a high-confidence breach signal with effectively zero false positives.
Attackers hide malicious payloads inside layered encodings — base64, hex, percent-encoding, unicode escapes — to slip past simple string filters. Shield unwraps these layers before scoring, so the underlying attack is matched against the same protections as a plain-text version.
Before any rule, model or scorer update ships, it is run against a continuously growing corpus of real-world attack scenarios. If a release accidentally weakens detection on a known threat shape, the change is blocked at CI — not after a customer is breached.
Every security decision and config change is written to a tamper-evident chain. Edits and deletions are mathematically detectable. Auditors, regulators and incident responders get a trustworthy timeline even in the worst-case scenario where an attacker reaches admin credentials.
When something happens, you do not want to spend hours collecting logs. One click produces an encrypted, time-stamped bundle of the relevant tenant state — events, rules, decisions, recent traffic — ready to hand to your security team, lawyer or regulator.
Shield does not lock you into one AI vendor. Bring your own OpenAI / Anthropic / Google key, point at a dedicated Ollama instance, or run fully local. Set hard cost caps and routing rules. Your data flows only to providers you explicitly approve.
For your highest-risk actions Shield can require a hardware-rooted gesture: Touch ID, Windows Hello, a hardware security key. These are physical-presence checks that an LLM-powered agent or remote attacker cannot solve, no matter how clever the prompt.
For regulated, classified or disconnected environments Shield ships as a self-hosted package with signed release artifacts and a fully offline install path. Nothing has to talk to the public internet, but you still get rule, model and intel updates on your own schedule.
Shield can flag form, message and document submissions that look machine-generated rather than human-typed. Combined with behaviour and timing signals, this gives operators a clear answer to "is this real?" on application forms, CVs, support tickets and reviews.
The widget snapshots fetch, XHR, navigator and userAgent at boot and re-checks periodically. If a browser extension, injected script or third-party tag flips navigator.webdriver, wraps fetch, replaces XHR or mutates navigator descriptors, Shield reports the tampering and can refuse to issue a token. Per-attribute form.action / hidden-input change tracking is roadmap, not wired today.
Every request is checked in O(1) against 48,000+ real-time threat indicators refreshed frequently. No customer setup — platform-funded. Adds score boost on match.
Premium reputation services lookup on suspicious events only. Per-tenant Fernet-encrypted keys; no platform-shared keys, lookups happen on your quota.
All ten 2025 OWASP categories addressed — A01 access control, A02 misconfig, A03 supply chain, A04 crypto, A05 injection, A06 design, A07 auth, A08 integrity, A09 logging, A10 exception handling. Pattern set sourced from OWASP CRS v4, nuclei templates, PayloadsAllTheThings.
Identifies bots from OpenAI, Anthropic, Google-Extended, Perplexity, ByteDance, CommonCrawl, Meta, Apple, Cohere, Mistral, AllenAI, You.com and more. Tenant chooses block / monitor / allow per vendor.
log4j JNDI gadgets (${jndi:ldap://...}), LDAP injection, XML External Entity, MongoDB-style NoSQL operator injection — all blocked at the /shield/events ingest before reaching your backend.
Read-only view of all 278 patterns Shield runs on every request, grouped by category. Customers see exactly what's protecting them — no marketing claims to verify.
Click any card to expand for the full description and threat model.
The audit log is the legal and forensic backbone of Shield. Designed so even a compromised admin cannot rewrite history without it being visible.
Every audit record carries the SHA-256 hash of the previous record plus the current event canonicalized. Removing or modifying any past event breaks every downstream hash and the chain refuses verification.
Each tenant has its own Ed25519 keypair. The public key is exposed for independent verification; the private key signs every audit record at write time. A leaked DB dump cannot be forged without the private key.
Chain heads are periodically anchored against an external RFC 3161 Time Stamp Authority. This binds the log to absolute wall-clock time and proves the chain existed in that form before the timestamp.
The shield_app role has INSERT only — UPDATE and DELETE are REVOKEd at the PostgreSQL level. Even an attacker with full app-context credentials cannot rewrite rows; they would need to escalate to a superuser DB role, which is itself audited at the platform layer.
GET /shield/audit/verify re-walks the hash chain and validates every signature; GET /shield/audit/export streams a signed, line-delimited JSON archive for internal or external auditors. Both are tenant-scoped and rate-limited.
Provides technical evidence common security frameworks ask for (immutable logging, signed integrity, monitoring, GDPR Art. 32 alignment). Shield itself is not externally certified — the export supports your audit, it does not replace one.
When something goes wrong, you need an immutable picture of the moment. Shield produces it in under a minute and seals it so only your private key can open it.
A single-use AES-256-GCM data key encrypts the payload. The data key is wrapped with RSA-OAEP-SHA256 against the tenant’s public key. Only the holder of the private key can recover the AES key and decrypt the bundle. Shield infrastructure cannot read past snapshots after they leave the producing container.
Snapshots upload to any S3-compatible store (AWS, Wasabi, MinIO, on-prem). Optional weekly cron auto-archives a fresh snapshot for continuous forensic readiness. MTTR target from trigger to sealed, uploaded archive is ~60 seconds.
POST /shield/forensic/snapshot triggers a new snapshot; GET /shield/forensic/snapshots lists existing ones with metadata, size and sealed status. Both are admin-scoped and produce platform-level audit events.
Shield provides technical evidence, logs and mappings. Formal certifications or customer attestations depend on the specific deployment scope.
Shield produces audit logs, decision reasons and exports that can support security and compliance review. Formal certification or attestation is confirmed individually based on customer scope.
The technical controls can be mapped to your internal audit framework. Shield itself is not externally certified.
Detections can be mapped to relevant MITRE ATT&CK techniques, especially Initial Access, Credential Access, Exfiltration and Command & Control.
Shield covers multiple classes of automated threats from OWASP OAT. Detailed mapping is provided to customers in technical materials.
Detailed technical document including integration diagrams, threat modeling and performance benchmarks.
Protection scope notice. Corpilus Shield is a real-time AI protection layer designed to extend standard security mechanisms for websites, e-shops and LLM applications, not replace them. It does not replace antivirus, firewall, penetration testing or a formal security audit. For comprehensive protection, we recommend combining several layers.