We built this page because every other comparison out there is written by a vendor trying to win. This one is written by us — and we still lose in some rows. Data here comes from each product's public docs, our own benchmark (see /benchmark), and reproducible tests. If something is wrong or out of date, email us and we'll fix it.
TL;DR. AgentShield wins on latency (p50 ≈ 2.4 ms), pricing (free tier + $29 entry), and deployment simplicity (one HTTPS call, no LLM dependency). Lakera Guard wins on enterprise features (RBAC, audit exports, EU private deployment). Rebuff and LLM Guard are strong open-source options if you want to self-host. NeMo Guardrails is a different beast entirely — a rules DSL, not a classifier — and is best used with something like AgentShield, not instead of it.
| | AgentShield | Lakera Guard | Rebuff | LLM Guard | NeMo Guardrails |
|---|---|---|---|---|---|
| Type | Hosted API (classifier) | Hosted API (classifier) | Library + optional hosted | Self-hosted library | Self-hosted DSL framework |
| Free tier | ✓ 100 req/day, no card | trial 14 days | ✓ OSS, self-host | ✓ OSS, self-host | ✓ OSS, self-host |
| Entry paid tier | $29/mo · 5K/day | Enterprise (talk to sales) | Free (self-host) | Free (self-host) | Free (self-host) |
| p50 latency | 2.44 ms | ~30–50 ms* | LLM-dependent (~400 ms+) | 5–20 ms (self-host) | LLM-dependent |
| Published benchmark | ✓ 5,972 samples, F1 0.921 | ✓ PINT (their own) | partial | ✗ | ✗ (not a classifier) |
| Open-source model | partial MIT wrappers, weights proprietary | ✗ | ✓ MIT | ✓ MIT | ✓ Apache-2.0 |
| Self-hosted option | enterprise only | enterprise only | ✓ | ✓ | ✓ |
| EU data residency | ✓ Frankfurt, DE only | ✓ Switzerland/EU | ✓ self-host anywhere | ✓ self-host anywhere | ✓ self-host anywhere |
| LLM dependency | ✓ none, own classifier | ✓ none | ✗ uses OpenAI | optional | ✗ LLM required |
| PII redaction | roadmap Q2 2026 | ✓ | ✗ | ✓ | via plugins |
| Audit logs / export | usage log only | ✓ full audit + SOC2 | ✗ | ✗ | ✗ |
| SOC 2 / ISO 27001 | ✗ (SOC 2 Type I targeted Q4 2026) | ✓ SOC 2 Type II | ✗ | ✗ | ✗ |
| SDKs | Python (cURL works everywhere) | Python, JS, Go | Python, JS | Python | Python |
| LangChain / LlamaIndex | via HTTP | ✓ official | ✓ official | via HTTP | ✓ official |
| Public status page | ✓ /status | ✓ | n/a (self-host) | n/a (self-host) | n/a (self-host) |
* Lakera latency is our own measurement against their public endpoint from Frankfurt, Apr 2026. Their official docs don't publish a p50. Your mileage will vary based on region.
AgentShield: You ship a user-facing app, you need sub-5 ms classification on every turn, and $29/mo beats what you'd pay to self-host the same throughput on a GPU box.
Lakera Guard: You need SOC 2 Type II signed, SSO, RBAC, detailed audit exports, and you have procurement time to navigate custom contracts.
Rebuff: You're already deep on OpenAI, you want an MIT-licensed library you can audit, and LLM-based classification latency is acceptable for your use case.
LLM Guard: You want one library that does injection + PII + toxicity + secrets detection, and you're OK self-hosting on your own hardware.
NeMo Guardrails: You want to declaratively define conversational flows, forbidden topics, and routing logic in a DSL — on top of a classifier like AgentShield, not instead of it.
Feature rows come from each product's public documentation as of April 2026. Pricing reflects list prices — no volume discounts or promo codes. Latency for AgentShield is p50 from our public 5,972-sample benchmark. Latency for competitors is either (a) what's published in their docs or (b) our own measurement against their public endpoints — marked with an asterisk where measured. If a cell says "partial", it means the capability exists but with constraints we felt were worth flagging.
Disagree with a row? Email [email protected] with a link to the contradicting source and we'll update within 48 hours.
100 requests/day free, no credit card. If AgentShield doesn't fit, the other four are great too — we mean it.