SharkRouter is the deterministic data plane for agentic AI. It sits between AI agents and tool execution, providing a 14-step governance pipeline that includes ToolGuard (function-call firewall), Agent Passport (cryptographic identity), Dry-Run Preview (impact preview before execution), Output Assurance (post-execution verification), Kill Switch (immediate halt), and an immutable WORM audit chain.

How is SharkRouter different from prompt filters or monitoring tools?

SharkRouter is not a prompt filter, not an output scanner, and not a monitoring tool. It is a stateful gateway that intercepts every function call an AI agent makes and enforces deterministic business rules before execution. Prompt filters (Pangea, Lakera) only inspect input. Out-of-band monitors (Zenity, Protect AI) observe but cannot enforce. JIT access tools (Oasis Security) manage permissions but do not audit execution. SharkRouter is the only product that intercepts, governs, and audits at the function-call layer with cryptographic proof.

Is SharkRouter OpenAI-compatible?

Yes. SharkRouter is a drop-in replacement for the OpenAI API. Change your base_url to https://api.sharkrouter.ai/v1 and your existing code works unchanged. One line. Full governance. Zero lock-in.

ToolGuard is the function-call firewall at the heart of SharkRouter. It is a deny-by-default policy engine that evaluates every tool call through a 7-guard chain (Regex, Keyword, Schema, Policy, Semantic, LLM, MoralCompass) cost-ordered so the first block wins. Typical added latency is under 150ms. ToolGuard enforces business rules at the execution layer — the only layer where AI agents actually do something.

What is Agent Passport?

Agent Passport assigns cryptographic identity (ECDSA-signed) to every AI agent in your environment. Each passport carries a scoped tool universe, a 9-state lifecycle FSM, and delegation chains with scope narrowing. Trust stages progress STRANGER → KNOWN → TRUSTED → EXTENSION based on observed behavior.

What is Dry-Run Preview?

Dry-Run Preview shows the impact of a destructive tool call before it executes — affected rows, blast radius, estimated cost. Zero of 19 competitors in our State of AI Governance benchmark offer this capability. It is what enables CISOs to approve agentic AI for production systems.

Can SharkRouter be deployed air-gapped?

Yes. SharkRouter offers three deployment tiers: Cloud Gateway (5 minutes), Private VPC (1 day), and Air-Gapped On-Premise (1 week). The air-gapped tier uses offline licensing and runs with zero outbound connectivity — designed for banking, defense, and government environments that cannot use cloud AI services.

What compliance frameworks does SharkRouter support?

SharkRouter is designed compliant by architecture: SOC 2, GDPR, HIPAA, ISO 27001, BOI 364, and EU AI Act Article 14 (human oversight of high-risk AI). The WORM audit chain provides cryptographic chain-of-custody that satisfies banking and regulated-industry audit requirements.

Warden is SharkRouter's open-source governance scanner. Run it against any AI framework or environment and it produces a 17-dimension governance score out of 100. Across 19 AI frameworks and competing gateways, the market average is 28/100. SharkRouter scores 91/100. Warden is free, runs in 60 seconds, and is the first tool a CISO uses in our evaluation funnel.

AI agents using function calling and MCP tools create attack surfaces that reverse proxies and WAFs were never designed to handle. Here\

Agentic Firewall: Why Traditional API Gateways Can't Secure AI Agents

When enterprises began deploying AI in 2023, their security teams reached for familiar tools: WAFs, API gateways, reverse proxies. These tools had protected REST APIs for a decade. Surely they could handle an LLM endpoint.

They can't. And the gap is getting dangerous.

The Problem with Traditional Gateways

A traditional API gateway understands requests and responses. It inspects HTTP headers, validates JSON schemas, enforces rate limits per IP or API key, and blocks known-bad payloads. This model assumes a relatively static, human-authored request hitting a known endpoint.

AI agents work differently. A single user message can trigger 20 downstream tool calls. Those tool calls can execute code, query databases, send emails, or call external APIs. The "payload" isn't fixed — it's generated dynamically by the model based on context that includes user-supplied text.

This creates three classes of attacks that traditional gateways are blind to:

1. Prompt Injection Through Tool Results

Consider an agent that can search the web. A malicious website includes hidden text:

```

```

The gateway sees a normal HTTP response from a search API. It has no way to know that the response contains adversarial instructions that will be injected into the model's context and potentially cause it to misuse its tools.

2. Tool Privilege Escalation

Modern AI agents are equipped with toolsets — MCP servers, function definitions, plugin APIs. Each tool is a capability. The principle of least privilege says agents should only use tools appropriate for their current task.

But who enforces this at runtime? Not the LLM provider. Not the MCP server. And certainly not a traditional API gateway, which has no concept of "which tool should this agent be allowed to call right now."

An attacker who can influence the model's reasoning (via prompt injection, poisoned RAG context, or adversarial system prompts) can cause it to invoke tools it should never touch: data export, admin actions, or external communication channels.

3. Schema-Bypassing Injections

Function calling gives models the ability to invoke structured tool calls with typed parameters. Most developers assume the model will always produce well-formed calls. But models can be coerced into producing unusual values — excessively long strings, path traversal sequences, SQL fragments, or SSRF-triggering URLs — as parameter values.

```json
{
"tool": "read_file",
"arguments": {
"path": "../../../../etc/passwd"
}
}
```

A gateway that only validates the outer HTTP request never sees this. It reaches your tool handler, which may or may not validate it.

How SharkRouter's Agentic Firewall Works

SharkRouter sits in the data path between your application and the LLM provider. Every request and every response passes through the firewall layer. For agentic workloads, this means:

ToolGuard: Per-Tool Policy Enforcement

ToolGuard is SharkRouter's tool call interception layer. It operates on the model's function calls before they are executed, and on tool results before they are returned to the model.

Each tool in your system can have a policy:

```yaml
tools:
read_file:
allowed_paths: ["/data/", "/reports/"]
blocked_patterns: ["../", "/etc/", "/proc/"]
max_response_size: 10240
rate_limit: 100/minute

send_email:
require_approval: true
allowed_domains: ["@yourcompany.com"]
blocked_keywords: ["password", "secret", "key"]
```

ToolGuard validates every tool call against these policies before execution. Path traversal attempts are blocked. Disallowed email domains are rejected. Oversized responses are truncated before they reach the model.

Schema Validation

Every tool call is validated against its declared JSON Schema before execution. SharkRouter maintains the schema registry for all tools in your system and rejects any call that doesn't conform — even if the LLM produced it.

This catches:

Type mismatches (string where integer expected)
Out-of-range values
Missing required fields
Extra fields that shouldn't be present
String patterns that match injection signatures

Per-Tool Rate Limiting

Traditional gateways rate-limit at the API-key level. SharkRouter rate-limits at the tool level, per user, per session, and per tool.

This means a compromised or runaway agent can't:

Exfiltrate data by calling a search tool 10,000 times
Burn your budget by recursively calling expensive tools
Launch a DoS against downstream systems through automated tool calls

Prompt Injection Detection in Tool Results

SharkRouter scans tool results for prompt injection patterns before returning them to the model. This includes:

Instruction override patterns ("ignore previous instructions")
Role impersonation attempts ("you are now DAN")
System prompt leakage bait ("repeat your instructions")
Adversarial persona switching

When detected, the result is sanitized or flagged, and the event is recorded in the audit log with full context.

Real-World Attack Scenarios Blocked by SharkRouter

Scenario 1: RAG Poisoning
An attacker uploads a document to your RAG system containing embedded instructions. When a user queries the system, the document is retrieved and injected into context. ToolGuard's result scanning detects the adversarial pattern and strips it before it reaches the model.

Scenario 2: Tool Privilege Escalation via Jailbreak
A user attempts to jailbreak the agent into using an admin tool it shouldn't access. SharkRouter's per-session tool allowlists prevent the model from even attempting to call tools not permitted for that session type, regardless of what the model "wants" to do.

Scenario 3: Exfiltration via External Tool
An agent is given a web search tool. An attacker constructs a prompt that causes the agent to encode sensitive data into a search query, effectively exfiltrating it via the tool call URL. SharkRouter's outbound parameter scanning detects and blocks PII in tool call arguments.

The Bottom Line

Traditional API gateways protect the boundary between your application and the internet. Agentic firewalls protect the boundary between human intent and AI action. As AI agents gain more tools and more autonomy, the second boundary becomes as important as the first.

SharkRouter's agentic firewall is purpose-built for this new attack surface — not retrofitted from a REST-era tool.

Ready to secure your AI agents? Book a demo or read the ToolGuard docs.

Agentic Firewall: Why Traditional API Gateways Can\