Pillar Security
Primary category: ai-runtime-security. Also ai-spm.
One-liner — An Israeli startup selling an end-to-end platform that discovers an organization’s AI assets and agents, red-teams them, and then wraps them in adaptive runtime guardrails (an AI firewall) against prompt injection, data leakage, and tool abuse.
Categories — ai-runtime-security, ai-spm
What it does
Pillar pitches one platform spanning the AI application lifecycle, with three connected jobs:
- Discovery / inventory (AI-SPM): automatically maps AI assets — models, datasets, prompts, notebooks, frameworks, MCP servers, tools, and agents — including shadow AI and unapproved coding agents. Flags which agents touch sensitive data (PII, code repos, production DBs) and what each agent is permitted to do.
- Red teaming: simulates attacks against discovered AI surfaces. Pillar markets a “RedGraph” approach that uses environmental context to map exploitable surfaces and simulate multi-turn attacks, tool hijacking, and lateral movement across an agent ecosystem.
- Runtime guardrails (AI firewall): adaptive input/output guardrails calibrated per application/agent that block prompt injection (direct and indirect), jailbreaks, PII/PCI leakage, secret exposure, and toxic/inappropriate content in real time. Pillar emphasizes behavioral-deviation detection (flagging when an agent strays from its defined business purpose) and taint analysis that traces PII/secrets from source to destination, rather than only static rule matching.
The selling idea is that findings flow between the three: red-teaming and production telemetry feed the guardrails, which “continuously evolve.” (Capability claims here are vendor marketing; the gateway integration below is independently documented.)
Where it sits in the stack
Primary home is ai-runtime-security (the AI-firewall layer, model-prompt), with a
strong second foot in ai-spm (discovery/posture, governance-adjacent). Because it
also red-teams models, it overlaps the ai-red-teaming category, and its agent-behavior
monitoring overlaps agent-runtime-security.
Lethal-trifecta role: Pillar is one of the few single vendors that touches all three legs — it inspects untrusted input (prompt-injection / jailbreak detection on the way in), guards sensitive data (PII/PCI/secret detection and taint tracing), and constrains egress (blocking leakage and out-of-purpose tool/agent actions on the way out). It is relevant to the yellow (model/agent) zone where untrusted content meets privileged tools.
Deployment & architecture
SaaS control plane. The runtime guardrail is consumed primarily as an API — Pillar
exposes a guardrail API that AI gateways call on each request. It is natively integrated
into litellm/LiteLLM Proxy (via the Generic Guardrail API, api_base https://api.pillar.security/api/v1/integrations/litellm, with pre_call / post_call /
during_call modes) and into the TrueFoundry AI Gateway, so customers can turn protection
on with a config change rather than re-architecting traffic. SDK / code-side hooks support
the build-time discovery and red-teaming. It is not its own inline TLS-intercepting
network proxy — it rides on top of an existing ai-gateway. Integrations span code
repos, AI/ML and data platforms, MCP servers (connection mapping + allowlisting), and
audit/compliance logging; it also appears in the Wiz integration marketplace.
Positioning & differentiators
Pillar’s pitch is breadth across the lifecycle in one product — discover, test, then protect — versus point tools that do only one. Against nearest neighbors:
- vs lakera, prompt-security, enkrypt-ai — these center on the runtime guardrail / prompt-firewall; Pillar bundles that with discovery (AI-SPM) and red-teaming.
- vs splxai — SplxAI leans red-teaming/testing-first; Pillar offers red-teaming plus production runtime in one.
- vs prisma-airs and cisco-ai-defense — platform-scale incumbents (Palo Alto, Cisco) with broader security portfolios and channel; Pillar is a focused startup competing on depth in AI-native, agent-aware protection.
- vs witnessai — WitnessAI is more about employee/shadow-AI access governance (CASB-for-AI); Pillar targets the teams building AI apps/agents.
- vs hiddenlayer — HiddenLayer’s heritage is model/ML-supply-chain security (model scanning, MLDR); Pillar is more application/agent-runtime and prompt-centric.
- vs pangea — Pangea sells composable AI-security API building blocks; Pillar sells a more opinionated, integrated platform.
Differentiators it stresses: agent-centric behavioral monitoring (deviation from intended purpose), taint tracing of sensitive data, and a feedback loop from red-teaming + telemetry (claims ~50M+ AI application interactions of threat intel) into adaptive guardrails.
Ownership, funding & M&A
Independent, VC-backed. Founded 2023 by Dor Sarig (CEO; ex–Israeli MoD, Perimeter81, Cymulate) and Ziv Karliner (CTO). Raised a $9M seed announced 2025-04-16, led by Shield Capital, with Golden Ventures, Ground Up Ventures, and strategic angels. HQ Tel Aviv, with a US footprint in Miami. No M&A — not acquired, no acquisitions (no seed M&A flag). Ownership confidence: high (primary press release + multiple independent press).
CTO / hedge-fund lens
This is a Day-1 control if you are building or running your own AI applications/agents (internal copilots over fund data, RAG assistants, agentic workflows) — it provides the prompt-injection / data-leak / egress guardrail you cannot safely launch without, plus an inventory of what AI you actually have. For a fund that only consumes SaaS AI (ChatGPT/Copilot) and isn’t building, a CASB-for-AI like witnessai or a gateway-native guardrail may matter more, and Pillar is closer to Day-2/optional. SR 11-7 / model-risk relevance is indirect: its red-teaming evidence and runtime logs can feed model-risk and audit, but it is a security tool, not a governance/attestation platform like ai-governance-platform vendors. Fit: medium for a hedge fund — high if you have an in-house AI build team, lower if you don’t. Caveat: small, early-stage (seed) vendor — weigh vendor-risk and roadmap maturity against incumbents.
Competitors / alternatives
lakera, prompt-security, enkrypt-ai, splxai, prisma-airs, cisco-ai-defense, witnessai, hiddenlayer, pangea, calypsoai, trojai, aim-security
Open questions / to verify
- Exact pricing / packaging (per-app, per-request, platform) — not public.
- How much of the runtime is genuinely model-agnostic vs gateway-dependent.
- Customer count / production references — limited public evidence (seed-stage).
- Whether HQ is best described as Tel Aviv or dual Tel Aviv/Miami; both appear in sources.
- Any funding since the 2025-04 seed.
Sources
- Pillar Security Raises $9M to Help Enterprises Build and Run Secure AI Software (GlobeNewswire) — fetched 2026-06-28 — supports: $9M seed, 2025-04-16, Shield Capital + Golden/Ground Up, founders, Tel Aviv HQ, product scope; confidence: high
- Pillar Security Platform page — fetched 2026-06-28 — supports: discovery/AI-SPM, RedGraph red-teaming, runtime guardrails, agent/MCP focus (vendor marketing); confidence: med
- Pillar Security guardrail integration (LiteLLM proxy docs) — fetched 2026-06-28 — supports: API guardrail deployment behind AI gateway, scan categories (prompt injection, jailbreak, PII/PCI, secrets), pre/post/during-call modes; confidence: high
History
- [2026-06-28] Stub created from seed registry.
- [2026-06-28] Researched; established founded 2023 (Sarig/Karliner), Tel Aviv HQ (+Miami), independent with $9M seed led by Shield Capital (2025-04-16, no M&A), API/SaaS/SDK deployment as a gateway-integrated guardrail (LiteLLM/TrueFoundry), trifecta coverage on all three legs, hedge_fund_fit medium. Filled frontmatter and all body sections; cached 3 sources.