Skip to content
Home AI Security Tools Protect AI Guardian
Protect AI Guardian

Protect AI Guardian

ACQUIRED
Category: AI Security
License: Commercial
Visit Website →
Suphi Cankurt
Suphi Cankurt
AppSec Enthusiast
Updated February 16, 2026
4 min read
Key Takeaways
  • ML security gateway scanning 35+ model formats (PyTorch, TensorFlow, ONNX, pickle, safetensors) for deserialization attacks, backdoors, and malicious code.
  • Acquired by Palo Alto Networks in July 2025, now part of Prisma AIRS alongside Recon (red teaming) and Layer (runtime monitoring).
  • Has scanned 4M+ models on Hugging Face, with threat intelligence powered by huntr's 17,000+ security researchers.
  • Built on open-source ModelScan (Apache 2.0, 640+ GitHub stars), with Guardian adding policy enforcement, access controls, and compliance dashboards.

Protect AI Guardian is an AI security gateway that scans ML models for malicious payloads and enforces security policies before models reach production.

Protect AI Guardian platform hero showing model security scanning interface

Guardian was built by Protect AI, a Seattle-based company backed by threat intelligence from huntr, an early AI/ML bug bounty platform with 17,000+ security researchers. As of April 2025, Guardian has scanned over 4 million models on Hugging Face through its partnership with the platform. Palo Alto Networks completed its acquisition of Protect AI in July 2025, integrating Guardian into the Prisma AIRS platform alongside two companion products: Recon (automated AI red teaming) and Layer (runtime security monitoring).

What is Protect AI Guardian?

Guardian addresses a specific problem: ML models are executable code, and organizations download them from public repositories on trust. Pickle files can execute arbitrary code during deserialization. Model architectures can contain hidden layers that act as backdoors. Even formats marketed as safe, like safetensors, warrant verification.

Guardian sits between your model sources (Hugging Face, MLflow, S3, SageMaker, Git repositories) and your production environment. It scans every model against 35+ format-specific checks, applies your security policies, and blocks anything that doesn’t pass.

The platform builds on ModelScan, Protect AI’s open-source model scanner (Apache 2.0 license, 640+ GitHub stars). Guardian extends ModelScan with configurable policies, access controls, compliance dashboards, and enterprise integrations.

Model Scanning
Scans 35+ formats for deserialization attacks, architectural backdoors, malicious operations, and runtime threats. Detects code execution payloads in pickle files, hidden layers, and suspicious TensorFlow/PyTorch operations.
Policy Enforcement
Configurable security policies with granular rules for model metadata, approved formats, verified sources, and scan findings. Blocks non-compliant models from entering production.
Supply Chain Visibility
Tracks model provenance, creators, and licensing. Provides dashboards showing model origins and security status across your registry.

Key Features

FeatureDetails
Model Formats35+ including PyTorch, TensorFlow, ONNX, Keras, pickle, joblib, dill, GGUF, GGML, safetensors
Threat DetectionDeserialization attacks, architectural backdoors, malicious operations, runtime threats
Policy EngineGranular rules for formats, sources, metadata, and scan findings
Hugging Face Scanning4M+ public models scanned continuously
Deployment OptionsCloud platform, local scanning via Docker containers, CLI, SDK
IntegrationsHugging Face, MLflow, S3, SageMaker Model Registry, Git, Dataiku
Open-Source BaseBuilt on ModelScan (Apache 2.0, 640+ stars)
Threat IntelligencePowered by 17,000+ huntr security researchers

Scanning capabilities

Guardian scans models across four threat categories:

  • Deserialization attacks — Detects code execution payloads embedded in pickle, joblib, dill, and cloudpickle files. These are the most common ML supply chain attack vector.
  • Architectural backdoors — Identifies hidden layers or modified weights that could alter model behavior without changing visible outputs.
  • Malicious operations — Flags suspicious TensorFlow Lambda layers, PyTorch operations, and other framework-specific threats.
  • Supply chain risks — Tracks model provenance, dependencies, and licensing to identify upstream risks.

Guardian model scanning feature showing vulnerability detection results

Policy enforcement

Guardian lets you define security policies with granular rules. Policies can specify approved model formats, required source verification, severity thresholds, and custom rules based on scan findings. Models that violate policies are blocked from deployment.

Policies are configurable per security group, allowing different rules for development, staging, and production environments.

Guardian policy configuration interface

Deployment options

Guardian offers three deployment methods:

  • Cloud platform — Managed scanning through the Guardian web console and API
  • Local scanner — Lightweight Docker container for CI/CD pipelines and air-gapped environments
  • CLI and SDK — The guardian-client Python package (Apache 2.0) provides both command-line and programmatic access

The local scanner is particularly useful for organizations that can’t send model files to external services. It runs as a Docker container and integrates into existing CI/CD workflows.

ModelScan (open-source)
ModelScan is Protect AI’s open-source model scanner. It supports PyTorch, TensorFlow, Keras, Scikit-learn, and XGBoost formats. Install with pip install modelscan and scan with modelscan -p /path/to/model.pkl. Guardian extends ModelScan with policy enforcement, access controls, and enterprise features.

huntr bug bounty community

Guardian’s threat intelligence comes from huntr, an early AI/ML bug bounty platform. The community includes 17,000+ security researchers who discover vulnerabilities in open-source AI/ML tools. Huntr is one of the world’s five largest Certified Naming Authorities (CNAs) for CVEs. Vulnerability findings flow back into Guardian’s scanning rules.

Getting Started

1
Get access — Contact Protect AI (now Palo Alto Networks) for Guardian access. The platform is available as part of Prisma AIRS.
2
Connect your model sources — Integrate Guardian with your model registries: Hugging Face, MLflow, S3, SageMaker, or Git. For local scanning, deploy the Docker container.
3
Configure policies — Set up security groups and policies defining which model formats are approved, which sources are trusted, and what severity levels should block deployment.
4
Scan and enforce — Run scans via the web console, CLI (guardian-client scan), or SDK. The CLI returns exit code 0 for passed scans, 1 for policy violations, and 2 for failures — making it easy to integrate into CI/CD gates.

When to use Guardian

Guardian is built for organizations that consume ML models from external sources and need to verify them before deployment. If your team downloads models from Hugging Face, maintains internal model registries, or purchases models from vendors, Guardian adds a security gate that catches threats traditional tools miss.

The local scanning option makes it practical for air-gapped environments and regulated industries where model files can’t leave the network.

Best for
ML platform teams that need automated security scanning and policy enforcement for models from public repositories, vendor sources, and internal registries.

For background on AI supply chain threats, see our AI security guide. For open-source model scanning without the enterprise platform, use ModelScan directly. For broader AI security covering runtime defense and adversarial attacks, look at HiddenLayer. For prompt injection detection, see Lakera Guard or LLM Guard. For LLM red teaming, try Garak or Promptfoo.

Note: Acquired by Palo Alto Networks in July 2025. Now part of the Prisma AIRS platform.

Frequently Asked Questions

What is Protect AI Guardian?
Protect AI Guardian is an ML security gateway that scans 35+ model formats for deserialization attacks, architectural backdoors, and malicious code. It enforces security policies on models before they enter production. Guardian was acquired by Palo Alto Networks in July 2025 and is now part of Prisma AIRS.
Is Protect AI Guardian free or commercial?
Guardian is a commercial platform. It builds on the open-source ModelScan project (Apache 2.0, 640+ GitHub stars) but adds policy enforcement, access controls, compliance dashboards, and enterprise integrations.
Does Guardian protect against prompt injection?
No. Guardian focuses on ML model supply chain security — scanning model files for malicious payloads, backdoors, and deserialization attacks before deployment. For prompt injection detection, look at Lakera Guard or LLM Guard.
What ML model formats does Guardian scan?
Guardian scans 35+ formats including PyTorch (.pt, .pth), TensorFlow (SavedModel, .h5), ONNX, Keras, pickle, joblib, dill, cloudpickle, GGUF, GGML, safetensors, and models from Hugging Face Transformers, Scikit-learn, XGBoost, and LightGBM.
What is the relationship between Guardian and ModelScan?
ModelScan is Protect AI’s open-source model scanner (Apache 2.0 license). Guardian is the commercial platform built on top of it, adding policy enforcement, enterprise integrations, access controls, and compliance dashboards.
How we review tools Suggest an edit

Other AI Security Tools

Garak
Garak

NVIDIA's LLM Vulnerability Scanner

Promptfoo
Promptfoo

LLM Evaluation & Red Teaming CLI

DeepTeam
DeepTeam

LLM Red Teaming Framework

HiddenLayer AISec
HiddenLayer AISec

ML Model Security Platform — 48+ CVEs, 25+ Patents

AR
Arthur AI

AI Observability and Bias Detection

MI
Mindgard

DAST-AI Continuous Red Teaming

See all AI Security tools

Complement with SAST

Pair AI security with static analysis for broader coverage.

Bandit
Bandit

Open-Source Python Scanner

Codacy
Codacy

40+ Languages with AI Code Protection

See all SAST tools

Learn More

What is API Security? What is AI Security? OWASP Top 10 Prompt Injection Attacks API Security Testing LLM Red Teaming

Explore our API & AI Security resource hub