DEV Community

Cover image for Why I Rebuilt AI Security from Scratch in Pure C
Dmitry Labintcev
Dmitry Labintcev

Posted on

Why I Rebuilt AI Security from Scratch in Pure C

#security #ai #opensource #c

The AI Security Gold Rush

Everyone's building AI security solutions now.

In the past 18 months, I've analyzed over 30 different AI security tools. Lakera Guard, Prompt Security, Robust Intelligence, HiddenLayer, Pangea, Cloudflare AI Gateway... the list goes on.

Here's what I noticed:

They're all remarkably similar:

  • Python-based
  • ML classifiers for detection
  • REST API wrapper
  • 50-200ms latency
  • Dozens of dependencies
  • Deployed as cloud services

And here's the uncomfortable truth:

They're becoming attack vectors themselves.

The Irony of Python Security Tools

When your security layer:

  • Has 50+ dependencies (each a potential CVE)
  • Adds 50-200ms to every request (inviting DDoS)
  • Runs as an interpreted language (memory vulnerabilities)
  • Requires cloud connectivity (single point of failure)

...you haven't secured your AI. You've added another attack surface.

I watched security scanners flag vulnerabilities in the very tools meant to protect AI systems. I saw "guardrails" become bypass opportunities. I observed overhead that made production deployment impractical.

Something had to change fundamentally.

A Different Mental Model

I asked a simple question:

What if we applied network security principles to AI?

Networks have firewalls. DMZs. Zone-based architectures. Cisco IOS commands. Hardware-accelerated filtering.

LLMs have... regex?

The gap was glaring.

So I built SENTINEL Shield — an AI security layer designed like network infrastructure:

  • Pure C — not Python, not Rust, not Go. C.
  • Zero dependencies — nothing to CVE-scan
  • Sub-millisecond — faster than your database
  • Cisco-style CLI — familiar to every network engineer
  • Zone-based — proper trust boundaries
  • Protocol-driven — enterprise integration patterns

Why Pure C?

"But C is dangerous!"

Yes. And so is securing AI systems with slow, bloated, dependency-heavy code.

Here's the comparison:

Property Shield (C) Typical Python Tool
Dependencies 0 50-200
Latency < 1ms 50-200ms
Memory footprint 50MB 500MB+
Throughput 10K req/s/core 50 req/s
Attack surface Minimal Large
Container size 20MB 500MB+

C forces discipline. Every allocation is explicit. Every buffer has a size. There's no garbage collector hiding memory bugs — they crash immediately in development, not silently in production.

I've written 23,113 lines of C. Not a single malloc without a corresponding free. Every string operation bounds-checked. Static analysis on every commit.

The result? A security layer that doesn't become a security liability.

Architecture: The 8-Layer Model

Shield implements a proper security stack:

┌─────────────────────────────────────────────────────────┐
│  Layer 8: API (REST, gRPC, FFI)                         │
│  Layer 7: CLI (194 Cisco-style commands)                │
│  Layer 6: Guards (LLM, RAG, Agent, Tool, MCP, API)      │
│  Layer 5: Zone Management (Trust boundaries)            │
│  Layer 4: Rule Engine (ACL, Policies)                   │
│  Layer 3: Analysis (Pattern, Semantic, ML)              │
│  Layer 2: Protocols (20 enterprise protocols)           │
│  Layer 1: Core (Memory pools, Threading)                │
└─────────────────────────────────────────────────────────┘
Enter fullscreen mode Exit fullscreen mode

This isn't a wrapper around an ML model. It's infrastructure.

The Six Guards

Instead of one monolithic classifier, Shield has specialized guards:

1. LLM Guard

Protects language model interactions:

  • Prompt injection detection
  • Jailbreak pattern matching
  • Token abuse prevention
  • Exfiltration blocking

2. RAG Guard

Protects retrieval-augmented generation:

  • Document poisoning detection
  • Provenance verification
  • Context integrity checking

3. Agent Guard

Protects autonomous AI agents:

  • Infinite loop detection
  • Privilege escalation prevention
  • Chain depth limits
  • Tool misuse detection

4. Tool Guard

Protects external tool access:

  • Scope validation
  • Rate limiting
  • Dangerous operation blocking

5. MCP Guard

Protects Model Context Protocol:

  • Schema validation
  • Capability verification
  • Resource enumeration prevention

6. API Guard

Protects API endpoints:

  • Authentication
  • Rate limiting
  • Input validation

Each guard focuses on one domain. Together, they cover the entire attack surface.

20 Enterprise Protocols

Real enterprise deployment needs more than HTTP:

Category Protocols Purpose
Discovery ZDP, ZRP, ZHP Zone management, health
Traffic STP, SPP, SQP, SRP Secure data flow
Analytics SAF, STT, SEM, SLA Metrics, telemetry
HA SHSP, SSRP, SMRP Clustering, failover
Integration SBP, SGP, SIEM External systems
Security STLS, SZAA, SSigP TLS, auth, signatures

These are binary protocols, not JSON-over-HTTP. They're designed for:

  • Low latency
  • High throughput
  • Reliability
  • Enterprise features (HA, SIEM, etc.)

Cisco-Style CLI

Network engineers don't learn new DSLs for every tool. Neither should security operators:

Shield# show zones
Zone        Type    Trust   State
--------    ----    -----   -----
external    api     1       active
internal    llm     10      active
dmz         rag     5       active

Shield# configure terminal
Shield(config)# class-map match-any THREATS
Shield(config-cmap)# match injection
Shield(config-cmap)# match jailbreak
Shield(config-cmap)# match exfiltration
Shield(config-cmap)# exit

Shield(config)# policy-map SECURITY-POLICY
Shield(config-pmap)# class THREATS
Shield(config-pmap-c)# block
Shield(config-pmap-c)# log
Shield(config-pmap-c)# alert
Shield(config-pmap-c)# exit
Shield(config-pmap)# exit

Shield(config)# zone external
Shield(config-zone)# service-policy input SECURITY-POLICY
Shield(config-zone)# exit

Shield(config)# end
Shield# write memory
Building configuration...
[OK]
Enter fullscreen mode Exit fullscreen mode

194 commands. Familiar syntax. Zero learning curve for network teams.

Use Cases

1. API Gateway Integration 

                    ┌─────────────┐
User Request ──────►│   Shield    │─────► LLM API
                    │   (Filter)  │
                    └─────────────┘
                           │
                    Block / Allow / Log
Enter fullscreen mode Exit fullscreen mode

Shield sits at your API gateway, filtering every request before it reaches your AI.

2. Sidecar Deployment (Kubernetes) 

spec:
  containers:
    - name: your-app
      image: your-app:latest
    - name: shield
      image: sentinel/shield:1.2.0
      ports:
        - containerPort: 8080
Enter fullscreen mode Exit fullscreen mode

Zero code changes. Shield runs alongside your application.

3. Embedded Library 

#include "sentinel_shield.h"

shield_context_t ctx;
shield_init(&ctx);
shield_load_config(&ctx, "config.json");

// Before calling LLM
evaluation_result_t result;
shield_evaluate(&ctx, input, len, "external", DIRECTION_INBOUND, &result);

if (result.action == ACTION_BLOCK) {
    return error_response(result.reason);
}

// Call LLM
char *response = call_llm(input);

// Before returning to user
shield_filter_output(&ctx, response, strlen(response), filtered, &filtered_len);

return filtered;
Enter fullscreen mode Exit fullscreen mode

Direct integration for maximum control.

4. eBPF Kernel Filtering

For extreme performance requirements:

SEC("xdp")
int shield_xdp_filter(struct xdp_md *ctx)
{
    // Check blocklist
    if (is_blocked(src_ip)) {
        return XDP_DROP;
    }

    // Rate limit
    if (over_rate_limit(src_ip)) {
        return XDP_DROP;
    }

    return XDP_PASS;
}
Enter fullscreen mode Exit fullscreen mode

Filtering at 10M+ packets per second, before packets even reach userspace.

SENTINEL Academy

I didn't just build a tool. I built a curriculum.

24 training modules covering:

Level Duration Topics
SSA (Associate) 23 hours Concepts, installation, basic config
SSP (Professional) 90 hours Guards, protocols, HA, monitoring
SSE (Expert) 180 hours Internals, custom guards, eBPF, plugins

Available in both English and Russian.

Because security tools without training are just false confidence.

The Numbers

After 11 sprints:

  • 23,113 lines of C code
  • 99 source files
  • 64 header files
  • 20 protocols
  • 194 CLI commands
  • 6 specialized guards
  • 24 Academy modules
  • 100% OWASP LLM Top 10 coverage
  • 100% OWASP Agentic AI Top 10 coverage

What's Next

Shield is the foundation. The roadmap includes:

  1. More guards — Multimodal, vector DB, fine-tuning
  2. More protocols — A2A, extended MCP
  3. Hardware acceleration — DPDK, SmartNIC offload
  4. SENTINEL Guard LLM — AI model trained on our 201 detection engines

Get Started 

git clone https://github.com/DmitrL-dev/AISecurity.git
cd AISecurity/sentinel-community/shield
mkdir build && cd build
cmake ..
make -j$(nproc)

./shield-cli
Shield> show version
SENTINEL Shield v1.2.0
Shield>
Enter fullscreen mode Exit fullscreen mode

GitHub: github.com/DmitrL-dev/AISecurity

Conclusion

The AI security space is crowded with similar solutions — Python wrappers around ML classifiers, adding latency and attack surface.

I chose a different path: treat AI security like network security. Build it in C. Make it fast. Make it familiar. Make it infrastructure.

The result is SENTINEL Shield — the DMZ your AI deserves.

Star ⭐ the repo if you believe AI systems need proper security infrastructure.

Built solo. Open source. Apache 2.0.

Have questions? Find me on Telegram or email.

Top comments (0)