Implementing CrowdStrike AIDR Guardrails at the LLM Gateway with Bifrost

Deploy Bifrost with CrowdStrike AIDR guardrails to enforce inline prompt security, block prompt injection, redact sensitive content, and stream AI threat telemetry to CrowdStrike's detection console.

According to the OWASP Top 10 for LLM Applications, prompt injection stands as the leading security risk, yet many production systems route prompts directly to models without any inline inspection. Bifrost, the open-source AI gateway built in Go by Maxim AI, supports CrowdStrike AI Detection and Response (AIDR) as a guardrail provider that lets security teams apply CrowdStrike AIDR guardrails to every request and response before content reaches an LLM or returns to a caller. This post explores what this integration delivers, how it operates, configuration steps, and how Bifrost enforces AIDR decisions at the gateway layer.

What CrowdStrike AIDR Guardrails Provide

CrowdStrike AIDR guardrails are real-time security filters that scan LLM inputs and outputs against AIDR detection policies, then execute block decisions, apply redaction, and transmit AI security events to the CrowdStrike AIDR console. In Bifrost, AIDR functions as a third-party guardrail provider within the request and response processing pipeline.

The responsibility model is straightforward: CrowdStrike manages the detection policy, and Bifrost manages where and how to invoke AIDR and what to do with the response. Bifrost decides when AIDR evaluation runs, transmits the relevant content, then applies the block or redaction verdict that AIDR returns. Typical applications for CrowdStrike AIDR guardrails span:

• Catching and rejecting prompt injection or jailbreak attempts
• Blocking credentials, PII, or domain-specific sensitive data from reaching an LLM
• Applying redaction or sanitization when an AIDR policy returns modified text
• Running different policy rules on input prompts versus output completions
• Evaluating tool definitions, model tool calls, and tool response content in agent flows
• Forwarding AI security findings and event metadata to the AIDR console

The Value of Gateway-Level AI Guardrails

The AI interaction layer now constitutes a primary attack surface. When CrowdStrike announced Falcon AIDR in December 2025, the company framed prompts as the new malware, grounding that claim in more than 180 documented prompt injection patterns. The OWASP framework arrives at the same conclusion from an application security angle: preventing prompt injection at the model layer is challenging because models inherently struggle to distinguish trusted directives from untrusted data.

Placing guardrails at the gateway gives security teams a unified control surface. Every application that channels traffic through Bifrost applies the same inspection, policy, and audit logging without per-app integration complexity. For enterprises operating in regulated sectors, Bifrost Enterprise pairs this enforcement with broader governance capabilities so AI access control and security policy share a single administration layer.

Gatewary-level enforcement also standardizes protection across provider boundaries. Whether a request goes to OpenAI, Anthropic, or any alternative provider, Bifrost enforces identical CrowdStrike AIDR guardrails before content exits the gateway and before responses return to the application.

How CrowdStrike AIDR Guardrails Work Inside Bifrost

Bifrost translates each AIDR response into a specific enforcement action in the request flow. The sequence is:

1. A guardrail provider is created with provider_name: "crowdstrike-aidr" and connected to one or more policy rules.
2. When a rule matches, Bifrost pulls text and tool information from the incoming request or response.
3. Bifrost sends the payload to AIDR at {base_url}/v1/guard_chat_completions with event_type: "input" or event_type: "output".
4. AIDR evaluates the submission using the policy attached to your collector.
5. If AIDR returns blocked: true, Bifrost halts the path and returns GUARDRAIL_INTERVENED.
6. If AIDR returns transformed: true alongside guard_output, Bifrost substitutes the original text with the transformed output.
7. If neither flag is set, Bifrost permits the content to pass unchanged.

Bifrost transmits an OpenAI Chat Completions-formatted payload. Text is pulled from chat endpoints, completion APIs, text-only requests, reranking inputs, image-based prompts, and other content-bearing payloads, plus tool definitions and tool invocations when available. Therefore, CrowdStrike AIDR guardrails apply across traditional chat patterns and tool-executing agent patterns common in MCP-driven automation.

Detection signals on their own do not trigger blocks. Bifrost respects the AIDR policy decision, so content is rejected only when AIDR's configured action is block and AIDR returns blocked: true. To cause Bifrost to stop a request, configure that rule to block in CrowdStrike.

Setting Up CrowdStrike AIDR in Bifrost

To deploy CrowdStrike AIDR guardrails, you require Bifrost Enterprise with the guardrails plugin active, and a CrowdStrike Falcon deployment in a supported AIDR region (US-1, US-2, or EU-1). Gateway and application traffic require the AIDR for Agents subscription tier. You also need Falcon admin privileges for AIDR collector management and network paths from Bifrost to AIDR's API endpoints over HTTPS. Full CrowdStrike-side setup is in the CrowdStrike AIDR documentation.

How do I set up the AIDR provider in Bifrost?

After creating an Application collector in Falcon, assigning a policy, and obtaining the collector token and base URL, register the provider in Bifrost via the dashboard at Guardrails > Providers or via the management API:

curl -X POST http://localhost:8080/api/guardrails/crowdstrike-aidr \
  -H "Content-Type: application/json" \
  -d '{
    "name": "crowdstrike-aidr-prod",
    "enabled": true,
    "config": {
      "api_key": "env.CS_AIDR_TOKEN",
      "base_url": "env.CS_AIDR_BASE_URL",
      "app_id": "bifrost-production",
      "collector_instance_id": "prod-us-east-1",
      "timeout": 30
    }
  }'

The api_key field is required; all others are optional. Without an explicit base_url, Bifrost uses https://api.crowdstrike.com/aidr/aiguard. Tenants in US-2 or EU-1 specify their regional base URL. Including app_id and collector_instance_id improves correlation in AIDR logs. The provider timeout defaults to 30 seconds. Store the collector token in an environment variable or vault system rather than hardcoded.

How do I attach AIDR to a policy rule?

Guardrail rules use CEL (Common Expression Language) expressions to control when AIDR evaluation triggers. Reference the provider configuration ID in selectedGuardrailProfiles and specify the evaluation phase via applyTo:

curl -X POST http://localhost:8080/api/guardrails/rules \
  -H "Content-Type: application/json" \
  -d '{
    "name": "crowdstrike-aidr-all-chat",
    "description": "Run CrowdStrike AIDR on prompts and completions",
    "enabled": true,
    "celExpression": "true",
    "applyTo": "both",
    "samplingRate": 100,
    "timeout": 60,
    "maxTurnsToSend": 8,
    "selectedGuardrailProfiles": ["crowdstrike-aidr:12"]
  }'

Because profiles are reusable, the same CrowdStrike AIDR configuration can support multiple rules. A common approach combines CrowdStrike AIDR with native checks like secrets detection and custom regex for layered protection on the same traffic.

Outcomes: Blocking, Redacting, and Allowing

Bifrost maps each AIDR result to one of three actions at the gateway layer:

• Block: When AIDR returns result.blocked: true, Bifrost responds with GUARDRAIL_INTERVENED. The error uses AIDR's display message, top-level summary, or result summary. An input-phase block prevents the LLM from ever receiving the request.
• Redact: When AIDR returns result.transformed: true with valid guard_output, Bifrost forwards the request or response but substitutes transformed text. Redaction occurs only when the output text count matches the original count.
• Allow: When neither flag is present, the original content proceeds unmodified.

A blocked interaction responds with HTTP 400, type: "guardrail_intervention", and a message like "Blocked by CrowdStrike AIDR policy: Malicious Prompt was detected and blocked." Note that AIDR output inspection and redaction today apply only to non-streaming response bodies. Input guardrails continue to execute before streaming requests exit Bifrost, yet streaming response redaction remains unsupported.

Traceability and Audit

Every CrowdStrike AIDR check generates metadata that Bifrost captures in logs and traces, including the AIDR policy evaluated, whether blocking occurred, whether transformation was applied, detector count, and detector identities. This enables mapping each enforcement action from a Bifrost log to the corresponding AIDR Findings entry.

This information feeds into Bifrost's observability ecosystem. Deployments already exporting spans via OpenTelemetry can observe guardrail verdicts alongside performance and token metrics, and immutable audit logs from Bifrost Enterprise support compliance reporting for SOC 2, GDPR, HIPAA, and ISO 27001. Paired with virtual keys, this framework provides per-project visibility into which teams or workflows triggered which AIDR policies.

Common Rule Patterns

CEL rules let you apply CrowdStrike AIDR guardrails selectively, keeping latency and service costs in check on high-volume systems. Practical examples include:

• Inspect only external-user requests: headers["x-user-type"] == "external"
• Enforce only for production keys: headers["x-bf-vk"] == "prod"
• Target a specific provider or model: provider == "openai" && model.startsWith("gpt-4")
• Reduce conversation history sent with maxTurnsToSend to cap request size

For wide deployments, reduce samplingRate on busy endpoints, set appropriate rule and provider timeouts, and combine AIDR with governance controls so security policy and cost management sit together. If blocks aren't working as expected, verify your AIDR policy action is set to block; Bifrost doesn't block on detector signals alone.

Next Steps

CrowdStrike AIDR guardrails deliver inline security enforcement at the LLM gateway: stopping prompt injection, redacting sensitive data, and enforcing policy across every request-response pair. Since the detection stays in CrowdStrike and enforcement stays in Bifrost, your security team keeps its existing threat model while gaining consistent, provider-neutral protection.

To explore CrowdStrike AIDR guardrails and the broader Bifrost resource collection, reach out to the Bifrost team for a conversation about your AI infrastructure and security strategy.