Veto vs Lakera
Lakera Guard is a Check Point-owned prompt-security product. It classifies model inputs and outputs as policy-compliant or non-compliant, with a strong focus on prompt-injection detection. Veto is a runtime authorization SDK. It does not classify prompts; it intercepts the tool calls an agent emits and decides whether each one is allowed to run. One scores malicious inputs. The other governs disallowed actions. Defense in depth needs both.
Honest assessment
Lakera focuses on prompt-injection detection; its Gandalf game crowdsourced jailbreak attempts, and Guard is tuned for that problem. If your worry is "what if a user (or a poisoned document) tricks the model into taking a disallowed action," Lakera is optimized for that control point. Veto solves a different problem: regardless of how the model reached its decision, can it execute this tool call? Lakera detects intent. Veto controls outcomes. Production agents may need both.
What each product does
Lakera
A Check Point-owned AI security product line. Guard is a low-latency classifier API that scores prompts for injection, jailbreak, PII, off-topic content, and similar risks. The product sits at the prompt and content-filtering layer.
Core capability:
A REST API that takes a prompt and returns a classification with risk scores. Plug it in front of your model, or before/after the LLM call, and reject inputs that exceed a confidence threshold. Continuously updated against new attack patterns from their red-team and bug-bounty data.
- Prompt-injection and jailbreak classifier
- PII and sensitive-data detection in inputs
- Continuously trained against fresh attack data
- Red-team automation (Lakera Red)
- Low-latency API
Veto
An open-source runtime authorization SDK. Intercepts tool calls inside the agent process and evaluates them against YAML policies before execution.
Core capability:
Deterministic policy decisions on tool name, arguments, and user context. Outcomes are allow, deny, or escalate to human review. Policy evaluation runs in-process near process. Policies live as YAML in your repo and are versioned with your code.
- Tool-call interception before execution
- Deterministic YAML policies, no classifier
- Human review for review-required actions
- Per-decision record with rule citations
- Apache-2.0 SDK, self-hostable engine
Feature comparison
These products live at different points in the request lifecycle. Most rows are not "missing features." They are out of scope by design.
| Capability | Veto | Lakera |
|---|---|---|
| Tool-call authorization | ||
| Prompt-injection classifier | ||
| Deterministic policy engine | ||
| Probabilistic content scoring | ||
| Human review approvals | ||
| PII detection in inputs | ||
| Red-team simulation suite | ||
| Decision record | ||
| Framework integrations (LangChain, MCP) | ||
| In-process SDK path | ||
| Open-source core | ||
| Self-hosted option |
Choose by control point: prompt or action
A precise frame: agent failures usually have at least two breakable points, the instruction that reached the model and the action the model produced. Different tools defend different points.
Defending the instruction
A user pastes a malicious prompt. A retrieved document contains a hidden injection. A tool result contains adversarial content. Lakera Guard scores these inputs and lets you drop or sanitize them before they reach the model. This is appropriate, especially for high-volume consumer-facing agents.
Defending the action
The model decided to call refund(order_id, amount=999999). The classifier did not flag the prompt because the prompt looked normal -- "process this refund." Veto evaluates the call itself: is this amount in policy? Is this user authorized to issue refunds over $500? Should it be escalated to a human?
Both, ideally
Lakera lowers the rate at which malicious instructions reach the model. Veto enforces a deterministic policy on what the model can do. Defense in depth: classifier + policy. Either alone has gaps.
Pricing
Open Source runs locally. Core adds shared approvals, decision records, export, and retention. See the pricing page for price, retention, and action limits.
Commercial pricing depends on usage and deployment. Use the vendor quote for procurement. Enterprise deployment is quote-led.
Decision framework
Choose Veto when
- Your agent calls tools that have real-world side effects
- You need deterministic allow, deny, or escalate decisions
- Auditors want a log of each governed action and the rule that allowed it
- You want policies in version control alongside your code
- Review teams treat probabilistic detection as insufficient
Choose Lakera when
- You run a consumer LLM app and worry about prompt-injection volume
- You need to score and drop suspicious inputs before they reach the model
- Red-team simulation and continuous attack monitoring matter to your security team
- Your stack mostly talks to the LLM directly, not tools
- You want a managed classifier rather than running your own model
Frequently asked questions
Does Lakera Guard stop tool calls?
If Lakera catches the injection, do I still need Veto?
Can I use both Lakera and Veto?
Is Veto's policy engine open source?
Related comparisons
Model security vs action control
Veto vs Guardrails AIOutput validation vs authorization
Veto vs Cloudflare AI FirewallEdge vs application-layer control
Going deeper: AI agent permissions, Runtime authorization, Blog: MCP security guide.
Input security is necessary. Runtime authorization is required.