AI Governance

CrowdStrike AIDR Guardrails for LLMs with Bifrost

CrowdStrike AIDR Guardrails for LLMs with Bifrost
Bifrost integrates CrowdStrike AIDR as a guardrail provider, enforcing CrowdStrike AIDR guardrails on every prompt and completion to block prompt injection, redact sensitive data, and stream AI security telemetry.

Prompt injection ranks as the top security risk in the OWASP Top 10 for LLM Applications, and most production AI systems still send prompts straight to a model with no inline inspection. Bifrost, the open-source AI gateway built in Go by Maxim AI, integrates CrowdStrike AI Detection and Response (AIDR) as a guardrail provider so security teams can enforce CrowdStrike AIDR guardrails on every prompt and completion before content reaches an LLM or a user. This post covers what the integration does, how it works, how to configure it, and how Bifrost enforces AIDR block and redaction decisions at the gateway.

What CrowdStrike AIDR Guardrails Do

CrowdStrike AIDR guardrails are inline security checks that inspect LLM inputs and outputs against AIDR detection policies, then block policy violations, redact sensitive content, and send AI security telemetry to the CrowdStrike AIDR console. In Bifrost, AIDR runs as a third-party guardrail provider inside the request path.

The division of responsibility is clean: CrowdStrike owns the detection policy, and Bifrost owns the enforcement path. Bifrost decides when to call AIDR, sends the relevant AI traffic, then blocks or rewrites the request or response based on the verdict that AIDR returns. Typical use cases for CrowdStrike AIDR guardrails include:

  • Detecting and blocking prompt injection or jailbreak attempts
  • Preventing credentials, PII, or custom sensitive entities from being sent to an LLM
  • Redacting or defanging content when an AIDR policy returns transformed text
  • Evaluating input prompts and output completions with different policy rules
  • Inspecting tool definitions, assistant tool calls, and tool results in agent flows
  • Streaming AI security findings and metadata into the AIDR console

Why Inline AI Guardrails Matter at the Gateway

The AI interaction layer is now a primary attack surface. CrowdStrike, announcing the general availability of Falcon AIDR in December 2025, described prompts as the new malware and built AIDR on intelligence from more than 180 known prompt injection techniques. OWASP reaches the same conclusion from a different direction: prompt injection is hard to prevent at the model level because models cannot reliably separate trusted instructions from untrusted content.

Enforcing guardrails at the gateway, rather than inside each application, gives security teams a single control point. Every team that routes through Bifrost inherits the same inspection, the same policy, and the same audit trail, with no per-application integration work. For regulated industries and strict enterprise requirements, Bifrost Enterprise pairs this enforcement with the wider governance stack, so AI security and access control share one configuration surface.

This gateway-level model also keeps detection consistent across providers. Whether a request targets OpenAI, Anthropic, or any of the other supported providers, the same CrowdStrike AIDR guardrails apply before the request leaves Bifrost and before the response returns to the caller.

How Bifrost Enforces CrowdStrike AIDR Guardrails

The Bifrost AI gateway maps each AIDR verdict to a concrete enforcement action in the request path. The flow is:

  1. A guardrail provider is created with provider_name: "crowdstrike-aidr" and attached to one or more rules.
  2. When a rule matches, Bifrost extracts text content and tool context from the request or response.
  3. Bifrost calls AIDR at {base_url}/v1/guard_chat_completions with event_type: "input" or event_type: "output".
  4. AIDR evaluates the payload against the policy assigned to your collector.
  5. If AIDR returns blocked: true, Bifrost returns GUARDRAIL_INTERVENED and stops that request or response path.
  6. If AIDR returns transformed: true with guard_output, Bifrost applies the transformed text in place of the original.
  7. If AIDR returns neither flag, Bifrost allows the original content through unchanged.

Bifrost sends AIDR an OpenAI Chat Completions-shaped payload. The text fields are extracted from chat, Responses API, text completions, rerank queries, image prompts, and other text-bearing objects, alongside tool definitions and tool calls when present. This means CrowdStrike AIDR guardrails cover both conventional chat traffic and the tool-calling patterns common in MCP-based agent workflows.

Detector findings on their own do not block traffic. Bifrost follows the AIDR policy response, so a request is stopped only when the policy action is set to block and AIDR returns blocked: true. To make Bifrost reject a request, configure the relevant AIDR policy rule action to block on the CrowdStrike side.

Configuring CrowdStrike AIDR in Bifrost

Setting up CrowdStrike AIDR guardrails requires a Bifrost Enterprise deployment with the guardrails plugin enabled and a CrowdStrike Falcon tenant in a supported AIDR cloud (US-1, US-2, or EU-1). For gateway and application traffic, the relevant subscription is AIDR for Agents. You also need a Falcon user with permission to manage AIDR collectors, and network egress from Bifrost to the AIDR API over HTTPS. CrowdStrike-side policy and collector setup is documented in the CrowdStrike AIDR overview.

How do I create the AIDR provider in Bifrost?

Create an Application collector in the Falcon console, assign it a policy, then copy the collector token and base URL into Bifrost. You can configure the provider through the dashboard under Guardrails > Providers, or through the management API:

curl -X POST <http://localhost:8080/api/guardrails/crowdstrike-aidr> \\
  -H "Content-Type: application/json" \\
  -d '{
    "name": "crowdstrike-aidr-prod",
    "enabled": true,
    "config": {
      "api_key": "env.CS_AIDR_TOKEN",
      "base_url": "env.CS_AIDR_BASE_URL",
      "app_id": "bifrost-production",
      "collector_instance_id": "prod-us-east-1",
      "timeout": 30
    }
  }'

Only api_key is required. The base_url defaults to https://api.crowdstrike.com/aidr/aiguard; US-2 and EU-1 tenants use their regional base URL. Setting app_id and collector_instance_id improves attribution in AIDR logs. The provider timeout defaults to 30 seconds. Store the collector token in an environment variable or a secrets manager rather than inline.

How do I attach AIDR to a rule?

Guardrail rules use CEL (Common Expression Language) to decide when AIDR runs. Reference the provider configuration ID in selectedGuardrailProfiles and set the phase with applyTo:

curl -X POST <http://localhost:8080/api/guardrails/rules> \\
  -H "Content-Type: application/json" \\
  -d '{
    "name": "crowdstrike-aidr-all-chat",
    "description": "Run CrowdStrike AIDR on prompts and completions",
    "enabled": true,
    "celExpression": "true",
    "applyTo": "both",
    "samplingRate": 100,
    "timeout": 60,
    "maxTurnsToSend": 8,
    "selectedGuardrailProfiles": ["crowdstrike-aidr:12"]
  }'

Because the AIDR profile is reusable, the same configuration can back several rules. A common pattern pairs CrowdStrike AIDR guardrails with native checks such as secrets detection and custom regex for defense in depth across the same request.

Policy Outcomes: Block, Redact, or Allow

Bifrost maps each AIDR response to one of three behaviors at the gateway:

  • Block: When AIDR returns result.blocked: true, the Bifrost AI gateway responds with GUARDRAIL_INTERVENED. The error reason uses the AIDR display message, top-level summary, or result summary, in that order. For an input guardrail, the LLM request is never sent to the model.
  • Redact: When AIDR returns result.transformed: true with a valid guard_output, Bifrost allows the request or response but substitutes the transformed text. Redaction applies only when the transformed output count matches the original text count.
  • Allow: When AIDR returns neither flag, the original content passes through unchanged.

A blocked interaction returns HTTP 400 with type: "guardrail_intervention" and a message such as "Blocked by CrowdStrike AIDR policy: Malicious Prompt was detected and blocked." One current limitation is worth planning around: AIDR output inspection and redaction apply to non-streaming response bodies only. Input guardrails still run before a streaming request reaches the LLM, but streaming output redaction is not supported.

Observability and Audit for AI Security

Every CrowdStrike AIDR evaluation produces metadata that the Bifrost gateway records for logs and spans, including the evaluated AIDR policy name, whether AIDR blocked the interaction, whether it transformed the content, the detector count, and the detector names. This makes each enforcement decision traceable from a Bifrost request log to the matching entry in the AIDR Findings page.

That telemetry flows into the broader Bifrost observability stack. Teams already exporting traces through OpenTelemetry see guardrail decisions alongside latency and token data, and the immutable audit logs in Bifrost Enterprise support SOC 2, GDPR, HIPAA, and ISO 27001 reporting. Combined with virtual keys, this gives security teams per-consumer attribution for which projects triggered which AIDR policies.

Rule Patterns and Best Practices

CEL rules let you scope CrowdStrike AIDR guardrails to the traffic that needs them, which keeps latency and AIDR cost under control on high-volume endpoints. Useful patterns include:

  • Run AIDR only for external-user traffic: headers["x-user-type"] == "external"
  • Run AIDR only for production virtual keys: headers["x-bf-vk"] == "prod"
  • Run AIDR for a specific provider or model: provider == "openai" && model.startsWith("gpt-4")
  • Limit historical context with maxTurnsToSend to cap how much conversation history each call sends to AIDR

For broader rollouts, lower the samplingRate on noisy endpoints, set realistic rule and provider timeouts, and layer AIDR with native governance controls so policy enforcement and budget control live in one place. If AIDR is not blocking when expected, confirm the policy action is set to block; Bifrost does not independently block on detector findings.

Getting Started with Bifrost

CrowdStrike AIDR guardrails give enterprise teams an inline control point for AI security: prompt injection blocking, sensitive-data redaction, and policy enforcement applied to every prompt and completion that passes through the gateway, with full telemetry into both Bifrost and the AIDR console. Because the policy stays in CrowdStrike and the enforcement stays in Bifrost, security teams keep their existing detection model while gaining consistent, provider-agnostic protection.

To see how CrowdStrike AIDR guardrails and the wider Bifrost resources hub fit your AI security and governance requirements, book a demo with the Bifrost team.

Read next