What Sets Them Apart
LLM security breaks cleanly into two problems: finding the vulnerabilities before an attacker does, and stopping attacks at runtime when they slip through. Lakera and garak map onto those two halves almost perfectly. garak is the offensive scanner you point at your model during development; Lakera Guard is the defensive proxy that sits in front of it in production. Teams building customer-facing AI features usually need both, but the decision of which to adopt first depends on where in the lifecycle you are.
Hono, Elysia, and Fastify at a Glance
garak is a pre-deployment vulnerability scanner in the same spirit as nmap or Burp Suite, but aimed at language model endpoints. It ships with a large probe catalogue covering prompt injection, data leakage, PII extraction, jailbreak families, encoding-based bypasses, toxicity and hallucination triggers, and takes any HTTP LLM endpoint as a target. Reports are reproducible and version-pinnable, which makes garak a natural fit for CI pipelines — you run the scan against a staging model, diff the results against the previous release, and block merges when a regression introduces a newly exploitable attack family. Because garak is Apache-licensed and runs locally, there is no data-sharing concern when scanning sensitive internal models. The weak spot is speed and coverage: runs can take hours depending on probe scope, and garak's catalogue lags behind the latest zero-day style attacks by weeks.
Lakera Guard solves the opposite problem: what do you do with attacks that were not caught before launch? It deploys as a thin API proxy between your users and your LLM provider, screening every prompt and every response for prompt injection, jailbreak patterns, PII leakage, toxic content, and data-extraction attempts. The latency budget is under 2 milliseconds per call, which matters because anything heavier is the difference between a feature shipping and not. Lakera's detection models are trained on what is effectively the world's largest labelled prompt-injection dataset — millions of attack attempts collected from Gandalf, the company's public red-teaming game. That data moat is Lakera's primary differentiator; no open-source scanner currently has comparable adversarial training data. The trade-off is commercial: Lakera is a paid SaaS, calls leave your infrastructure, and teams with strict data-residency requirements may find the deployment model awkward.
Use garak when you are still in development, when you self-host your models and care about keeping the red-teaming artefacts in-house, or when you need a reproducible, versionable scan you can gate CI on. Use Lakera Guard when you are operating customer-facing AI features and cannot accept a runtime attack surface — the moat of Gandalf-trained detectors is worth the proxy cost for any product where a successful injection leaks customer data or executes unintended actions. These tools are not really in competition: a mature LLM security posture uses garak to harden the model and the prompts before deployment, and Lakera Guard to catch whatever still gets through in production. Our pick of Lakera as the default reflects the reality that most teams shipping LLM features are feeling the production pain first and need runtime protection before they have the bandwidth for formalised red-teaming cycles.