Image injection detection
Catches FigStep, AgentTypo, and typographic PI hidden in rendered glyphs — including anti-OCR fonts, low-res composites, and multi-layer steganography.
Glyphward
Glyphward
Glyphward catches prompt injection hidden in images and audio — the modality every text-only scanner ignores.
The problem
Lakera Guard, LLM Guard, Azure Prompt Shields, Promptfoo — all of them read strings. None of them read pixels or waveforms. FigStep, AgentTypo, and WhisperInject walk straight past those defences, and Lakera's Check Point acquisition has pushed the only credible self-serve contender upmarket. If you ship an avatar SaaS, a chatbot that takes image uploads, a screenshot-reading agent, or a voice product, your text-layer filter is watching the wrong door.
How it works
POST an image URL, image bytes, or audio file to /v1/scan. The free web scanner accepts drag-and-drop — no account required for the first ten scans a day.
CLIP embedding, Tesseract OCR, and a small text-in-image head read the pixels. Whisper-small plus a waveform anomaly classifier read the audio. Both cross-reference a curated corpus of known-malicious payloads.
You get a 0–100 risk score, modality-tagged reasons, and bounding boxes on the offending pixels or waveform windows — in under 200 ms at the 95th percentile.
What you get
Catches FigStep, AgentTypo, and typographic PI hidden in rendered glyphs — including anti-OCR fonts, low-res composites, and multi-layer steganography.
Whisper-small transcript filter plus a waveform anomaly classifier. Catches spoken instructions, ultrasonic carriers, and payloads Whisper drops before transcript.
One HTTPS call or one npm install. Node, Python, and a raw REST endpoint. No custom infrastructure, no model hosting, no GPU bill.
Every scan that fires enriches the detector. Pro subscribers get an email the moment a new attack vector is added to the corpus — not six months later.
Pricing
$0/mo
Hobbyists, researchers, tire-kickers.
Most popular
$29/mo
Indie AI apps shipping images or voice.
$99/mo
Small teams with compare + governance needs.
Questions
No. OCR finds readable text; detection requires knowing which text is adversarial. Glyphward combines OCR with a CLIP visual embedding, a small text-in-image head, and a curated payload corpus — so it catches glyph-rendered instructions that OCR misses outright (low-res, anti-OCR fonts, multi-layer composites) and ignores benign text.
Yes — two detectors. A Whisper-small transcript filter catches spoken instructions. A waveform anomaly classifier catches out-of-band carrier payloads (ultrasonic prompts, inter-word steganography) that Whisper silently drops before it reaches your transcript filter.
On our curated FigStep, AgentTypo, and WhisperInject payload set we target recall ≥ 80% at under 1% false positives. The free scanner is the public benchmark — run your own samples and we publish the confusion matrix per release.
Not at v1. The compounding corpus works because scans cross-reference shared signatures across customers. Self-hosted offline mode is on the roadmap for Team customers with compliance needs; if that's a blocker, write in and we'll tell you where it sits in the queue.
Free tier: we extract a perceptual hash and detector features, then discard the bytes. Paid tiers: you choose — day-1 deletion, or 30-day opt-in retention so you can build compare reports. We never train third-party models on user uploads, and we never sell the corpus.
Free scanner ships first. The $29/mo API follows. Join the waitlist and we'll email the day you can paste an image in.
Get early access