Compare · Glyphward vs Azure Prompt Shields
Glyphward vs Azure Prompt Shields
Microsoft's Azure AI Content Safety shipped Prompt Shields to GA in 2024 as a first-party text guardrail for direct and indirect prompt injection. It is well-built, absurdly cheap per call, and deeply tied into Azure. It is also a text-only product. If your threat model includes payloads hidden inside images or audio — the modality FigStep, AgentTypo and WhisperInject live in — you need something purpose-built.
TL;DR
Use Azure Prompt Shields if you are on Azure, your risk surface is text, and cost-per-record matters more than multimodal coverage. Use Glyphward if you accept image or audio uploads, if you are not on Azure, or if you want a scanner decoupled from your model provider. The two compose: Prompt Shields on the text path, Glyphward on the upload path.
What Prompt Shields actually does
Per Microsoft's public documentation, Prompt Shields is one of several detectors inside Azure AI Content Safety. It analyses text — both direct user prompts and text extracted from grounding documents — and flags jailbreak attempts and indirect prompt-injection patterns. It ships alongside Groundedness detection and the Protected Material detector, and is priced per 1,000 text records through standard Azure subscription metering.
Image scanning in the Azure Content Safety family lives in a different service — the image moderation API for sexual, hate, violence, and self-harm content categories. That is not a prompt-injection detector. It is a moderation classifier for policy violations in the pixel content, not a scanner for hidden instructions embedded typographically or adversarially in the image. Audio PI is not a first-class Prompt Shields feature as of the time of writing.
What Glyphward does instead
Glyphward is a single-purpose multimodal PI scanner. You POST an image or audio payload and receive a 0–100 risk score plus bounding-box coordinates on the flagged pixels or waveform windows. Our image stack is OCR + CLIP embedding + a text-in-image head benchmarked against a curated FigStep and AgentTypo corpus. Our audio stack is a waveform anomaly classifier ensembled with a Whisper-small transcript filter, designed for WhisperInject-class attacks.
We do not try to replace Prompt Shields. We cover the modality it was never designed for.
Honest feature table
| Azure Prompt Shields | Glyphward | |
|---|---|---|
| Direct text PI (user prompts) | First-class | Out of scope |
| Indirect text PI (grounding docs) | First-class | Out of scope |
| Image PI (typographic, FigStep) | Not a Prompt Shields capability | OCR + CLIP + text-in-image ensemble |
| Audio PI (WhisperInject) | Not a Prompt Shields capability | Waveform + transcript ensemble |
| Deployment friction | Azure subscription + region + RBAC | Signup, API key, first call in minutes |
| Pricing | Per 1,000 text records, Azure metered | Free 10/day · $29/mo Pro · $99/mo Team |
| Vendor coupling | Azure tenant | Model-agnostic, provider-agnostic |
| Free benchmark tier | Azure free credits during trial | 10 scans/day, no card, no tenant |
Where Glyphward wins
- Multimodal coverage. Image and audio PI are not Prompt Shields features. If uploads are your exposure, Prompt Shields is the wrong tool and a per-record price does not fix that.
- No Azure tenancy required. Teams on AWS, GCP, Modal, Render, Cloudflare Workers, their own VPS — any of them can hit our API in minutes without spinning up an Azure subscription, resource group, region, and RBAC.
- Provider-agnostic. If you move your model from Azure OpenAI to Anthropic, Google, or a self-hosted open weight, Glyphward keeps working. Prompt Shields is tied to your Azure stack.
- Bounding-box output. We return coordinates on offending pixels or waveform windows. Useful for human-in-the-loop review and for audit logs. Prompt Shields returns text-level verdicts.
Where Azure Prompt Shields wins
- First-party text PI on Azure AI. If you already run Azure OpenAI, bolting Prompt Shields onto the same content-safety pipeline is a one-click integration.
- Cost per text record. Azure's pricing for the text PI detector is cheap per 1,000 records at scale. If you send enormous text volumes, Prompt Shields is the cheapest line item you will ever see.
- Microsoft compliance posture. Azure's security and compliance certifications are deep. If your buyer needs FedRAMP, HIPAA, or region-pinned sovereignty, Azure's paperwork is already done.
- One invoice. Content Safety rolls up into the same Azure bill as the model you are guarding.
When to pick which
Pick Azure Prompt Shields if you are on Azure AI, your attack surface is text, and you want a first-party detector bundled with your model provider's safety posture.
Pick Glyphward if your attack surface is user-uploaded images or audio, or if you want a PI scanner that does not depend on your cloud provider. Common case: an avatar SaaS on Render accepting image uploads; a voice agent on Modal accepting audio; a screenshot-reading agent accepting pixels.
Run both if you are on Azure AI and you accept uploads. Prompt Shields handles the text I/O; Glyphward handles the upload ingress. They do not overlap.
Integration pattern (running both)
The clean pattern: in your upload handler, call Glyphward's POST /v1/scan on the raw image or audio bytes before passing them to your vision or audio model. If the risk score exceeds your threshold, block or route to human review. Once the file has been cleared, let the downstream model extract text as usual and send that text through Prompt Shields. You get two independent layers of defence, neither of which is doing the other's job. See our free-tier API reference for the exact payload and response shape.
FAQ
Does Azure Prompt Shields scan images?
Not in the prompt-injection sense. Image scanning in Azure AI Content Safety is a separate moderation service for policy categories (sexual, hate, violence, self-harm). It is not designed to catch instructions hidden in image pixels such as FigStep or AgentTypo. We have yet to see Microsoft position Prompt Shields as a multimodal PI detector in public docs; if that changes, we will update this page.
What about Azure's Groundedness detector?
Different problem. Groundedness detection flags LLM outputs that are not supported by the grounding documents you provided. Useful and complementary, but it is not a PI scanner and does not cover image or audio ingress.
Can I run Glyphward from inside an Azure Function?
Yes. Glyphward is a plain HTTPS API. Any Azure Function, App Service, Container App, or AKS pod can call it with an API key. No special Azure integration is needed or built in.
Do I need to strip the image content before sending it to Glyphward?
No. On the free tier we extract a perceptual hash and detector features, then discard the bytes. On paid tiers you choose between day-1 deletion and 30-day opt-in retention for compare reports. We do not train third-party models on user uploads.
Further reading
- FigStep detection and Audio prompt-injection detection — the attack classes Prompt Shields does not cover.
- Full multimodal PI scanner pricing comparison.
- Glyphward vs Lakera Guard · Glyphward vs LLM Guard.