Azure Prompt Shields alternative for teams not on Azure
Azure AI Content Safety Prompt Shields is a strong text prompt-injection detector — and it ships as part of Azure's tenant-bound stack with per-call pricing tied to your Azure subscription. If your runtime lives on AWS, GCP, Cloudflare Workers, Fly, Vercel, or your own metal, you have three options: spin up Azure just for the scanner, build your own, or pick a cross-cloud detector. This page is for the third path.
TL;DR
Glyphward is a cross-cloud, flat-rate, multimodal alternative to Azure Prompt Shields. One HTTPS endpoint, no tenant binding, no Azure-AD round-trip, and image plus audio bytes as first-class inputs — not just text strings. Use Glyphward if your stack is not Azure-native, or if you are Azure-native but need image and audio coverage that Prompt Shields does not provide.
What Prompt Shields actually does
Prompt Shields is Azure AI Content Safety's prompt-injection detector. It accepts user prompts and (optionally) document context, and returns a verdict for two attack classes: direct user-prompt jailbreaks (called userPromptAttack) and indirect attacks injected through retrieved documents (called documentAttack). It is text-in, text-verdict-out, served from Azure regions, billed under your Azure Cognitive Services subscription with a per-1k-text-records meter on top of your data egress.
Worth a clarifying note up front, because this is the most common confusion we hear in this buyer conversation: Azure also ships an image moderation API under the same Content Safety umbrella, but that is a content moderation classifier (violence, sexual content, self-harm, hate), not a prompt-injection detector. It will happily pass a clean-looking screenshot containing a hidden FigStep payload because such payloads are not what it is trained to flag. Our /compare/vs-azure-prompt-shields page walks through that distinction in more detail; it bites everyone at least once.
Where the Azure-only constraint hurts
Three concrete operational frictions make Prompt Shields a poor fit for non-Azure deployments:
- Tenant binding — you need an Azure subscription, a Cognitive Services resource, and Entra ID (Azure AD) to issue a key. For a team whose entire stack is on AWS or GCP, that is an extra cloud to bill, secure, and audit just to get a single endpoint.
- Cross-cloud egress — every detector call is a round-trip from your runtime region to an Azure region. For latency-sensitive paths (voice agents, real-time avatar SaaS) the geography matters, and you cannot collapse the hop without moving the runtime.
- Per-call meter complexity — Prompt Shields prices per 1,000 text records, and the cost lands in the same Azure invoice as the rest of your Cognitive Services usage. For a self-serve SMB buyer comparing a $29/mo flat-rate to a metered line item with no flat ceiling, the comparison is harder than it should be.
Architectural difference
| | Azure Prompt Shields | Glyphward |
|---|---|---|
| Hosting | Azure-tenant-bound, Azure regions | Cloud-portable HTTPS endpoint, Cloudflare-fronted |
| Auth | Azure subscription key + Entra ID | Single API key, optional HMAC |
| Modalities | Text (user prompt + doc context) | Image bytes + audio bytes + text fallback |
| Multimodal PI | Not in scope (image moderation is separate, different purpose) | FigStep / AgentTypo / WhisperInject / typographic / indirect-via-image |
| Pricing model | Per 1k text records, billed via Azure subscription | Flat $29/mo or $99/mo, free tier 10/day |
| SDK lock-in | Azure SDK ecosystem encouraged | Plain REST, no SDK required |
| Region story | Pick from Azure regions | Single global anycast endpoint |
The architectural difference matters less than the deployment one. Prompt Shields is the right detector for an Azure-native stack with text-only PI surface and procurement that already knows Azure billing. Glyphward is the right detector for everyone else — and the right second detector for Azure-native shops whose attack surface includes image and audio uploads.
Run-both for Azure-native teams
If you are on Azure and Prompt Shields covers your text path satisfactorily, the multimodal half is still uncovered. The clean composition:
- Text path — keep Prompt Shields. It is right where it should be.
- Image upload path — call Glyphward before the image hits Azure OpenAI's vision endpoint. Block on score > threshold; pass on clean.
- Audio path — call Glyphward before STT (whether you are using Azure AI Speech, Whisper, or a third-party provider). Audio PI bypasses transcript-only filters by construction; the detector has to see the waveform.
You keep the Azure billing relationship, you do not introduce a new vendor for the part of the stack Prompt Shields already handles, and you close the multimodal gap without rebuilding anything.
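The run-both composition above as a routing gate, in an added example that is not Glyphward's or Azure's code: each modality goes to its own detector, and an input is blocked when no detector covers it, the detector fails, or the score exceeds the threshold. The detector callables, the 0-to-1 score scale and the 0.5 threshold are assumptions; the stand-in detectors and sample bytes are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# Assumed interface: a detector takes raw bytes and returns a risk score in [0, 1].
Detector = Callable[[bytes], float]

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str

class InjectionGate:
    """Routes each input to the detector for its modality and fails closed."""

    def __init__(self, detectors: Dict[str, Detector], threshold: float = 0.5):
        self.detectors = detectors
        self.threshold = threshold  # assumed value; tune per deployment

    def check(self, modality: str, payload: bytes) -> Decision:
        detector = self.detectors.get(modality)
        if detector is None:
            # A text-only detector says nothing about images or audio.
            return Decision(False, f"no detector covers {modality}")
        try:
            score = float(detector(payload))
        except Exception as exc:  # timeout, HTTP error, malformed response
            return Decision(False, f"detector failed: {type(exc).__name__}")
        if not (0.0 <= score <= 1.0):  # also rejects NaN
            return Decision(False, "detector returned an invalid score")
        if score > self.threshold:
            return Decision(False, f"score {score:.2f} above threshold")
        return Decision(True, f"score {score:.2f}")

# Constructed stand-ins for the real detector calls on each path.
def text_detector(payload: bytes) -> float:
    return 0.9 if b"ignore previous instructions" in payload.lower() else 0.1

def image_detector(payload: bytes) -> float:
    return 0.8 if payload.startswith(b"CONSTRUCTED-FLAGGED") else 0.05

def unreachable_detector(payload: bytes) -> float:
    raise TimeoutError("detector did not answer")

if __name__ == "__main__":
    gate = InjectionGate({"text": text_detector, "image": image_detector})
    for modality, data in [("text", b"What is the refund policy?"),
                           ("image", b"CONSTRUCTED-FLAGGED sample"),
                           ("audio", b"constructed waveform bytes")]:
        print(modality, gate.check(modality, data))
```

With only the text and image detectors registered, the audio input is refused rather than passed through unscanned, which is the gap a text-only deployment leaves open.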
When to pick which
- Pick Prompt Shields if you are Azure-native, your PI surface is text, and consolidating vendors under one cloud invoice is a hard requirement from procurement.
- Pick Glyphward if you are on AWS, GCP, Cloudflare, Fly, Vercel, or self-hosted, and you need a cross-cloud detector with image and audio as first-class inputs.
- Run both if you are Azure-native but accept image or voice input. Prompt Shields covers the text path; Glyphward covers the upload path. The composition is layered, not adversarial.
What a switch costs
Migrating off Prompt Shields onto Glyphward — for a non-Azure team that ended up there for the detector but never used Azure for anything else — is roughly an afternoon of work: replace the SDK call with a single POST /v1/scan, point the API key at our endpoint, and remove the Cognitive Services resource. For a hybrid run-both, the work is even smaller: add the call on the upload path, leave Prompt Shields on the text path, ship.
Related questions
Doesn't Azure already have an image API?
Yes — Azure AI Content Safety has an image moderation classifier. It is trained for content moderation (violence, sexual, self-harm, hate categories), not for prompt-injection. A FigStep payload is not in any of those categories, and the moderation API is not designed to flag it. Treat image moderation and image-PI detection as different products with different training objectives.
Can I call Prompt Shields from a non-Azure runtime?
You can — the API is HTTPS — but you still need an Azure subscription to issue the key, the call still hits an Azure region, and your invoice still lives in Azure. The friction is operational, not technical.
What's your latency story vs Prompt Shields?
We target sub-200ms p95 from a single global anycast endpoint. Prompt Shields latency depends on which Azure region you pick relative to your runtime; cross-region calls can add 50–200ms on their own. For voice agents and other latency-sensitive paths, the geography matters.
Are you on the Azure Marketplace?
Not currently. Marketplace listing is on the long-term roadmap once self-serve revenue justifies the listing and certification cost. If your procurement requires Marketplace transactions today, Prompt Shields is the right answer.
How do you handle data residency?
Image and audio bytes are processed and discarded — no retention by default. Aggregated detection statistics are kept for corpus improvement but are detached from any identifiable upload. If you have a stricter residency requirement than that (e.g. EU-only processing), email hello@glyphward.com and we will tell you honestly whether we can meet it today.
Further reading
- Glyphward vs Azure Prompt Shields — head-to-head feature table and the full image-moderation-vs-PI clarification.
- Multimodal PI scanner pricing comparison (2026) — Lakera, LLM Guard, Azure, Promptfoo, Glyphward in one matrix.
- Multimodal LLM security API — what a multimodal PI API looks like in practice.
- Prompt-injection scanner for voice agents · …for screenshot agents — concrete ICP integration patterns.