OrcaRouter has published The AI Threat Report 2026 and made its agent Firewall and input\/output Guardrails free for every user \u2014 same API key, one switch, no code changes. The report argues that AI systems have become the attack surface, with prompt injection now the #1 risk to LLM applications and one that cannot be patched. OrcaRouter’s answer is architectural: gateway-level controls that bind to credentials, so any team can enforce them without rewriting their agents.<\/p>\n
Prompt injection ranks as the top risk
\nto LLM applications and, the company says, cannot be fully patched. OrcaRouter
\nSecurity Research has made its agent Firewall and input\/output Guardrails
\navailable at no cost to all users, attached to an existing API key.<\/b><\/p>\n
SINGAPORE \u2014 June 18, 2026 \u2014 <\/b>OrcaRouter<\/a>, the OpenAI-compatible LLM The AI Threat Report 2026 \u2014 14 The report states that AI systems have themselves become an By OrcaRouter Security Research \u00b7 June In June 2025, attackers exfiltrated corporate data from Microsoft According to the report, EchoLeak was not an isolated case but an The report’s 2026 incident record spans cases that challenged \u2022\u00a0\u00a0\u00a0\u00a0 Chat & Ask AI<\/b> left roughly 300 \u2022\u00a0\u00a0\u00a0\u00a0 Sears Home Services<\/b> exposed 3.7 million \u2022\u00a0\u00a0\u00a0\u00a0 An attacker chained a single CVE (CVE-2026-39987<\/b> in the \u2022\u00a0\u00a0\u00a0\u00a0 Microsoft and Salesforce<\/b> both shipped \u2022\u00a0\u00a0\u00a0\u00a0 Denial-of-wallet<\/b> \u2014 a hijacked or runaway Three years of public Traditional security assumes a boundary: trusted inside, untrusted That is why prompt injection holds the #1 position in the OWASP The report concludes that AI security is not a model-training The 14 key risks across four Every attack above succeeds against unscoped authority and fails \u2022\u00a0\u00a0\u00a0\u00a0 The content plane<\/b> \u2014 what the model reads \u2022\u00a0\u00a0\u00a0\u00a0 The action plane<\/b> \u2014 what the agent does: The report notes that the most damaging incidents cross both planes: \u2022\u00a0\u00a0\u00a0\u00a0 Scoped identity<\/b> \u2014 every agent calls \u2022\u00a0\u00a0\u00a0\u00a0 Input guardrails<\/b> \u2014 injection and \u2022\u00a0\u00a0\u00a0\u00a0 The action firewall<\/b> \u2014 every tool call, \u2022\u00a0\u00a0\u00a0\u00a0 Output guardrails<\/b> \u2014 the reply is \u2022\u00a0\u00a0\u00a0\u00a0 Anomaly detection<\/b> \u2014 behavioral baselines \u2022\u00a0\u00a0\u00a0\u00a0 Signed audit<\/b> \u2014 every match, verdict, The decisive property is placement. These controls live at the Observed prevalence versus The company says Guardrails and Firewall ship with an evaluation \u2022\u00a0\u00a0\u00a0\u00a0 HarmBench<\/b> (MIT; ICML 2024), JailbreakBench<\/b> \u2022\u00a0\u00a0\u00a0\u00a0 NVIDIA’s garak<\/b> (Apache-2.0), the open \u2022\u00a0\u00a0\u00a0\u00a0 AgentDojo<\/b> (NeurIPS 2024) \u2014 the agent \u2022\u00a0\u00a0\u00a0\u00a0 TruthfulQA<\/b> and others for grounding and OrcaRouter integrates open tooling directly: OSV<\/b> for On August 2, 2026, the EU AI Act becomes fully applicable<\/b>, OrcaRouter Firewall + Guardrails are now free for every user.<\/b> The controls attach to an API key already in use and do not require The company said it made the controls free deliberately, citing the Guardrails and a Firewall policy attach to an existing key, and the The report frames the 2026 threat landscape not as a reason to slow Availability: <\/b>The \u00a0<\/p>\n About OrcaRouter<\/b><\/p>\n OrcaRouter is an OpenAI-compatible LLM gateway from Continuum AI Media contact: <\/b>Yi Shi \u00b7
\ngateway, today published The AI
\nThreat Report 2026<\/i><\/a> and made two of its security controls available at
\nno cost to all users: the agent Firewall and input\/output Guardrails. According
\nto the company, the controls can be attached to an API key already in use,
\nwithout a separate integration or purchase.<\/p>\n
\nkey risks across four threat categories.<\/i><\/p>\n
\nattack surface, and that most organizations cannot see the attacks directed
\nagainst them.<\/b> Telemetry from production LLM applications shows the average
\nsuccessful attack completing in 42 seconds<\/b>, with 90% of them leaking
\nsensitive data<\/b> (Pillar Security). Prompt-injection attacks rose 340%
\nyear over year<\/b> (OWASP, Q1 2026). And 13% of organizations<\/b> have
\nalready been breached through an AI model or application \u2014 97% of those
\nlacked basic AI access controls<\/b> (IBM, 2025).<\/p>\n
\n2026<\/i><\/p>\n
\n365 Copilot. The victim did nothing wrong \u2014 no link clicked, no attachment
\nopened, no prompt approved. They received an email. Their AI assistant later
\nread it, and obeyed the instructions hidden inside. Disclosed by Aim Security
\nas EchoLeak (CVE-2025-32711)<\/b>, the attack gathered sensitive context from
\nmail, files, and chat history and smuggled it out through an auto-loading image
\nURL. Zero clicks.<\/p>\n
\nearly example of a broader pattern.<\/b><\/p>\nA year of escalating, increasingly automated incidents<\/h2>\n
\nlongstanding assumptions in enterprise security:<\/p>\n
\nmillion private chat messages from more than 25 million users exposed through a
\nFirebase misconfiguration (404 Media; Malwarebytes, Jan 2026).<\/p>\n
\nAI chat transcripts and call recordings \u2014 names, addresses, emails \u2014 spanning
\n2024\u20132026 (ExpressVPN; Cybernews, Mar 2026).<\/p>\n
\nmarimo notebook tool) into a live LLM agent that extracted cloud credentials,
\npulled an SSH key from AWS Secrets Manager, and exfiltrated an entire internal
\nPostgreSQL database in under two minutes (Sysdig; The Hacker News, May 2026).<\/p>\n
\npatches for AI-agent data-leak flaws. In CVE-2026-21520, a poisoned SharePoint
\nfield steered Copilot into emailing customer data to an attacker \u2014 and the data
\nleft even after a safety mechanism flagged the attack (Dark Reading).<\/p>\n
\nagent that simply spends \u2014 has been observed burning $46,000 a day (Sysdig,
\n\u201cLLMjacking\u201d). No data is stolen. There is only a bill.<\/p>\n
\nincidents, research, and regulation \u2014 2023 to 2026.<\/i><\/p>\nWhy traditional security tools miss these attacks<\/h2>\n
\noutside, controls at the seam. Language models dissolve that boundary, because a
\nmodel’s input is also its programming.<\/b> Every email, document, web page, and
\ntool result an agent reads can carry instructions it will follow. There is no
\nreliable, general mechanism by which today’s models separate content to process
\nfrom commands to obey.<\/p>\n
\nTop 10 for LLM Applications<\/b> \u2014 and why, the company argues, it will not be
\n\u201cpatched\u201d the way a buffer overflow is. It is described as a structural
\nproperty of the medium: a web application firewall inspects the request and
\nsees a perfectly valid API call, because the attack is in the words.
\nPer-request checks pass every step of a chained attack, because the damage
\nlives in the sequence \u2014 volume, repetition, and spend against time \u2014 not in any
\none call.<\/p>\n
\nproblem. It is an architecture problem<\/b> \u2014 and it is solvable with the same
\ndiscipline enterprises already apply to every other production system.<\/p>\n
\nthreat categories: content plane, action plane, economic, and trust &
\nsupply chain.<\/i><\/p>\nA gateway-level approach: two planes, six layers<\/h2>\n
\nagainst scoped, policed, audited authority. Containing them requires
\ncontrolling two distinct planes:<\/b><\/p>\n
\nand writes. This is the job of Guardrails.<\/p>\n
\nthe tools it calls, the networks it reaches, the money it spends. This is the
\njob of the Firewall.<\/p>\n
\nan injection arrives as content, then executes as an action. OrcaRouter’s
\ndesign places six independent, auditable layers between a request and its
\nexecution:<\/p>\n
\nthrough its own key carrying allowed models, an IP allow-list, a hard spend
\ncap, and an expiry. An out-of-scope request dies before any content is read.<\/p>\n
\njailbreak rules, PII detection and masking, secret blocking, and a semantic
\nLLM-judge that catches what regex cannot.<\/p>\n
\nMCP dispatch, and network egress is judged against ordered, default-deny policy
\nwith six verdicts: allow, audit, deny, sanitize, pending-approval, and
\ncap-cost. A hijacked agent cannot reach a tool, a host, or a spend limit that
\nwas not explicitly listed.<\/p>\n
\nscreened on the way out for unsafe output, PII, and secrets, with grounding
\nchecks. This is the layer that catches EchoLeak’s exfiltration URL before it
\nleaves.<\/p>\n
\nflag what static rules can’t predict: the same call hammered in a tight window,
\nspend spiking against a learned baseline, a tool-to-tool transition the
\nworkspace has never made.<\/p>\n
\napproval, and policy change lands in a tamper-evident trail, correlated by
\nagent run and session, exportable as evidence.<\/p>\n
\ngateway, in the request path, so they bind to credentials rather than
\napplication code<\/b> \u2014 enforceable across every team and framework, with no
\nagent rewrites.<\/p>\n
\npotential business impact, mapped by threat plane.<\/i><\/p>\nEvaluation against open red-team benchmarks<\/h2>\n
\nharness that scores them against more than 80 open-source red-team corpora,
\neach cited and licensed:<\/p>\n
\n(NeurIPS 2024), and AdvBench<\/b> (Zou et al., 2023) for harmful-behavior and
\njailbreak robustness;<\/p>\n
\nLLM vulnerability scanner, for injection and encoding attacks;<\/p>\n
\nprompt-injection benchmark the US and UK AI Safety Institutes used in joint
\nred-teaming \u2014 to grade the action-plane firewall specifically;<\/p>\n
\nhallucination.<\/p>\n
\ndependency CVEs and Semgrep<\/b> for code that transits a prompt.<\/p>\nAligning with incoming regulation<\/h2>\n
\nand \u201cshow me\u201d replaces \u201ctell me\u201d as the regulatory baseline. The same
\nevidentiary instinct is spreading through SOC 2 scopes, cyber-insurance
\nquestionnaires, and procurement reviews. OrcaRouter ships 36 compliance
\nframework packs<\/b> \u2014 including OWASP LLM Top 10, NIST AI RMF, ISO\/IEC 42001,
\nEU AI Act, SOC 2, HIPAA, PCI DSS, and GDPR \u2014 that apply controls within a
\nworkspace and generate signed evidence. According to the company, one control
\nlayer can produce attestation for all of them at once.<\/p>\nWhat is being released<\/h2>\n
\na separate integration.<\/p>\n
\nreport’s finding that restricting AI use without an approved alternative tends
\nto increase unsanctioned, or \u201cshadow,\u201d AI rather than reduce it \u2014 and that
\nshadow AI already drives one in five breaches at a $670,000 premium<\/b>
\n(IBM, 2025). The company argues that the response is as much economic as
\ntechnical: make the governed path the easiest path.<\/b> A control that
\ncarries an extra cost, requires manual integration, and must be justified to a
\nbudget committee is, it says, one that many teams will skip.<\/p>\n
\ncompany recommends a staged rollout: observe<\/b> (run in audit mode and let
\nreal traffic write the baseline), shadow<\/b> (run the real policy in
\nwould-block mode until false positives approach zero), then enforce<\/b>
\n(flip verdicts live, with human approval reserved for the genuinely
\nirreversible). Most teams convert in weeks \u2014 and keep the controls on.<\/p>\nOutlook<\/h2>\n
\nAI adoption but as a guide to managing it. Its central argument is that the
\ndocumented attacks succeed against unscoped authority and fail against scoped,
\npoliced, and audited authority \u2014 a property the company says can be implemented
\nat the gateway level.<\/p>\n
\nFirewall and Guardrails are available now to all OrcaRouter users. The AI
\nThreat Report 2026 is published on the OrcaRouter documentation site.<\/p>\n
\nPte. Ltd. (Singapore), routing across 200+ models with around 40% cost
\nreduction, sub-millisecond routing overhead, and zero token markup. A
\nself-hosted edition, OrcaRouter-Lite, is available under the MIT license.<\/p>\n
\nyi@continuum01.ai<\/p>\n