Verified pilot runtime for internal APIs

Secure execution for modern automation.

A policy enforcement runtime that inspects requests before they reach upstream APIs. Built for the current pilot deployment path and the operational controls that go with it.

Initialize
Guard Rail
Payload Signed
Pilot-verified runtime path

// Risk Vector

Automation is scaling.
Control is not.

Operations now move through Zapier, Make, custom scripts, and AI agents. Those flows still need request-level inspection because perimeter controls do not understand what happens inside the workflow.

When an unverified third-party app executes a workflow across your internal API, you don't have a firewall problem. You have a runtime problem.

Fast-moving sprawl
More routes, more blind spots
New integrations and workflow tools arrive faster than teams can review them, which makes audit trails harder to trust.

Unverified third-party logic
External steps still need inspection
External webhooks and partner automations can move critical data without any payload-level check unless the runtime is in line.

Shadow Workflows
Operations bypassing central review and control.

// The Primitive

Zero-Trust Execution.

Change the webhook URL. Add a YAML policy file. Guard Rail sits between and inspects every payload before it reaches your enterprise core.

[Flow diagram: Untrusted Trigger (Webhook · Partner API · Zapier · AI Agent) → POST /v1/execute → Guard Rail (Inspect · Sanitize · Log) → ALLOW: Forward to Enterprise Core (Internal DBs · Core Banking · ERP), upstream response returned; BLOCK: 403 + Violation Details]

01 / Intercept
Your webhook, our endpoint
Configure your automation tool to POST to gw.guardrail.co.za/v1/execute/{route} instead of your internal system. No other code changes.

02 / Inspect
Policy engine evaluates the payload
Every policy is evaluated against the request body using JSONPath field extraction. Domain checks, regex patterns, size limits, field presence — all in microseconds.

03 / Verdict
Allow or block — with full context
Allowed requests are forwarded with Guard Rail headers. Blocked requests return a 403 stating exactly which policy matched, which field triggered it, and the value that failed.

// Policy Engine

YAML policies.
Version-controlled.
Hot-reloaded.

Define security rules as YAML files alongside your infrastructure config. Guard Rail watches for changes and reloads without downtime. Bad syntax keeps the previous valid set active.

domain_not_in · domain_in · regex_match · regex_not_match · equals · not_equals · contains · not_contains · size_exceeds · field_exists · field_not_exists

policies/security.yaml

    # Block payloads with external callback URLs
    policies:
      - name: block-external-callbacks
        rules:
          - field: "$.callback"
            condition: domain_not_in
            values: ["*.internal.bank.za"]
            action: block
            severity: critical

      - name: pii-detection
        description: Block SA ID numbers in payload
        rules:
          - field: "$..**"
            condition: regex_match
            # Single-quoted so \b and \d reach the regex engine unchanged;
            # inside YAML double quotes \b is a backspace and \d is an invalid escape.
            pattern: '\b\d{13}\b'
            action: block
            severity: critical

      - name: payload-size-limit
        rules:
          - field: "$"
            condition: size_exceeds
            max_bytes: 102400
            action: block
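
How the three policies above decide a request, as an added example (not Guard Rail's own code). It assumes `*.internal.bank.za` is a glob matched against the parsed URL hostname, that `"$..**"` means every leaf value in the body, and that the 403 detail carries `policy`, `field` and `value` keys; all function and key names are hypothetical.

```python
import json
import re
from fnmatch import fnmatch
from urllib.parse import urlsplit

# The rules from policies/security.yaml, written as dicts so no YAML parser is needed.
POLICIES = [
    {"name": "block-external-callbacks", "field": "$.callback",
     "condition": "domain_not_in", "values": ["*.internal.bank.za"]},
    {"name": "pii-detection", "field": "$..**",
     "condition": "regex_match", "pattern": r"\b\d{13}\b"},
    {"name": "payload-size-limit", "field": "$",
     "condition": "size_exceeds", "max_bytes": 102400},
]

def walk(node, path="$"):
    """Yield (path, value) for every leaf; the assumed meaning of "$..**"."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    else:
        yield path, node

def evaluate(raw: bytes):
    """Return (status, detail): 200 means forward, 403 names the matching policy."""
    try:
        body = json.loads(raw)
    except ValueError:
        return 403, {"policy": "invalid-json"}  # unparseable input is never forwarded
    for p in POLICIES:
        cond = p["condition"]
        if cond == "size_exceeds":
            hits = [("$", len(raw))] if len(raw) > p["max_bytes"] else []
        elif cond == "domain_not_in":
            key = p["field"][2:]  # this sketch handles top-level "$.name" paths only
            value = body.get(key) if isinstance(body, dict) else None
            # Compare the parsed hostname, not the raw string, so userinfo and
            # query-string tricks cannot smuggle an allowed suffix past the check.
            host = None if value is None else (urlsplit(str(value)).hostname or "")
            ok = host is None or any(fnmatch(host, pat) for pat in p["values"])
            hits = [] if ok else [(p["field"], value)]
        else:  # regex_match over every leaf value
            hits = [(path, v) for path, v in walk(body) if re.search(p["pattern"], str(v))]
        if hits:
            return 403, {"policy": p["name"], "field": hits[0][0], "value": hits[0][1]}
    return 200, {}
```

A callback value with no parseable hostname is treated as outside the allowed domains and blocked.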

// Capabilities

Designed for Resilience.

Sandboxed Runtime
Payload Inspection

Guard Rail receives your webhook, inspects the payload against every configured policy using JSONPath field matching, and either forwards or blocks the request. No custom application code runs inside the policy path.

env.inspect() → execution_context_id: GR-8922x
Policy Engine
Declarative YAML Rules

Block malicious payloads at the field level. 11 condition types, JSONPath targeting, hot-reload on file change.

Audit Trail
Cryptographic Audit Logs
[INFO] Checksum verified
[WARN] PII detected, masking...
[PASS] Block #9924 committed
[BLOCK] domain_not_in triggered
[INFO] upstream → 200 OK
Replay Engine
Deterministic Replay

Capture full request state. Replay exact execution for debugging — against current or modified policies.

Safety
Fail-Closed by Design

Guard Rail refuses to start if policy files reference a missing name. On hot-reload, a syntax error keeps the last valid set active so an invalid update does not silently disable inspection.
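
The validate-then-swap pattern behind this behaviour, as an added example (not Guard Rail's own code). It assumes policy text in JSON syntax as a stand-in for YAML so that only the standard library is needed, and that "invalid" covers unknown condition names and patterns that do not compile; `PolicyStore` and `parse_policy_set` are hypothetical names.

```python
import json
import re

# The 11 condition types listed on this page.
CONDITIONS = {"domain_not_in", "domain_in", "regex_match", "regex_not_match",
              "equals", "not_equals", "contains", "not_contains",
              "size_exceeds", "field_exists", "field_not_exists"}

def parse_policy_set(text: str) -> list:
    """Parse and validate a whole policy document; raise ValueError on any defect."""
    try:
        policies = json.loads(text)["policies"]  # bad syntax raises ValueError here
        for policy in policies:
            for rule in policy["rules"]:
                if rule["condition"] not in CONDITIONS:
                    raise ValueError(f"unknown condition in policy {policy['name']!r}")
                if "pattern" in rule:
                    re.compile(rule["pattern"])  # reject patterns that cannot compile
    except (KeyError, TypeError, re.error) as exc:
        raise ValueError(f"invalid policy set: {exc!r}") from exc
    return policies

class PolicyStore:
    def __init__(self, initial_text: str):
        # Startup: an invalid set raises, so the process never runs without policies.
        self.active = parse_policy_set(initial_text)
        self.last_error = None

    def reload(self, text: str) -> bool:
        """Swap in the new set only if all of it validates; otherwise keep the old one."""
        try:
            candidate = parse_policy_set(text)
        except ValueError as exc:
            self.last_error = str(exc)  # surface the failure for alerting
            return False
        self.active, self.last_error = candidate, None
        return True
```

Alert on `last_error` after every reload: a rejected update means the running rules are older than the file on disk.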

Compliance
Deployment Boundaries That Support POPIA

On-premise or single-region ZA AWS VPC deployment gives teams a path to keep payload handling within their chosen boundary. Final compliance still depends on deployment, policy, and operational controls.


// The Shift in Paradigm

What standard gateways miss.

Capability · Legacy API Gateways · In-house Middleware · Guard Rail
Header & Token Auth
Deep Payload Logic Inspection · Partial
Sandboxed Execution Environment
Deterministic Error Replay
ZA Residency Controls · Vendor-specific

// Value Extraction

Predictable compute pricing aligned to enterprise scale.

Proof of Value
POV Pilot
R95k/mo
12-week engagement · 1 environment

  • //1 Sandbox Environment
  • //Up to 1M executions
  • //14-day log retention
Start Pilot
Current ICP
Core Production
Enterprise Node
Custom
Annual contract · multi-environment

  • //Multi-tenant isolation
  • //Unlimited execution volume
  • //On-premise / VPC deployment
  • //Cryptographic auditing SDK
Model ROI
Infrastructure
OEM License
Rev-Share or Flat
Embed in your iPaaS

  • //White-labeled runtime
  • //Embed in your iPaaS
  • //Source code escrow
Talk to us

Join the infrastructure.

Book a 30-minute call and we'll configure your first policy live. No SDK. No agents. No infrastructure overhaul.