Comparison · July 2026

Cloudflare AI Gateway alternatives: the 2026 comparison

Six credible options compared by security depth, self-host, data residency and pricing — including when AI Gateway is exactly what you need.

Yohann Sidot·July 2026·Facts verified July 15, 2026

The short answer

Cloudflare AI Gateway is an operations gateway, not a security firewall. Its core features — analytics, caching, rate limiting, model fallback — are free and genuinely good. But its Guardrails feature is content moderation (Llama Guard), prompt-injection detection is a separate Enterprise WAF add-on, there is no self-hosting, and AI Gateway is listed as not compatible with Cloudflare's Regional Services. If you hit one of those walls, the alternatives are Senthex (EU-hosted security proxy with a verifiable audit trail), Lakera Guard (enterprise detection, Check Point), NeuralTrust (European open-source gateway), LLM Guard (open source, archived in 2026) or HiddenLayer (AI supply-chain platform). This page compares all six.

$0
AI Gateway core features
analytics, caching, rate limiting — free
Enterprise
plan needed for injection detection
separate WAF add-on, paid
Not compatible
with Regional Services
per Cloudflare's data-localization table

Why teams outgrow Cloudflare AI Gateway

Let's start by being fair: for what it is designed to do, AI Gateway is excellent. One URL change puts your LLM traffic on Cloudflare's edge, and you get usage analytics, caching, rate limiting, retries and fallback across providers — with the core features free on any account. If your problem is "we have no visibility into our LLM spend and no protection against a runaway loop", AI Gateway solves it in an afternoon.

The teams searching for alternatives have usually hit one of three structural walls. Security depth: AI Gateway's Guardrails feature evaluates prompts and responses for harmful-content categories using Llama Guard 3 8B — that is content moderation, not attack defense. Prompt-injection detection exists at Cloudflare, but in a different product: the AI security module of the WAF ("AI Security for Apps", formerly Firewall for AI), a paid add-on gated to Enterprise plans. Deployment: AI Gateway is managed-only; there is no self-hosted version of it to run inside your perimeter. Residency: Cloudflare's own Data Localization Suite compatibility table lists AI Gateway as not compatible with Regional Services — so you cannot pin its processing to the EU the way you can for some other Cloudflare products.

One more distinction worth naming, because the product names invite confusion: Cloudflare's "AI prompt protection" (August 2025) is a Cloudflare One / DLP feature that watches what your employees paste into ChatGPT or Claude. It does not protect your application's LLM endpoints. And note that "alternative" here often really means "complement" — several of the options below sit happily behind or beside AI Gateway.

The six options at a glance

OptionType & deploymentSelf-hostData residencyPricingBest for
Cloudflare AI GatewayManaged LLM gateway on Cloudflare’s network — analytics, caching, rate limiting, fallback [1]NoCloudflare network; listed not compatible with Regional Services [6]Core features free; prompt-injection detection is a separate Enterprise WAF add-on [2],[5]Teams on Cloudflare whose need is operational: observability, cache, cost control
SenthexRuntime LLM proxy (firewall) + verifiable, tamper-evident audit trail (pilot capability, v1.1.7)Yes (incl. Azure)EU-hosted (Hetzner Falkenstein, Germany) or your infrastructurePublic pricing with a free tier — see pricingTeams needing security + EU residency + EU AI Act record-keeping (Articles 12 & 19)
Lakera Guard (Check Point)Runtime GenAI security — SaaS or self-hosted (Kubernetes/Helm, Docker, air-gapped) [8],[9]Yes — Enterprise licence [9]Via self-host; SaaS regions not publicly documentedFree tier; paid plans on quoteEnterprises wanting detection depth from the category leader [8]
NeuralTrustEuropean AI gateway + security platform; TrustGate gateway is open source (Apache-2.0, Go) [10],[11]Yes — TrustGate: Docker, Kubernetes or single binary [10]Self-host, or managed by an EU company (Barcelona & London) [11]TrustGate free (open source); platform on requestTeams wanting gateway features AND self-host — the closest self-hostable analogue
LLM Guard (Protect AI / Palo Alto Networks)Open-source Python library, 15 input / 20 output scanners [12]Yes — that is the modelYour infrastructure; nothing leavesFree (MIT)In-code scanning — but the repo was archived July 9, 2026 and is no longer maintained [12]
HiddenLayerBroad AI-security platform: model scanning, red teaming, runtime detection (AIDR) [13]Not publicly documentedNot publicly documentedSales-led, no public pricing; AWS/Azure/GCP marketplaces [13]Enterprises whose risk is the model supply chain, not gateway traffic

Facts verified against the sources listed at the bottom of this page on July 15, 2026. “Not publicly documented” means exactly that — we did not find an official public statement, so we do not guess.

When to choose which

When Cloudflare AI Gateway is exactly right

Honest answer: if your need is operational, keep it — or adopt it. Usage analytics across providers, caching that actually cuts your bill, rate limiting that stops a retry storm, fallback when a provider degrades: AI Gateway does all of this well, at the edge, for free at its core. None of the security-focused options on this page replicates that ops feature set. The mistake is not using AI Gateway; the mistake is believing it is a security layer. Its own docs are clear on the split: Guardrails handles harmful-content moderation via Llama Guard, and injection detection is sold separately, in the Enterprise WAF add-on. If you are on an Enterprise plan already and your residency requirements allow it, that combination may be all you need.

When Senthex fits — and when it doesn't

Disclosure: Senthex is us — judge this section accordingly, and check the claims against the linked pages.

Senthex is the mirror image of AI Gateway: security-first where AI Gateway is ops-first. It is also a one-line integration — a proxy in front of OpenAI, Anthropic, Mistral or Gemini via a base-URL swap — but what sits behind that line is a firewall (prompt-injection detection, PII redaction, leak detection) plus the part AI Gateway does not attempt: a verifiable, tamper-evident audit trail. In the v1.1.7 pilot, every record is chained with SHA-256 and anchored to an RFC 3161 timestamp, so it can be verified offline — try it on a real bundle — which is what EU AI Act record-keeping (Articles 12 & 19) asks you to be able to show. On precisely the three walls above: Senthex is EU-hosted (Hetzner Falkenstein, Germany), self-hostable including on Azure, and raw request/response bodies are excluded from storage by default (data minimisation). And the two are composable: teams keep AI Gateway for caching and spend analytics and route through Senthex for the security and audit layer. Our detection research is published — ATLAS and RELAY — so you can inspect behaviour before buying. Pricing is public, with a free tier.

When Senthex is not the right choice: if your need is purely operational (stay on AI Gateway); if you want gateway load-balancing features as open source (NeuralTrust's TrustGate); if you need enterprise-scale adversarial red-teaming (Lakera/Check Point); or if your risk is model files, not traffic (HiddenLayer). See also what we do and do not claim on EU AI Act compliance.

When Lakera (Check Point) is the better fit

If what pushed you off AI Gateway is detection depth — you want the vendor with the largest published adversarial dataset in the category — Lakera is the reference: Check Point's acquisition announcement cites over 80 million adversarial patterns from the Gandalf game, there is a published benchmark (PINT), and self-hosting is documented down to air-gapped deployments. It has been part of Check Point since late 2025, with the usual consequences: quote-based pricing and a roadmap oriented to the acquirer's platform. We wrote a full page on that decision: Lakera alternatives, compared honestly.

When NeuralTrust is the closest substitute

If you like the gateway model — one entry point, routing, policies — but need what AI Gateway will not give you (self-hosting, open source, an EU vendor), NeuralTrust is the most direct substitute on this page. TrustGate is an open-source AI gateway (Apache-2.0, written in Go) deployable as Docker, Kubernetes or a single binary, and the commercial platform adds runtime protection and red teaming (TrustTest). The company (Barcelona and London) raised a $20M seed in June 2026 and is independent as of this writing. Counterpoints: platform pricing is on request, and the open-source community is still young. Full comparison: NeuralTrust alternatives.

LLM Guard — read the date before choosing it

LLM Guard takes the opposite architectural stance to a gateway: an MIT-licensed Python library you embed in your own code, with 15 input and 20 output scanners. It used to be the default answer to "AI Gateway doesn't do security scanning — what do I bolt on?". It no longer is: the repository was archived on July 9, 2026, following Palo Alto Networks' acquisition of Protect AI, and its README says the project and models are no longer maintained. Use it today only if you are prepared to fork and maintain it. If you were considering LLM Guard, we compared the live options: LLM Guard alternatives.

When HiddenLayer is the better tool

If the reason AI Gateway feels insufficient is not the traffic layer at all — it is that you are shipping third-party model files, fine-tunes and registries you cannot vouch for — then no gateway fixes that, and HiddenLayer's MLSecOps platform (model scanning, AI asset discovery, attack simulation, plus AIDR runtime detection) is aimed at exactly that problem. Pricing is sales-led with no public numbers and the deployment model is not publicly documented, so budget a procurement cycle.

How this comparison was made

All competitor facts on this page are public, and were verified against the official documentation listed below on July 15, 2026 — including Cloudflare's own docs for the free core features, the Guardrails/Llama Guard design, the Enterprise gating of the WAF AI add-on, and the Data Localization Suite compatibility table. Where something is not publicly documented, we say so instead of guessing. Senthex is one of the six vendors compared, which is a bias you should factor in; if you find an error, tell us and we will correct it.

Frequently asked questions

Does Cloudflare AI Gateway detect prompt injection?

Not within AI Gateway itself. Its Guardrails feature is content moderation — it evaluates prompts and responses for harmful-content categories using Llama Guard 3 8B. Prompt-injection detection at Cloudflare lives in a separate product: the AI security module of the WAF ("AI Security for Apps", formerly Firewall for AI), which is a paid add-on available on Enterprise plans.

Can you self-host Cloudflare AI Gateway?

No. AI Gateway is a managed service on Cloudflare's network; there is no self-hosted version. If self-hosting a gateway is a requirement, the self-hostable options in this comparison are NeuralTrust's TrustGate (open source), Senthex, Lakera Guard (Enterprise licence) and — as an embedded library — the archived LLM Guard.

Does Cloudflare AI Gateway guarantee EU data residency?

No. Cloudflare's Data Localization Suite compatibility table lists AI Gateway as not compatible with Regional Services, so its processing cannot be pinned to the EU the way some other Cloudflare products can. If EU residency is a hard requirement, look at EU-hosted or self-hosted options (Senthex, NeuralTrust, or Lakera self-host).

Can I combine AI Gateway with an LLM firewall?

Yes, and it is often the right architecture: both integrate via a base-URL change, so they can be chained — AI Gateway for caching, analytics and fallback; a security proxy such as Senthex (or a detection API such as Lakera) for injection defense, PII redaction and audit logging. "Alternative" and "complement" overlap heavily on this page.

Is Cloudflare's "AI prompt protection" the same thing as securing my LLM app?

No. AI prompt protection, launched in August 2025, is part of Cloudflare One (Zero Trust / DLP): it monitors what your employees type into public AI tools like ChatGPT, Claude or Gemini. It does not inspect or protect the LLM API traffic of applications you build.

Trying Senthex costs nothing

If the security-first, EU-hosted option fits your shortlist — alongside or instead of AI Gateway: the free tier needs one base-URL swap, and you can verify the audit trail yourself before talking to anyone.

Sources

  1. Cloudflare — AI Gateway docs
  2. Cloudflare — AI Gateway pricing (core features free)
  3. Cloudflare — Guardrails in AI Gateway (docs; uses Llama Guard 3 8B)
  4. Cloudflare — Guardrails in AI Gateway (launch post)
  5. Cloudflare — AI Security for Apps, formerly Firewall for AI (WAF docs, Enterprise add-on)
  6. Cloudflare — Data Localization Suite product compatibility (AI Gateway: not compatible with Regional Services)
  7. Cloudflare — AI prompt protection in Cloudflare One (Aug 2025; employee-facing DLP, not app-endpoint defense)
  8. Check Point — press release, acquisition of Lakera (Sept 16, 2025)
  9. Lakera docs — self-hosting (Kubernetes/Helm, Docker, air-gapped)
  10. NeuralTrust — TrustGate (GitHub, Apache-2.0)
  11. NeuralTrust — $20M / €17.2M seed announcement (June 2026)
  12. LLM Guard — GitHub repository (MIT, archived July 9, 2026)
  13. HiddenLayer — AISec Platform