The one question your security team will ask is “where does our data go?” Shadow AI gives you three answers, and you keep the same dashboard in all of them. Clients point at whichever you choose with a single setting (base_url).
| Mode | Where scanning happens | Where you review it | Your prompts leave your network? |
| --- | --- | --- | --- |
| Cloud (default) | PromptGuard cloud | promptguard.co | Yes — to our cloud engine |
| Hybrid | your servers | promptguard.co | No — only verdicts/metadata (configurable) |
| Air-gapped | your servers | a local copy of the dashboard | Never — no outbound at all |
Cloud is the fastest way to start. Most security-conscious buyers run hybrid: scanning stays on their infrastructure, but they still get one clean cloud dashboard. Pick air-gapped only if you truly can’t allow outbound traffic.

Hybrid — scan on your servers, review in the cloud

Run the engine on your own infrastructure and let only the results flow to the cloud dashboard. On the engine, set:
DEPLOYMENT_MODE=data_plane
CONTROL_PLANE_URL=https://api.promptguard.co
INSTANCE_TOKEN=<your per-instance token>
FORWARD_MODE=content      # or "metadata" — send only counts/decision/threat, never prompt text
Each scanned event is recorded locally first, then reliably forwarded to the cloud (ordered, retried automatically if the link drops — nothing is lost during an outage). Policies you author in the cloud are pulled down automatically. Each engine authenticates with its own token and can only write events for your organization.
Set FORWARD_MODE=metadata to keep per-request visibility and billing in the cloud dashboard while guaranteeing no prompt content ever leaves your network — only the verdict, threat type, and counts do.

Air-gapped — fully offline

The engine and a local copy of the dashboard run entirely inside your network with no outbound connection. You move data in and out deliberately, as tamper-evident signed files on physical media:
# On the offline engine — export recent events:
python scripts/airgap_export.py events --days 7 > events.bundle.json

# On a connected machine — import them (signature + tenant are verified):
curl -X POST "$CLOUD/internal/v1/events/import" \
  -H "X-Instance-Token: $TOKEN" -d @events.bundle.json
In air-gapped mode your dashboard is the local instance — not promptguard.co. Combining data across sites is done with these signed bundles, not a live link. A tampered bundle is rejected.
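As an added illustration (not PromptGuard's own code), this is what "signature + tenant are verified" and "a tampered bundle is rejected" can look like on the import side. The page does not document the bundle layout or the signature scheme, so the field names (`tenant`, `events`, `sig`), HMAC-SHA256 over canonical JSON, and the per-tenant key table are all assumptions.

```python
import hashlib
import hmac
import json

# Assumed layout (hypothetical): {"tenant": str, "events": list, "sig": hex HMAC}
KEYS = {"acme": b"constructed-demo-key"}  # constructed; real keys belong in a secret store

def canonical(body: dict) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_bundle(tenant: str, events: list, key: bytes) -> dict:
    # Export side: the tenant is inside the signed body, so it cannot be swapped later.
    body = {"tenant": tenant, "events": events}
    return {**body, "sig": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}

def verify_bundle(raw: str, token_tenant: str, keys: dict) -> list:
    # Import side: return the events only if every check passes (fail closed).
    try:
        bundle = json.loads(raw)
        body = {"tenant": bundle["tenant"], "events": bundle["events"]}
        sig = str(bundle["sig"])
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed bundle") from exc
    # The bundle must belong to the tenant the caller's instance token maps to.
    if body["tenant"] != token_tenant or token_tenant not in keys:
        raise PermissionError("bundle tenant does not match instance token")
    expected = hmac.new(keys[token_tenant], canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        raise ValueError("signature mismatch, bundle rejected")
    return body["events"]

# Constructed sample bundle, as the offline export step might emit it.
GOOD = json.dumps(sign_bundle("acme", [{"decision": "block", "threat": "pii"}], KEYS["acme"]))

if __name__ == "__main__":
    print(verify_bundle(GOOD, "acme", KEYS))
    try:
        verify_bundle(GOOD.replace('"block"', '"allow"'), "acme", KEYS)
    except ValueError as err:
        print("rejected:", err)
```

Because the tenant sits inside the signed body and the key is chosen from the token's tenant, a bundle exported by one organization cannot be imported under another's token, even if its signature is otherwise valid.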

Which one is right for you

Cloud

Fastest to deploy, full real-time dashboard. Great for getting started.

Hybrid

Scanning on your infra, one cloud dashboard. The common choice for security-sensitive teams.

Air-gapped

No outbound at all — local dashboard, signed bundles. For regulated or isolated environments.