ML6's independent benchmark of four out-of-the-box AI guardrail providers gives teams a useful result: on 80,000 Dutch-language prompts, Cisco AI Defense led that cohort. Cisco followed on July 17 with its own evidence about multilingual conversations, multi-turn intent classification, and runtime latency.
The production decision is narrower than choosing the name at the top of either result. Before a guardrail enters the live path of a customer or employee assistant, the organization needs evidence that it catches the relevant attacks in the languages and conversations people actually use, without blocking too much legitimate work or adding unacceptable delay. This article explains how to produce that evidence with one representative replay.
ML6 measured a Dutch security workload, not universal leadership
A few terms make the benchmark readable. Precision is the share of prompts flagged as harmful that were actually harmful. Recall is the share of all harmful prompts that the guardrail caught. F1 is the harmonic mean of precision and recall, a single score that falls when either measure is weak; it is useful for comparing their balance, though it does not say whether that balance fits a particular business.
False-positive rate, or FPR, answers a different question: among benign examples, what fraction did the guardrail incorrectly flag? This rate has to stay attached to its test definition and threshold. The number of false alarms, and the share of all production traffic that gets blocked, also depend on benign traffic volume, attack prevalence, and the chosen operating threshold.
ML6 published its benchmark on June 22 and updated it on June 24. Its dataset contained about 80,000 Dutch prompts with a 63/37 benign-to-harmful split. The test emphasized prompt injection and policy-bypass attempts, with a smaller set of safety and ambiguous-interaction cases, and used default or near-default configurations for AWS, Azure, Cisco, and Google guardrails.
Cisco recorded precision of 0.847 and recall of 0.843, producing the cohort's highest F1 at 0.845. Its FPR was 8.9% in that test. Google recorded slightly higher recall at 0.846, along with a higher FPR of 15.5%, which shows why a single detection measure cannot settle the choice. ML6 did not claim a universal winner; it concluded that organizations should benchmark guardrails in the languages and domains where they plan to deploy them.
Cisco adds multilingual and runtime evidence, with first-party limits
Cisco's July 17 post describes AI Defense as a control outside the model that validates production inputs and outputs. Cisco says the product classifies the conversation's intent and active direction, so the decision can use the exchange rather than only the surface wording of one message.
Cisco also reports a separate evaluation derived from augmented LMSYS Chat-1M and WildChat conversational data. It covered nine languages, with roughly 5,800 to 5,900 conversations per language and an adversarial subset of about 14%. Cisco reports F1 values ranging from 0.796 in Arabic to 0.860 in Portuguese, with FPR values from 2.3% to 5.8% under that evaluation's labels and thresholds.
This evidence broadens the language and conversation coverage, but Cisco generated the ground-truth labels using its own security and safety taxonomy and reported the results itself. Cisco explicitly says its multilingual dataset is separate from ML6's Dutch-specific benchmark and that the results are not directly comparable. The figures do not establish leadership in every language, business domain, attack class, or deployment.

Cisco's latency figures require the same boundary. A percentile describes the distribution rather than an average: p90 is the time at or below which 90% of measured requests completed, while p99 is the equivalent boundary for 99% of requests. Cisco reports p90 latency of 40 milliseconds and p99 of 250 milliseconds per request. Those are first-party product claims, not independent measurements or guarantees for another region, traffic pattern, configuration, or full application path.
The public sources also leave practical questions open. They do not establish pricing, total cost, integration effort, independently measured latency, or results on a reader's traffic. They support a credible candidate for local testing, not a blanket production approval.
Language and conversation length change what the guardrail sees
Language changes more than vocabulary. Ordinary words can resemble blocked terms in another language, domain phrases can carry meanings absent from general training data, and frustrated customers may use emphatic language without hostile intent. A multilingual average can hide a weak required language, so results should be reported separately for every language that matters to the service.
Conversation length changes the classification target. An isolated turn may look harmless while several turns gradually redirect the assistant, probe a refusal, or assemble instructions that become unsafe only in combination. The opposite also happens: a suspicious sentence can be legitimate when earlier turns establish an approved task and later output stays within policy.
For a multi-turn assistant, test cases therefore need complete ordered threads, including assistant responses and tool-relevant context where the guardrail is expected to inspect them. Record turn depth and the turn on which a correct block should occur. A test made only of detached prompts cannot show whether the system understands accumulating intent, blocks too early, or misses an attack that develops across the exchange.
One representative replay can expose the production tradeoff
Start with a sanitized sample of recent conversations from the intended workflow. Preserve the language, turn order, message lengths, common misspellings, and domain terms, while removing or replacing personal data, credentials, customer secrets, and anything else the test does not need. Include ordinary traffic as well as known attacks, because benign work is where false positives become an operating cost.
Have qualified reviewers label each full thread against the policy the guardrail is meant to enforce. The label should identify whether the case is benign or harmful, the relevant attack or policy category, and the first turn where intervention is justified. Resolve disagreements before scoring; otherwise the evaluation mixes guardrail error with an unclear policy.
Run the provider's default configuration first, then any proposed production threshold against a separate validation portion. Keep a holdout set untouched until the configuration is fixed. This is the same discipline needed in a fair AI model bake-off: the evaluation setup should not absorb the quirks of the cases used to tune it.
Report precision, recall, F1, and FPR by language, domain, attack class, and turn-depth band, along with the raw false-positive and false-negative counts. Review the misses rather than stopping at the aggregate. A strong overall F1 can still conceal a guardrail that blocks legitimate billing disputes in Dutch or misses gradual prompt injection in long support threads.
Measure added latency on the full path at realistic concurrency. Capture p90 and p99 for input checks, output checks, and the end-to-end assistant response, then test timeout and guardrail-unavailable behavior. The security decision is incomplete if the integration silently bypasses the guardrail under load or leaves users waiting beyond the service's response-time budget.
Finally, translate errors into operating consequences. False positives may block customers, create appeals, or send routine employee work into review. False negatives may expose data or allow unsafe tool use, which is why guardrails still belong beside scoped permissions, action validation, and the access controls covered in an AI workflow security review. If threshold changes are needed, the queue effects should be evaluated explicitly rather than optimized around F1 alone; the threshold-tuning guide explains that tradeoff.
Production requires every critical slice to pass
Put the guardrail in a narrowly scoped live path only if every required language, domain, attack class, and turn-depth slice clears predeclared recall and false-positive limits, while p99 added latency and failure behavior stay within the workflow's operating budget. If any required slice fails, keep that traffic out of the automated path, revise the configuration or permissions, and replay the same holdout test before reconsidering production.
BaristaLabs can help a team test one guardrail on representative, sanitized conversations before it reaches live customer or employee traffic. The useful scope is one assistant, its required languages, its real turn patterns, and a written tolerance for misses, false alarms, and added delay.
Sources
- Cisco, "Cisco AI Defense: Built for the Way AI Is Actually Used", July 17, 2026.
- ML6, "Inside AI Guardrails: a benchmark on enterprise LLM security", published June 22 and updated June 24, 2026.
Production guardrail evaluation
Test one guardrail on the conversations your assistant actually handles
BaristaLabs helps teams replay representative, sanitized conversations across required languages and turn depths, then measure detection, false positives, and added latency against a written production bar.
Best fit when a guardrail is being considered for the live path of a customer or employee assistant.
Practical AI Workflow Notes
Want more practical AI operations ideas?
Get short notes on applying AI inside real small-business workflows — from document handling and customer follow-up to internal reporting, compliance, and automation guardrails.
Turn this idea into a pilot
Which workflow should go first?
Use the readiness check to compare impact, effort, risk, owner, and next step before booking a call.
- 3-5 minutes
- Deterministic score
- No sensitive data
