Logan Kelly

Langfuse Alternative: Open-Source Engineering Loop vs. Runtime Governance

Langfuse Alternative: Open-Source Engineering Loop vs. Runtime Governance

Looking for a Langfuse alternative with runtime enforcement, not just tracing? Waxell enforces policy at runtime while Langfuse observes.

Waxell blog cover: Why production AI teams choose Waxell over AGT

A team picks Langfuse for a reason that has nothing to do with feature checklists: they don't want their trace data locked in someone else's cloud. They self-host it — Docker Compose to start, later Kubernetes — and it works exactly as advertised. Full platform features, no crippled community tier, MIT-licensed, billions of events a month at Fortune 50 companies running the same code. Prompts get versioned, evals run against production traffic, a human annotation queue turns real incidents into golden datasets. It's a genuinely complete AI engineering loop, and they own every part of it.

Then an agent with write access to an internal ticketing system does something it shouldn't — a bad tool call, triggered by a malformed upstream response, issues an update to hundreds of records it had no business touching. Langfuse shows the whole thing: the trace, the tool call, the input that caused it, the output. Every span is there, in the team's own database, exactly as promised. What isn't there is anything that could have stopped the call before it executed. Self-hosting solved the data-control problem. It didn't solve the "should this action have been allowed to happen" problem, because that was never Langfuse's job.

That's the shape of this comparison. It isn't open-source-vs-proprietary, or cheap-vs-expensive. It's engineering loop vs. runtime governance, and Langfuse is unusually good at the first one.

Langfuse is an open-source AI engineering platform — tracing, prompt management, evaluation, a model playground, and experiments, unified into one self-hostable loop with genuinely broad framework and language coverage. Waxell is a runtime governance control plane: it enforces policies before tool calls and outputs execute, controlling what an agent is allowed to do, not just recording what it did. Langfuse answers "how do I build and keep improving this agent?" Waxell answers "is this specific action allowed to happen right now?" Owning your trace data and controlling what your agent can do are two different guarantees. Langfuse gives you the first. Waxell gives you the second.

What is Langfuse built for?

Langfuse is built around the full AI engineering loop, not a single point in it: observability (hierarchical traces capturing every LLM call, tool invocation, and retrieval step), prompt management (versioning with one-click deploy and rollback), evaluation (LLM-as-judge, heuristic scorers, human annotation), a playground for testing prompts against real production inputs, and experiments for comparing configurations side by side. It's explicitly positioned as one connected platform rather than point tools bolted together, and the pieces genuinely do connect — evaluation scores flow back into the same dataset that prompt versioning and experiments draw from.

Framework and language reach is broader than "OSS observability" implies. Native SDKs for Python and TypeScript, OpenTelemetry support for Go, Java, .NET, Ruby, PHP, and Swift, and 100+ pre-built integrations — LangChain, Vercel AI SDK, LiteLLM, CrewAI, Google ADK, LlamaIndex, AutoGen, Pydantic AI, LiveKit, and many others — with an explicit "no framework lock-in" position. For teams whose stack isn't pure Python, or isn't pure anything, that coverage is a real advantage over platforms with a single first-class framework.

Self-hosting is a first-class path, not a stripped tier. Langfuse is MIT-licensed, and self-hosting gets you every platform feature at any scale — no feature gate that only unlocks on the managed cloud. Deployment options include Docker Compose, Kubernetes via Helm, and Terraform modules for AWS, GCP, and Azure. Langfuse's own numbers: 2,300+ customers, 19 of the Fortune 50, 50M+ SDK installs per month, 10+ billion observations processed per month, 100,000+ engineers building on it, 22,000+ GitHub stars, and a claimed 99.9% uptime on the managed cloud.

Compliance posture is more substantial than a typical open-source tool. From the Pro tier ($199/month) up, Langfuse offers SOC 2 Type II and ISO 27001 audit reports plus a HIPAA-ready data region — real third-party attestations, not just a security page.

ClickHouse acquired Langfuse on January 16, 2026, alongside a $400M Series D that took ClickHouse's own valuation to roughly $15B. Per Langfuse's own announcement, there were no licensing or pricing changes, and the full Langfuse team joined ClickHouse to keep building the product — which tracks, since Langfuse's v3 architecture already ran on ClickHouse as its core data layer before the acquisition, for the high-throughput ingestion and fast analytical reads that a system like Postgres struggles with at Langfuse's scale.

Langfuse also ships a Platform MCP Server, a CLI, and an installable Agent Skill (SKILL.md), specifically so coding agents like Claude Code, Cursor, and Codex can manage Langfuse's prompts, traces, and evals through natural language — "made for developers, loved by agents," in Langfuse's own framing. That's Langfuse exposing itself as an MCP server for coding-agent convenience during development, not Langfuse governing the MCP tool calls that a production agent makes.

Where does Langfuse fall short?

Nothing here is a flaw in what Langfuse set out to build — it's the boundary of an AI engineering platform, drawn precisely where runtime governance would need to start.

No runtime policy enforcement. Nothing in Langfuse's product surface claims to intercept a tool call, halt a session at a cost threshold, or filter an output before it leaves the system. Langfuse's evaluation and monitoring tools tell you, with excellent fidelity, what an agent did — including whether it did something wrong. They don't have a mechanism to stop it from doing that thing in the first place.

No tool access control. An agent instrumented with Langfuse and passing every eval you've written can still call any tool it has credentials for in production. There's no scope, no approval gate, no per-tool restriction layer — tracing captures the call after it happens, not a checkpoint before it.

MCP support exists, but it's the same shape as every other observability platform's. Langfuse's Platform MCP Server, CLI, and Agent Skill let your coding agent manage Langfuse's own data — prompts, traces, evals — through natural language during development. It's a genuinely useful developer-experience feature. It is not a mechanism for governing the MCP tool calls that your production agents make against your own systems, and Langfuse doesn't claim it is.

Compliance reports and access controls, not enforcement records. The SOC 2 Type II and ISO 27001 attestations and the HIPAA-ready region are real and worth taking seriously — but they document Langfuse's own security posture and access controls, not evidence that a specific policy was evaluated and enforced before a specific agent action. For a compliance audit that needs the latter, Langfuse's certifications answer a different question than the one being asked.

No rate limiting or cost enforcement at the session level. Langfuse tracks cost and latency in real time and will show you a spike in the dashboard. It doesn't have a mechanism to halt a session that crosses a per-session cost threshold mid-execution — the visibility is there; the brake isn't.

What Waxell adds

Waxell's execution tracing instruments the full agent workflow across any framework — LangChain, CrewAI, LlamaIndex, custom Python — capturing LLM calls, tool invocations, external requests, timing, and cost. That's the observability layer, and it's the part of the story that looks structurally similar to what Langfuse does well.

The difference is what sits on top: runtime governance policies, managed in Waxell's governance plane, evaluate before each tool call and output — not after. A tool access policy blocks a write operation that's out of scope before it runs. A cost policy halts a session before it crosses its threshold, not after the dashboard shows the spike. A content policy intercepts an output containing sensitive data before it leaves the system. For the internal-ticketing scenario above: a tool-scope policy requiring the write operation to match an allowed pattern would have blocked the bad update before it touched a single record — the same trace data Langfuse would have captured, but with an enforcement decision embedded in it instead of just a record of what happened.

Policies live at the infrastructure layer, independent of the agent's own code or reasoning. They can't be bypassed by the agent behaving unexpectedly, and they can be updated without a redeploy — the same operational property that makes Langfuse's prompt versioning useful for iteration also makes Waxell's policy updates useful for governance: change the rule centrally, and it applies everywhere immediately.

Feature comparison

Capability

Waxell

Langfuse

Observability



Trace collection

✅ Yes (3-line SDK)

✅ Yes (native SDKs + OTel, 100+ integrations)

Cost & latency dashboards

✅ Yes

✅ Yes

Session/user tracking

✅ Yes

✅ Yes

Engineering Loop



Prompt management (versioning, rollback)

✅ Yes (core strength)

Built-in evaluation (LLM-as-judge, heuristic)

⚠️ Manual

✅ Yes (built-in)

Human annotation queues

✅ Yes

Playground / experiments

✅ Yes

Governance & Runtime Control



Runtime policy enforcement

✅ Yes (core capability)

❌ No

Tool access control

✅ Yes

❌ No

Output filtering / guardrails

✅ Yes

❌ No

Rate limiting / session cost enforcement

✅ Yes

❌ No

Compliance enforcement record

✅ Yes

⚠️ SOC 2 Type II + ISO 27001 reports, HIPAA-ready region — certification, not an enforcement record

Human-in-the-loop approval gates

✅ Yes

❌ No

Framework & Stack



Framework/language breadth

✅ Yes (framework-agnostic by design)

✅ Yes (100+ integrations, OTel-native, "no lock-in")

MCP support

✅ Yes (governs agent MCP tool calls)

⚠️ Platform MCP Server exposes Langfuse's own data to coding agents — not governance

Deployment



Cloud SaaS

✅ Yes

✅ Yes

Self-hosted, fully featured

✅ Yes

✅ Yes (MIT-licensed, free at any scale)

Pricing



Free tier

✅ Yes

✅ Yes (Hobby: 50k units/mo, 30-day retention, 2 users)

Entry paid tier

Flexible

$29/mo (Core: 100k units, 90-day retention, unlimited users)

Compliance-tier pricing

Included in governance

$199/mo (Pro: SOC 2, ISO 27001, HIPAA-ready region)

Two guarantees, not one comparison axis

The cleanest way to think about Langfuse and Waxell is as two different guarantees a production agent needs, not two competing answers to the same question.

Scenario: An agent's tool call writes to records it shouldn't have access to.

  • Langfuse: The trace captures exactly what happened — the call, the input, the output, in your own self-hosted database if you want it there. You find out after the write completed.

  • Waxell: A tool-scope policy evaluates the call against what that agent is allowed to touch. If it's out of scope, the call is blocked before it executes. The write never happens.

Scenario: You need to prove, to an internal reviewer or an external auditor, that your agents operated within defined data-handling constraints.

  • Langfuse: You can show SOC 2 Type II and ISO 27001 reports covering Langfuse's own security posture, plus complete trace history if you're on a long-retention plan. That documents what Langfuse itself does to protect your data, and what your agents did.

  • Waxell: The execution trace includes policy evaluation records alongside every tool call — which policy applied, what condition was checked, what the outcome was. That documents that a specific control was enforced before a specific action, not just that the platform storing the record is itself secure.

Scenario: You're self-hosting for data control, and want the same control over agent behavior.

  • Langfuse: Self-hosting is genuinely full-featured — every platform capability, no gate, MIT-licensed. But self-hosting the observability layer doesn't add an enforcement layer; it just means you own the servers recording what happened.

  • Waxell: Self-hosted deployment extends the same governance guarantee — policies still evaluate and block before execution, on infrastructure you control end to end.

When to use Langfuse

  • Your team values open-source and self-hosting as a real operational requirement, not a checkbox — Langfuse's self-host path is fully-featured and free at any scale, not a limited community tier.

  • Prompt management, evaluation, and human annotation as one connected loop is core to how you iterate, not something you'll bolt on separately.

  • Your stack spans multiple languages and frameworks, and you want native or OpenTelemetry-based coverage without picking a single first-class integration.

  • You want third-party audit attestations (SOC 2 Type II, ISO 27001) and a HIPAA-ready hosting region at a mid-tier price point, without runtime enforcement being a requirement yet.

When to use Waxell

  • You need runtime enforcement — blocking a tool call, halting a session on cost, requiring human approval — which Langfuse doesn't provide at any tier, self-hosted or managed.

  • You need governance over MCP tool calls specifically: scoping, rate-limiting, or blocking them before they execute, not tracing them or running an MCP server that manages your observability platform itself.

  • You need a compliance package that documents policy enforcement — evidence that a control fired before an action, not audit reports about the platform that recorded the action afterward.

  • You want the observability guarantees Langfuse provides — self-hostable, framework-agnostic tracing — paired with an enforcement layer above the agent, rather than choosing between the two.

How Waxell handles this: Waxell's governance plane operates above agent code, independent of the agent's own logic — evaluated before each tool call and output, the same way Langfuse's prompt versioning operates independent of any single deployment. Governance policies enforce tool access scope, cost limits, output filters, and approval gates at runtime. Execution tracing captures the full session record — including policy evaluations and enforcement actions — producing an audit trail that documents both what the agent did and what the governance layer allowed or blocked. Framework-agnostic and self-hostable, the same three-line integration works across LangChain, CrewAI, and custom Python agents.

Already self-hosting Langfuse for the engineering loop and want the same control over what your agents are allowed to do at runtime? Get started with Waxell.

Frequently Asked Questions

Is Waxell a Langfuse alternative?

Partially. For observability — tracing, cost tracking, session monitoring — Waxell covers similar ground across any framework, self-hosted or cloud. For Langfuse's engineering-loop strengths — prompt versioning with rollback, built-in LLM-as-judge and heuristic evaluation, human annotation queues, a playground for testing prompts against production data — Waxell doesn't replicate those features and isn't trying to. The core difference is governance: Waxell adds runtime policy enforcement, tool access control, and enforcement records that Langfuse's product doesn't offer at any tier. Teams that need governance need Waxell; teams whose priority is the engineering loop and open-source self-hosting may find Langfuse sufficient on its own.

Can I use Waxell and Langfuse together?

Yes, and it's a natural pairing precisely because the two platforms don't overlap much. Langfuse handles prompt iteration, evaluation, and the development loop — including fully self-hosted if that's a requirement. Waxell handles runtime governance in production — policy enforcement before tool calls and outputs execute. Running both means you get Langfuse's engineering workflow during development and Waxell's enforcement layer once agents are live.

Does Langfuse support MCP (Model Context Protocol)?

Langfuse ships a Platform MCP Server along with a CLI and an installable Agent Skill, but they're built for coding agents like Claude Code, Cursor, and Codex to manage Langfuse's own data — prompts, traces, evaluations — through natural language during development. That's not the same claim as governing the MCP tool calls a production agent makes against its own tools and data sources. Waxell's MCP support is the latter: every MCP tool call an agent makes is evaluated against policy before it reaches the model or the downstream server.

Is self-hosted Langfuse really free, with no feature limitations?

Yes — Langfuse is MIT-licensed, and self-hosting includes every platform feature at any scale, with no separate "community edition" that's missing capabilities the cloud version has. Deployment options include Docker Compose, Kubernetes via Helm, and Terraform modules for AWS, GCP, and Azure. What self-hosting doesn't add is a runtime enforcement layer — it changes who owns the observability data, not whether an agent action can be blocked before it executes.

What does Langfuse's compliance posture actually cover?

From the Pro tier ($199/month) up, Langfuse offers SOC 2 Type II and ISO 27001 third-party audit reports and a HIPAA-ready data region — genuine attestations about Langfuse's own security practices as a vendor. What this doesn't provide is a record that a specific governance policy was evaluated and enforced before a specific agent action, which is a different kind of evidence than a platform-security certification. Teams that need to demonstrate runtime enforcement to an auditor — not just vendor security posture — need a governance layer like Waxell's policy evaluation records in addition to, or instead of, Langfuse's compliance tier.

Sources

Waxell

Waxell provides observability and governance for AI agents in production. Bring your own framework.

© 2026 Waxell. All rights reserved.

Patent Pending.

Waxell

Waxell provides observability and governance for AI agents in production. Bring your own framework.

© 2026 Waxell. All rights reserved.

Patent Pending.

Waxell

Waxell provides observability and governance for AI agents in production. Bring your own framework.

© 2026 Waxell. All rights reserved.

Patent Pending.