Llama Guard 3

Llama Guard 3 classifies text inputs and outputs across 13+ risk categories (violence, sexual content, criminal planning, etc.) using a fine-tuned transformer-based safety classifier. The model operates as a standalone inference layer that can be deployed upstream (pre-generation) or downstream (post-generation) in LLM pipelines, returning structured risk assessments with category-level confidence scores rather than binary safe/unsafe verdicts.

Llama Guard 3 detects textual prompt injection attacks through classification patterns learned from CyberSecEval v2 benchmark datasets containing adversarial prompts designed to manipulate LLM behavior. The model identifies injection attempts that try to override system instructions, extract sensitive information, or trigger unintended capabilities, returning confidence scores for injection risk separate from other harm categories.

PurpleLlama's core infrastructure includes an LLM abstraction layer that provides unified interfaces for multiple LLM providers (OpenAI, Anthropic, Google, Together, Ollama) and local models. The abstraction handles provider-specific API differences, authentication, rate limiting, caching, and error handling, enabling CyberSecEval benchmarks to run against any LLM without provider-specific code. Supports both API-based and local inference with automatic fallback and retry logic.

PurpleLlama's core infrastructure includes caching and batch processing mechanisms that reduce evaluation time and cost by avoiding redundant LLM API calls. The cache handler stores prompt-response pairs with provider-specific keys, enabling reuse across benchmark runs. Batch processing groups multiple prompts into single API calls where supported, reducing API overhead and improving throughput for large-scale evaluations.

Llama Guard 3 supports multiple quantization formats (int8, int4, GPTQ) enabling deployment on edge devices, mobile platforms, and cost-constrained cloud instances with 50-75% memory reduction. The quantized models maintain classification accuracy within 1-2% of full precision while reducing inference latency by 30-40%, using post-training quantization techniques compatible with vLLM, ONNX Runtime, and TensorRT inference engines.

Llama Guard 3 integrates natively with LlamaFirewall, a security framework that orchestrates safety scanning across multiple stages (input scanning, output scanning, code execution monitoring). LlamaFirewall provides scanner components that wrap Llama Guard 3 classification logic with caching, batching, and policy enforcement, enabling declarative safety policies that trigger actions (block, log, escalate) based on risk thresholds without custom integration code.

PurpleLlama includes CyberSecEval, a comprehensive benchmark suite for evaluating LLM security risks across multiple attack vectors: prompt injection, code interpreter abuse, vulnerability exploitation, spear phishing, and autonomous cyber operations. The framework provides standardized datasets, evaluation metrics, and orchestration code to measure LLM compliance with security frameworks (MITRE ATT&CK) and false refusal rates, enabling comparative security assessment across models and safety interventions.

CyberSecEval v2+ includes specialized benchmarks for prompt injection testing across textual and visual modalities. The framework provides datasets of adversarial prompts designed to override system instructions, extract sensitive information, or trigger unintended capabilities, plus visual prompt injection test cases (images with embedded text instructions). Evaluation measures LLM susceptibility to these attacks and tracks false refusal rates to ensure safety interventions don't over-block legitimate requests.

CyberSecEval v2+ includes benchmarks for evaluating LLM security in code execution contexts, testing whether models can be manipulated to generate malicious code, exploit code interpreter vulnerabilities, or abuse code execution for unauthorized access. The framework measures both the propensity to generate insecure code and the ability to exploit vulnerabilities through code execution, with datasets covering memory corruption, privilege escalation, and data exfiltration scenarios.

CyberSecEval v3 includes benchmarks for evaluating LLM capability to function as autonomous agents in offensive cybersecurity scenarios, testing whether models can plan and execute multi-step cyber attacks, maintain state across attack phases, and adapt to defensive measures. The framework measures LLM ability to perform reconnaissance, exploitation, persistence, and lateral movement tasks, providing metrics for assessing autonomous cyber threat potential.

CyberSecEval v3 includes benchmarks for evaluating LLM capability to generate convincing spear phishing emails and social engineering content. The framework measures LLM ability to craft personalized, contextually appropriate phishing messages, impersonate trusted entities, and exploit psychological vulnerabilities. Evaluation includes metrics for message authenticity, personalization sophistication, and social engineering success probability.

CyberSecEval includes benchmarks that map LLM security evaluation to the MITRE ATT&CK framework, a standardized taxonomy of adversary tactics and techniques. The framework measures LLM compliance with security best practices and false refusal rates (legitimate requests incorrectly blocked by safety systems), enabling nuanced assessment of safety intervention effectiveness. Evaluation produces compliance scores against specific MITRE techniques and tracks over-blocking that degrades user experience.