Prompt Guard

Prompt Guard implements a lightweight transformer-based binary classifier that analyzes input text to detect prompt injection and jailbreak attempts before they reach the target LLM. The model uses a fine-tuned encoder architecture trained on adversarial prompt datasets to distinguish between benign user inputs and malicious injection patterns, operating as a preprocessing filter that can be deployed independently of the underlying LLM provider.

Prompt Guard extends injection detection across multiple languages by leveraging machine-translated versions of adversarial prompt datasets from the CyberSecEval benchmarks. The model processes non-English inputs through the same transformer encoder, enabling detection of injection attempts crafted in languages other than English without requiring separate language-specific models or retraining.

Prompt Guard operates as a component within the broader LlamaFirewall security framework, which orchestrates multiple scanner modules (including Prompt Guard, Llama Guard for output filtering, and CodeShield for code-specific threats) into a coordinated defense pipeline. The architecture allows Prompt Guard to be deployed as the first-stage input filter, with results passed to downstream scanners for comprehensive threat assessment across the full LLM interaction lifecycle.

Prompt Guard's detection capabilities are grounded in and evaluated against the CyberSecEval benchmark suite, which includes MITRE-mapped prompt injection tests, visual prompt injection attacks, and adversarial patterns from multiple attack categories. The model's performance is measured against these standardized benchmarks, providing transparency into which attack types it can detect and which remain out-of-scope, enabling users to understand coverage gaps and make informed deployment decisions.

Prompt Guard is optimized as a lightweight model (~1B parameters) designed for real-time inference in request preprocessing pipelines, with minimal latency overhead added to LLM API calls. The model uses efficient transformer architecture patterns (likely distilled or pruned variants) to enable sub-100ms inference on standard hardware, allowing deployment as a synchronous preprocessing step without requiring asynchronous queuing or significant infrastructure investment.

Prompt Guard outputs logits or confidence scores (in addition to binary classification) that can be thresholded to adjust the precision-recall tradeoff based on application requirements. Users can configure detection sensitivity to prioritize either false-positive reduction (higher threshold, fewer blocks) or false-negative reduction (lower threshold, more blocks), enabling tuning for specific threat models and user experience requirements without retraining.

Prompt Guard includes comprehensive model card documentation (MODEL_CARD.md in repository) that specifies the threat model, training data sources, evaluation methodology, performance metrics, and known limitations. This documentation enables users to understand the model's design assumptions, evaluate its suitability for their use case, and make informed decisions about deployment and complementary safeguards.

Prompt Guard is released as open-source with publicly available model weights and inference code, enabling users to download, inspect, and deploy the model in their own infrastructure without reliance on external APIs or vendor lock-in. The model can be deployed on-premises, in private cloud environments, or at the edge, with full control over data flow and inference infrastructure.

Prompt Guard is evaluated and can be integrated with the Purple Llama LLM abstraction layer, which provides unified interfaces to multiple LLM providers (OpenAI, Anthropic, Google, Together, Ollama). This enables consistent evaluation of prompt injection detection across different LLM backends and facilitates deployment in heterogeneous environments where multiple LLM providers are used.