Skip to content
in/guard/out
in/guard/out

Injection defense

Untrusted text should never steer your model

Prompt injection is not a prompt-engineering problem – it is an input-trust problem. Any text your model reads can carry instructions aimed at it: a user message, a web page, a support ticket, a tool result. For agents the stakes are higher, because a hijacked model holds tools.

The proxy scans inputs at the boundary. A zero-cost deterministic layer catches the classic patterns – ignore-your-instructions, DAN-style jailbreaks, developer-mode, system-prompt extraction. A dedicated classifier (Prompt Guard 2) adds model-based recall on top. And because agent loops feed tool results back into context, those results are scanned too, before they can steer the next iteration.

A canary seeded into the system prompt closes the loop: if the model ever echoes it back, your instructions leaked, and the response is flagged or redacted. In PREVENT mode injections are blocked with a 422; in FIX mode they are flagged and recorded, so you can observe before you enforce.

§01 Defense in layers

Deterministic pattern check

Regex-class detection of instruction-override, jailbreak personas, developer-mode and prompt-extraction attempts on the input – zero model cost.

Prompt Guard 2

A dedicated injection classifier scores the input for higher recall than patterns alone. Opt-in, metered like every guard call.

Tool-result scanning

Agent tool results – order notes, web pages, emails – are untrusted input. They are injection-scanned before re-entering the model’s context on the next loop iteration.

Canary leak detection

A unique marker is seeded into the system prompt; if it appears in output, the instructions leaked and the response is flagged or the marker redacted.

§02 Frequently asked questions

Can prompt injection be fully prevented?

No single layer can – which is why the proxy stacks deterministic patterns, a dedicated classifier, tool-result scanning, and canary leak detection, and why agent actions are additionally checked by action-level invariants even if an injection gets through.

What about injection hidden in tool results?

Tool results are treated as untrusted input and scanned before they re-enter the model context – the classic path where a poisoned order note or web page hijacks the next loop iteration.

How do I know if my system prompt leaked?

The canary: a unique marker seeded into the system prompt. If the model echoes it back, the leak is detected deterministically and flagged or redacted.

Will it block legitimate messages that mention these topics?

The deterministic patterns are intentionally conservative, the classifier provides a score rather than a keyword match, and FIX mode lets you observe what would be caught before you turn on blocking.

§03 Related guardrails

Watch injection defenses work in real time

Send a crafted attack, hidden jailbreak, or poisoned data through the proxy and see which layers catch it. We are running a limited demo - sign up and we will get you in as soon as we can.