Skip to Content

What does layered prompt-injection defense look like end-to-end?

Category: Security & Compliance

Answer

Layer 1: regex blacklist on known patterns (decode tricks, “ignore previous”). Layer 2: Presidio redacts PII. Layer 3: Lakera scores jailbreak risk. Layer 4: low temperature and constrained decoding at the LLM step. Each layer can fail; redundancy catches the rest.

Concrete examples from the fca project context

Example 1

Regex: “ignore previous” pattern -> reject.

Example 2

Presidio: redact emails/phones before model sees them.

Example 3

Lakera: classifier score < 0.85 -> reject.

Example 4

LLM step: temperature=0, max_tokens=200, JSON-mode constrained output.

Data flow / flow chart

input -> regex -> presidio -> lakera -> low-T constrained LLM
  Each layer reduces attack surface

Takeaway

No single defense catches everything. Layered + low temperature + constrained output is robust.