DEV.co
AI Frameworks · protectai

llm-guard

LLM Guard is an open-source Python toolkit that provides input and output scanning for large language models to detect and prevent security issues like prompt injection, data leakage, and harmful content. It offers 15 prompt scanners and 20 output scanners that can be deployed as middleware or API in production LLM applications.

Source: GitHub — github.com/protectai/llm-guard
3.2k
GitHub stars
416
Forks
Python
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryprotectai/llm-guard
Ownerprotectai
Primary languagePython
LicenseMIT — OSI-approved
Stars3.2k
Forks416
Open issues37
Latest releaseUnknown
Last updated2025-12-15
Sourcehttps://github.com/protectai/llm-guard

What llm-guard is

LLM Guard is a modular Python package (3.9+) exposing composable scanner classes for sanitization, adversarial input detection, and output validation in LLM pipelines. Scanners include ML-based detectors (toxicity, bias, gibberish), pattern-based filters (secrets, code, substrings), and semantic checks (prompt injection, factual consistency), with pluggable model backends and API deployment support.

Quickstart

Get the llm-guard source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/protectai/llm-guard.gitcd llm-guard# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Production chatbot security

Protect customer-facing LLM applications (ChatGPT integrations, internal copilots) from prompt injection, jailbreak attempts, and unintended data exposure by chaining input/output scanners before and after LLM calls.

Content moderation and compliance

Enforce organizational content policies by blocking toxic, biased, or topic-sensitive outputs, and anonymizing/deanonymizing PII in prompts and responses to meet regulatory requirements.

LLMOps pipeline hardening

Integrate as middleware in MLOps workflows to audit model behavior, detect drift in harmful outputs, prevent code injection in code-generation models, and detect gibberish or low-quality responses before delivery.

Implementation considerations

  • Model dependencies: base functionality requires minimal deps, but advanced scanners auto-install transformers, nltk, and other ML libraries; plan for ~500MB+ disk and model cache overhead.
  • Latency profiling: test scanner chains on your LLM response times and throughput targets; ML-based scanners (sentiment, toxicity, bias) may add 500ms–2s per call depending on model and hardware.
  • Configuration and tuning: each scanner exposes threshold, model, and behavior parameters; start with defaults, then tune false positive/negative rates against your use case and data.
  • Error handling: decide on policy if scanner fails (timeout, model unavailable, invalid input): reject, warn, or pass-through; implement monitoring and fallback logic.
  • Cost of external models: downloading and caching HuggingFace models on each scanner init can be slow; consider initializing once and sharing across requests in production.

When to avoid it — and what to weigh

  • Need guaranteed security hardening — LLM Guard is a detection and filtering layer, not a cryptographic guarantee. Determined attackers may craft inputs that evade ML-based scanners; use as defense-in-depth, not sole protection.
  • Require commercial SLA and support contract — Project is open-source community-driven. While Protect AI offers email support, there is no published SLA, guaranteed response time, or commercial support tier in the data provided.
  • Need real-time, sub-millisecond latency — Scanners invoke external models (transformers, sentiment analyzers) and APIs; latency depends on model size and inference hardware. Not suitable for extremely latency-critical applications without profiling and optimization.
  • Cannot depend on external model downloads — Some scanners require downloading ML models at runtime (e.g., toxicity, bias detectors); requires internet access during first run and disk space. Offline or air-gapped deployments need pre-caching.

License & commercial use

Licensed under MIT (MIT License), a permissive OSI-approved license permitting commercial use, modification, and distribution with minimal restrictions (retain copyright notice and license).

MIT license permits commercial use without explicit restrictions. However, the project is open-source and community-maintained; commercial deployment responsibility rests with the integrator (security testing, validation, monitoring). Protect AI offers optional email-based community support but no published commercial SLA. Verify compliance with your security and support policies before production deployment.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

LLM Guard is a detection and mitigation toolkit, not a security guarantee. Scanner effectiveness varies: pattern-based scanners (regex, substrings) are deterministic; ML-based scanners (toxicity, prompt injection, gibberish) have false positive/negative rates dependent on training data and model. Adversarial inputs may evade ML detectors. Use as part of defense-in-depth (e.g., input validation, rate limiting, output sampling, human review). Audit and test scanners against your threat model. No published security audit or CVE history in data; review responsibly.

Alternatives to consider

Langchain safety/moderation chains

Langchain includes built-in LLM-as-judge and OpenAI moderation integrations; tightly coupled to Langchain pipelines; less granular and configurable than LLM Guard's scanner architecture.

Lakera/Prompt Injection Detection API

Specialized SaaS/API for prompt injection detection; closed-source, commercial model; simpler integration but vendor lock-in and per-request costs; no output scanning.

Self-built scanners using LLMs (e.g., Claude content policy evaluation)

Use a strong LLM as a judge for safety; highly flexible and customizable but higher latency, cost, and complexity; no pre-built modules or pattern matching.

Software development agency

Build on llm-guard with DEV.co software developers

Integrate LLM Guard into your pipeline to prevent prompt injection, data leakage, and harmful outputs. Start with pip install llm-guard and explore the interactive playground.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

llm-guard FAQ

Can I use LLM Guard offline?
Basic scanners (regex, ban substrings, token limit) work offline. ML-based scanners (toxicity, sentiment, bias) require downloading models from HuggingFace on first run and internet access. Pre-cache models for air-gapped deployments.
What latency should I expect?
Pattern-based scanners are <10ms. ML-based scanners depend on model and hardware; typically 100ms–2s per call. Test your scanner chain against production SLAs. Consider caching models and batching.
Does LLM Guard guarantee it will stop all malicious prompts?
No. ML-based detectors have false negatives; determined attackers may craft inputs that evade them. Use LLM Guard as one layer in defense-in-depth (rate limiting, input validation, human review, etc.).
Is commercial support available?
Protect AI offers community email support ([email protected]) but no published SLA or commercial support tier. For production deployments, evaluate Protect AI's commercial offerings or contribute/fork for custom support.

Software developers & web developers for hire

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If llm-guard is part of your ai frameworks roadmap, our team can implement, customize, migrate, and maintain it.

Secure Your LLM Application Today

Integrate LLM Guard into your pipeline to prevent prompt injection, data leakage, and harmful outputs. Start with pip install llm-guard and explore the interactive playground.