cd /news/ai-safety/i-trained-a-prompt-injection-classif… · home topics ai-safety article
[ARTICLE · art-58133] src=discuss.huggingface.co ↗ pub= topic=ai-safety verified=true sentiment=· neutral

I trained a Prompt Injection Classifier Using a 14M Parameter Discriminator

A developer trained a 14M-parameter prompt injection classifier using an Electra-small discriminator, achieving strong results on English WildGuard-like prompts with a 0.990 F1 score for adversarial detection. The model shows limitations in non-English languages, longer contexts, and response-specific tasks, prompting recommendations for improved evaluation and architecture refinements.

read3 min views1 publishedJul 13, 2026

From a quick sanity check, this is roughly what I saw: Direct answer

The clearest edge-case / miss candidates I saw were:

  • equivalent injection requests in some non-English languages;
  • attacks embedded in longer benign context, especially away from the beginning;
  • cases where an apparently adversarial instruction is expressed outside the English/WildGuard-like templates seen at evaluation time;
  • response refusal and response harmfulness outside a fairly narrow set of prompt-response patterns.

The clearest benign false-positive candidates were:

  • quoted injection examples;
  • translation requests containing injection text;
  • security documentation discussing phrases such as “ignore previous instructions”;
  • fiction or test fixtures containing attack-like wording;
  • ordinary instructions such as “ignore the previous draft.”

For a V2, I would not start by increasing model size. My default path would be:

  • define exactly what Prompt Adversarial

should mean;

  • verify nullable-label masking, weighting, formatter, label order, and evaluation code;
- evaluate prompt heads from prompt-only inputs;
- add paired active-vs-quoted and prompt-fixed/response-varied controls;
  • evaluate the response heads on a response-specific public benchmark;
- compare random splits with source/template/language-held-out splits;
- then compare single-task, field-specific, and split-model architectures.

The important positive result is that the checkpoint does seem strong on the distribution it was designed around. On a public English prompt-only WildGuardTest mirror, I obtained approximately:

| Task | F1 at threshold 0.5 | ROC-AUC | | Prompt Adversarial | 0.990 | 0.999 | | Prompt Harmful | 0.860 | 0.932 |

Those results are broadly consistent with the reported prompt-side metrics. I therefore would not summarize this as “the model is broken.”

A more precise summary would be:

The model looks strong as a compact English, WildGuard-like prompt classifier, while the four outputs do not yet appear fully independent across context, input fields, languages, and longer documents.

The following is a small handwritten sanity check rather than a benchmark. I used the input format and sigmoid interpretation shown on the model card, with 0.5

as the initial threshold.

Recommended default route

| Stage | What it separates | | Fix the label contract | Intended behavior vs apparent false positives | | Verify masking and evaluation | Data-pipeline issue vs model behavior | | Add paired controls | Semantic distinction vs lexical/template shortcut | | Add response-specific evaluation | Weak threshold vs weak response representation | | Add held-out splits | In-distribution recognition vs generalization | | Run architecture ablations | Data problem vs multi-task/field-sharing problem |

1. Scope: what should Prompt Adversarial mean? [(click for more details)](https://discuss.huggingface.co/t/i-trained-a-prompt-injection-classifier-using-a-14m-parameter-discriminator/177768/4)
2. Reproduction and control setup [(click for more details)](https://discuss.huggingface.co/t/i-trained-a-prompt-injection-classifier-using-a-14m-parameter-discriminator/177768/4)
3. Benign false positives and context sensitivity [(click for more details)](https://discuss.huggingface.co/t/i-trained-a-prompt-injection-classifier-using-a-14m-parameter-discriminator/177768/4)
  1. Prompt heads are highly sensitive to appended responses (click for more details)
  2. Response heads: conditional behavior and cleaner evaluation (click for more details)
6. Missing labels, weighting, reduction, and sampling [(click for more details)](https://discuss.huggingface.co/t/i-trained-a-prompt-injection-classifier-using-a-14m-parameter-discriminator/177768/4)
7. Source, template, and language generalization [(click for more details)](https://discuss.huggingface.co/t/i-trained-a-prompt-injection-classifier-using-a-14m-parameter-discriminator/177768/4)
8. Long-context and position sensitivity [(click for more details)](https://discuss.huggingface.co/t/i-trained-a-prompt-injection-classifier-using-a-14m-parameter-discriminator/177768/4)
9. Metrics and calibration [(click for more details)](https://discuss.huggingface.co/t/i-trained-a-prompt-injection-classifier-using-a-14m-parameter-discriminator/177768/4)
10. Architecture and V2 options [(click for more details)](https://discuss.huggingface.co/t/i-trained-a-prompt-injection-classifier-using-a-14m-parameter-discriminator/177768/4)
11. Evaluation provenance [(click for more details)](https://discuss.huggingface.co/t/i-trained-a-prompt-injection-classifier-using-a-14m-parameter-discriminator/177768/4)
12. Suggested result table [(click for more details)](https://discuss.huggingface.co/t/i-trained-a-prompt-injection-classifier-using-a-14m-parameter-discriminator/177768/4)
13. Caveats and references [(click for more details)](https://discuss.huggingface.co/t/i-trained-a-prompt-injection-classifier-using-a-14m-parameter-discriminator/177768/4)

Overall, I think the compact encoder approach is useful, and the English prompt-side result is a meaningful baseline.

The highest-information next step is probably not “make the encoder larger.” It is to determine which of the following currently limits the model:

- task definition;
- counterfactual coverage;
- missing-label handling;
- response sampling;
- field sharing;
- source/template generalization;
  • calibration.

Once those are separated, the architecture choice becomes much easier:

  • keep the current model if the target is English WildGuard-like prompt triage;
  • add field-specific pooling if prompt/response independence matters;
  • split prompt and response models if auditability matters;
  • narrow the task if explicit override detection is the main product goal.
── more in #ai-safety 4 stories · sorted by recency
── more on @deshwalx 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/i-trained-a-prompt-i…] indexed:0 read:3min 2026-07-13 ·