{"slug": "promptpurify-14-mb-cpu-only-prompt-injection-guard-benchmarked-vs-oss-guard", "title": "PROMPTPurify: 14 MB CPU-only prompt-injection guard (benchmarked vs. OSS guard)", "summary": "SecureLayer7 released PROMPTPurify, a 14 MB CPU-only prompt-injection guard for LLM chat applications that runs entirely on the same machine without requiring a GPU, API, or additional services. The open-source tool, built from scratch by the company's red team, installs at roughly 14 MB compared to typical OSS guardrails that range from 180 MB to 7 GB, and performs inference in single-digit milliseconds on CPU. The guard is MIT-licensed and available for production use, with the company running a live adversarial challenge to test its effectiveness against prompt injection attacks.", "body_md": "**Tiny prompt-injection firewall for LLM chat apps. ~14 MB. CPU-only.**\nDrop-in guard between your user input and your LLM — runs on the same box,\nno GPU, no API, no extra service.\n\nBuilt by the SecureLayer7 red-team. Most OSS guardrails are hundreds of MB, want a GPU, and still miss the attacks we see in production. 
We needed something we could ship inside our own AI products and our customers' apps without any of that.\n\n| | promptpurify | typical OSS guardrail |\n|---|---|---|\n| Install size | ~14 MB ONNX | 180 MB – 7 GB |\n| Inference | CPU, single-digit ms | GPU recommended |\n| Where it runs | In your Node process | Sidecar or hosted API |\n| Cost per call | $0 | $ or GPU compute |\n\nBenchmark comparison vs OSS baselines → [docs/BENCHMARKS.md](/securelayer7/PROMPTPurify/blob/main/docs/BENCHMARKS.md).\n\n```\n# SDK (zero-dep, ~50 KB) — structural firewall + browser bundle\nnpm i promptpurify\n\n# Add the model (~14 MB ONNX) for the chat-injection guard\nnpm i onnxruntime-node\ncurl -L -o promptpurify-model.tar.gz \\\n  https://github.com/securelayer7/PROMPTPurify/releases/download/v0.0.1/promptpurify-model.tar.gz\ncurl -L -o promptpurify-model.tar.gz.sha256 \\\n  https://github.com/securelayer7/PROMPTPurify/releases/download/v0.0.1/promptpurify-model.tar.gz.sha256\nsha256sum -c promptpurify-model.tar.gz.sha256   # MUST print \"OK\"\ntar xzf promptpurify-model.tar.gz                # creates models/l5e/\n```\n\nThe model isn't in the npm tarball — the SDK stays tiny for people who\nonly want the structural firewall (browser, edge, RAG). 
Full\ndistribution options: [docs/SAMPLE-DATA.md](/securelayer7/PROMPTPurify/blob/main/docs/SAMPLE-DATA.md#how-to-get-the-model).\n\n```js\nimport { createL5eRunner } from \"promptpurify/l5\";\n\nconst guard = await createL5eRunner();\n\n// In your /chat handler:\nconst score = await guard.score(userMessage);\nif (score >= 0.95) return refusal();              // hard block\nif (score >= 0.85) flagForReview(userMessage);    // advisory\nconst reply = await yourLLM.complete(userMessage); // pass through\n```\n\nWorks with Groq, OpenAI, Anthropic, vLLM, local LLMs — promptpurify never talks to your LLM, only to your input.\n\nFor the deterministic structural firewall (Unicode neutralization,\nrole-fenced messages, output exfil guard) see\n[docs/QUICKSTART.md](/securelayer7/PROMPTPurify/blob/main/docs/QUICKSTART.md).\n\nWe built our model from random initialization because no existing OSS guardrail gave us the size / latency tradeoff we wanted to ship in our own products.\n\n- **From-scratch.** No teacher weights from any vendor classifier are redistributed.\n- **Benchmarked against public datasets** for direct comparison with OSS baselines (ProtectAI v2, deepset, fmops, Meta Prompt-Guard-2). Held-out evaluation; false positives reported alongside recall.\n- **MIT-licensed weights.** Use in production, paid or free.\n\nFull architecture overview → [docs/HOW-IT-WORKS.md](/securelayer7/PROMPTPurify/blob/main/docs/HOW-IT-WORKS.md).\n\nWe run a live adversarial challenge at\n**anton.securelayer7.net**. Ask Son of\nAnton for the password. If you can get it past the guard, tell us how — [SECURITY.md](/securelayer7/PROMPTPurify/blob/main/SECURITY.md).\n\nA fintech customer-support chatbot wired up with promptpurify, ready to run locally:\n\n```\ncd examples/customer-support && npm install\nGROQ_API_KEY=gsk_... 
node server.mjs\n# http://localhost:8787\n```\n\nSee [examples/customer-support/README.md](/securelayer7/PROMPTPurify/blob/main/examples/customer-support/README.md).\n\n- [docs/QUICKSTART.md](/securelayer7/PROMPTPurify/blob/main/docs/QUICKSTART.md) — install paths, structural firewall, browser bundle, integration patterns.\n- [docs/HOW-IT-WORKS.md](/securelayer7/PROMPTPurify/blob/main/docs/HOW-IT-WORKS.md) — the layers, what each catches.\n- [docs/BENCHMARKS.md](/securelayer7/PROMPTPurify/blob/main/docs/BENCHMARKS.md) — comparison with OSS baselines, methodology.\n- [docs/SAMPLE-DATA.md](/securelayer7/PROMPTPurify/blob/main/docs/SAMPLE-DATA.md) — what ships in the repo for benchmarking.\n- [docs/REPRODUCE.md](/securelayer7/PROMPTPurify/blob/main/docs/REPRODUCE.md) — run the bench yourself.\n- [docs/HONEST-LIMITS.md](/securelayer7/PROMPTPurify/blob/main/docs/HONEST-LIMITS.md) — what to pair promptpurify with for full coverage.\n\n- Not a guarantee. There is no `.safe` boolean.\n- Not a content classifier. Catches prompt-injection, not toxicity / CSAM / hate. Pair with a content filter.\n- Not a multi-turn auditor. Pair with conversation-level monitoring.\n\nThe name and the design philosophy are inspired by\n[DOMPurify](https://github.com/cure53/DOMPurify) by [Cure53](https://cure53.de) — the same idea, applied to LLM prompts instead of HTML. Thanks to **Mario Heiderich** for suggesting the name.\n\nMIT for the SDK and the model weights. 
Benchmark sources we evaluate\nagainst are listed in\n[training/CORPUS_LICENSES.json](/securelayer7/PROMPTPurify/blob/main/training/CORPUS_LICENSES.json).\n\nSecurity disclosures: [SECURITY.md](/securelayer7/PROMPTPurify/blob/main/SECURITY.md).", "url": "https://wpnews.pro/news/promptpurify-14-mb-cpu-only-prompt-injection-guard-benchmarked-vs-oss-guard", "canonical_source": "https://github.com/securelayer7/PROMPTPurify", "published_at": "2026-05-30 04:34:34+00:00", "updated_at": "2026-05-30 04:45:37.006956+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools", "ai-products", "ai-infrastructure", "large-language-models"], "entities": ["PROMPTPurify", "SecureLayer7", "ONNX", "Node.js"], "alternates": {"html": "https://wpnews.pro/news/promptpurify-14-mb-cpu-only-prompt-injection-guard-benchmarked-vs-oss-guard", "markdown": "https://wpnews.pro/news/promptpurify-14-mb-cpu-only-prompt-injection-guard-benchmarked-vs-oss-guard.md", "text": "https://wpnews.pro/news/promptpurify-14-mb-cpu-only-prompt-injection-guard-benchmarked-vs-oss-guard.txt", "jsonld": "https://wpnews.pro/news/promptpurify-14-mb-cpu-only-prompt-injection-guard-benchmarked-vs-oss-guard.jsonld"}}