PROMPTPurify: 14 MB CPU-only prompt-injection guard (benchmarked vs. OSS guard)

SecureLayer7 released PROMPTPurify, a 14 MB CPU-only prompt-injection guard for LLM chat applications that runs entirely on the same machine without requiring a GPU, API, or additional services. The open-source tool, built from scratch by the company's red team, installs at roughly 14 MB compared to typical OSS guardrails that range from 180 MB to 7 GB, and performs inference in single-digit milliseconds on CPU. The guard is MIT-licensed and available for production use, with the company running a live adversarial challenge to test its effectiveness against prompt injection attacks.

Tiny prompt-injection firewall for LLM chat apps. ~14 MB. CPU-only. Drop-in guard between your user input and your LLM — runs on the same box, no GPU, no API, no extra service. Built by the SecureLayer7 red-team. Most OSS guardrails are hundreds of MB, want a GPU, and still miss the attacks we see in production. We needed something we could ship inside our own AI products and our customers' apps without any of that. | promptpurify | typical OSS guardrail | | |---|---|---| | Install size | ~14 MB ONNX | 180 MB – 7 GB | | Inference | CPU, single-digit ms | GPU recommended | | Where it runs | In your Node process | Sidecar or hosted API | | Cost per call | $0 | $ or GPU compute | Benchmark comparison vs OSS baselines → docs/BENCHMARKS.md /securelayer7/PROMPTPurify/blob/main/docs/BENCHMARKS.md . SDK zero-dep, ~50 KB — structural firewall + browser bundle npm i promptpurify Add the model ~14 MB ONNX for the chat-injection guard npm i onnxruntime-node curl -L -o promptpurify-model.tar.gz \ https://github.com/securelayer7/PROMPTPurify/releases/download/v0.0.1/promptpurify-model.tar.gz curl -L -o promptpurify-model.tar.gz.sha256 \ https://github.com/securelayer7/PROMPTPurify/releases/download/v0.0.1/promptpurify-model.tar.gz.sha256 sha256sum -c promptpurify-model.tar.gz.sha256 MUST print "OK" tar xzf promptpurify-model.tar.gz creates models/l5e/ The model isn't in the npm tarball — the SDK stays tiny for people who only want the structural firewall browser, edge, RAG . Full distribution options: docs/SAMPLE-DATA.md /securelayer7/PROMPTPurify/blob/main/docs/SAMPLE-DATA.md how-to-get-the-model . js import { createL5eRunner } from "promptpurify/l5"; const guard = await createL5eRunner ; // In your /chat handler: const score = await guard.score userMessage ; if score = 0.95 return refusal ; // hard block if score = 0.85 flagForReview userMessage ; // advisory const reply = await yourLLM.complete userMessage ; // pass through Works with Groq, OpenAI, Anthropic, vLLM, local LLMs — promptpurify never talks to your LLM, only to your input. For the deterministic structural firewall Unicode neutralization, role-fenced messages, output exfil guard see docs/QUICKSTART.md /securelayer7/PROMPTPurify/blob/main/docs/QUICKSTART.md . We built our model from random initialization because no existing OSS guardrail gave us the size / latency tradeoff we wanted to ship in our own products. From-scratch. No teacher weights from any vendor classifier are redistributed. Benchmarked against public datasets for direct comparison with OSS baselines ProtectAI v2, deepset, fmops, Meta Prompt-Guard-2 . Held-out evaluation; false positives reported alongside recall. MIT-licensed weights. Use in production, paid or free. Full architecture overview → docs/HOW-IT-WORKS.md /securelayer7/PROMPTPurify/blob/main/docs/HOW-IT-WORKS.md . We run a live adversarial challenge at anton.securelayer7.net . Ask Son of Anton for the password. If you can get it past the guard, tell us how — SECURITY.md /securelayer7/PROMPTPurify/blob/main/SECURITY.md . A fintech customer-support chatbot wired up with promptpurify, ready to run locally: cd examples/customer-support && npm install GROQ API KEY=gsk ... node server.mjs http://localhost:8787 See examples/customer-support/README.md /securelayer7/PROMPTPurify/blob/main/examples/customer-support/README.md . — install paths, structural firewall, browser bundle, integration patterns. docs/QUICKSTART.md /securelayer7/PROMPTPurify/blob/main/docs/QUICKSTART.md — the layers, what each catches. docs/HOW-IT-WORKS.md /securelayer7/PROMPTPurify/blob/main/docs/HOW-IT-WORKS.md — comparison with OSS baselines, methodology. docs/BENCHMARKS.md /securelayer7/PROMPTPurify/blob/main/docs/BENCHMARKS.md — what ships in the repo for benchmarking. docs/SAMPLE-DATA.md /securelayer7/PROMPTPurify/blob/main/docs/SAMPLE-DATA.md — run the bench yourself. docs/REPRODUCE.md /securelayer7/PROMPTPurify/blob/main/docs/REPRODUCE.md — what to pair promptpurify with for full coverage. docs/HONEST-LIMITS.md /securelayer7/PROMPTPurify/blob/main/docs/HONEST-LIMITS.md - Not a guarantee. There is no .safe boolean. - Not a content classifier. Catches prompt-injection, not toxicity / CSAM / hate. Pair with a content filter. - Not a multi-turn auditor. Pair with conversation-level monitoring. The name and the design philosophy are inspired by DOMPurify https://github.com/cure53/DOMPurify by Cure53 https://cure53.de — the same idea, applied to LLM prompts instead of HTML. Thanks to Mario Heiderich for suggesting the name. MIT for the SDK and the model weights. Benchmark sources we evaluate against are listed in training/CORPUS LICENSES.json /securelayer7/PROMPTPurify/blob/main/training/CORPUS LICENSES.json . Security disclosures: SECURITY.md /securelayer7/PROMPTPurify/blob/main/SECURITY.md .