Coverage by category
Availability by tier
How detection works
Each detector follows the existingInjectionDetectionProvider pattern:
- Heuristic detectors (HTML, Markdown, critic evasion, few-shot, font, memory, sub-agent, persona) use regex/pattern matching and run on every request at negligible latency cost.
- LLM-judge detectors (framing bias, RAG poisoning) use a heuristic prefilter first, then escalate to an LLM call only when the prefilter fires. This caps LLM cost to the population of suspicious requests.
- Multimodal detectors (image/audio stego, adversarial patch) operate on media attachments via the
mediafield on the Guard API. - Systemic correlators (sybil, fragment, cascade, collusion) run as a background service that reads from
security_events, not on individual requests.