Rebuff vs endee
Side-by-side comparison to help you choose.
| Feature | Rebuff | endee |
|---|---|---|
| Type | Framework | Repository |
| UnfragileRank | 43/100 | 30/100 |
| Adoption | 1 | 0 |
| Quality | 0 | 0 |
| Ecosystem | 0 | 1 |
| Match Graph | 0 | 0 |
| Pricing | Free | Free |
| Capabilities | 12 decomposed | 12 decomposed |
| Times Matched | 0 | 0 |
Analyzes incoming prompts using fast, pattern-based rules to detect common prompt injection attack signatures (keywords, structural patterns, encoding tricks). Operates as the first defense layer before LLM-based detection, using configurable keyword lists and regex-based pattern matching to identify malicious intent without requiring model inference. Returns a heuristic score that can be compared against a configurable threshold to block suspicious inputs.
Unique: Implements defense-in-depth as first layer with configurable keyword and pattern registries, allowing teams to customize detection rules without retraining models. Uses strategy pattern to enable/disable heuristic tactics independently from other detection layers.
vs alternatives: Faster than LLM-only detection (no inference latency) and more transparent than black-box ML approaches, but less semantically sophisticated than LLM-based detection alone
Delegates prompt injection detection to a dedicated language model that analyzes user input semantically to identify malicious intent, jailbreak attempts, and instruction-override attacks. The SDK abstracts the LLM backend (OpenAI, Anthropic, local models via Ollama) and returns a detection score based on the model's confidence in identifying an attack. This layer captures sophisticated, context-aware attacks that simple heuristics miss.
Unique: Abstracts LLM provider selection via strategy pattern, supporting OpenAI, Anthropic, and local Ollama models with unified interface. Configurable thresholds per provider allow tuning sensitivity based on model capabilities and false-positive tolerance.
vs alternatives: More semantically accurate than heuristics but slower; unlike static rule-based systems, adapts to new attack patterns without code changes, though still vulnerable to adversarial prompts targeting the detection model itself
Provides APIs to log detected attacks (especially canary token leaks) to the vector database, enabling the system to learn from incidents and improve future detection. When isCanaryWordLeaked() detects a leak, the application can call logAttack() to store the attack input and metadata, which gets embedded and added to the vector database. This creates a feedback loop where each incident improves detection of similar future attacks.
Unique: Implements closed-loop learning: detected attacks (especially canary token leaks) are automatically logged to vector database, improving future detection without manual curation. Metadata logging enables forensic analysis and trend tracking.
vs alternatives: Enables continuous improvement of detection over time, unlike static rule-based or pre-trained model approaches; requires operational discipline to sanitize sensitive data before logging
Returns detailed detection results that include individual scores from each enabled tactic (heuristic score, LLM confidence, vector similarity score) alongside the final detection decision. This enables developers to understand which tactic flagged an input and why, supporting debugging, threshold tuning, and explainability to stakeholders. Detection results include metadata like matched attack patterns from vector database or heuristic rules triggered.
Unique: Returns granular per-tactic scores and metadata (matched attack patterns, heuristic rules triggered) enabling developers to understand detection decisions at multiple levels of detail. Supports both high-level flagged boolean and detailed scoring for debugging.
vs alternatives: More transparent than black-box detection systems; enables threshold tuning and debugging unavailable in opaque approaches, though requires application-level handling of detailed results
Stores embeddings of previously detected or known prompt injection attacks in a vector database (Pinecone, Supabase, or custom backends), then compares incoming prompts against this corpus using semantic similarity. When a user input's embedding exceeds a similarity threshold to known attacks, the system flags it as a potential injection. This layer learns from past incidents and enables zero-shot detection of attack variants.
Unique: Implements pluggable vector database backends (Pinecone, Supabase, custom) via abstraction layer, enabling teams to choose storage based on compliance, latency, and cost requirements. Stores attack metadata alongside embeddings for incident correlation and forensics.
vs alternatives: Learns from organizational incident history without retraining, unlike static heuristics; more scalable than maintaining curated rule lists, but requires active management of attack corpus and periodic re-embedding as threat landscape evolves
Inserts randomly generated, unique canary tokens into system prompts before sending to the LLM, then monitors the model's response to detect if those tokens appear in the output. If a canary token leaks, it indicates the model has exposed its system instructions, revealing a successful prompt injection. The SDK provides addCanaryWord() to inject tokens and isCanaryWordLeaked() to check responses, enabling post-hoc detection of instruction leakage.
Unique: Generates cryptographically random, unique canary tokens per request and provides explicit APIs (addCanaryWord, isCanaryWordLeaked) for application-level integration. Enables closed-loop learning: detected leaks can be automatically logged to vector database to improve future detection.
vs alternatives: Detects successful attacks that bypass all preventive layers; unlike purely preventive approaches, provides forensic evidence of instruction exposure and enables continuous improvement through incident-driven learning
Implements strategy pattern to compose heuristic, LLM-based, and vector database detection tactics into a unified detection pipeline. Each tactic has an independent, configurable threshold that determines sensitivity. The SDK allows enabling/disabling tactics, adjusting thresholds per tactic, and combining scores across tactics to make a final detection decision. This architecture enables teams to tune detection sensitivity for their specific risk tolerance and false-positive budget.
Unique: Uses strategy pattern to decouple detection tactics from orchestration logic, enabling runtime composition and threshold tuning without code changes. Each tactic is independently testable and can be swapped for custom implementations.
vs alternatives: More flexible than single-method detection (heuristics-only or LLM-only); allows cost-latency-accuracy tradeoffs unavailable in monolithic approaches, though requires operational discipline to tune thresholds correctly
Provides Python bindings for Rebuff detection with both sync (detect_injection) and async (async detect_injection) methods, enabling integration into synchronous Flask/Django applications and async FastAPI/Starlette services. The SDK abstracts backend configuration (LLM provider, vector database, heuristic rules) via environment variables or constructor parameters, reducing boilerplate and enabling environment-specific configuration.
Unique: Provides both sync and async APIs with unified interface, enabling drop-in integration into existing Python frameworks. Configuration abstraction via environment variables and constructor parameters allows same code to run across dev/staging/prod with different backends.
vs alternatives: More Pythonic than REST API calls; async support enables non-blocking detection in high-throughput services, unlike synchronous-only SDKs
+4 more capabilities
Implements client-side encryption for vector embeddings before transmission to a remote database, using symmetric encryption (likely AES-256-GCM or similar) with key management handled entirely on the client. Vectors are encrypted at rest and in transit, with decryption occurring only after retrieval on the client side. This architecture ensures the database server never has access to plaintext vectors or their semantic content, enabling privacy-preserving similarity search without trusting the backend infrastructure.
Unique: Implements client-side encryption for vector embeddings with transparent key management in TypeScript, enabling encrypted similarity search without exposing vector semantics to the database server — a rare architectural pattern in vector database clients that typically assume trusted infrastructure
vs alternatives: Provides stronger privacy guarantees than Pinecone or Weaviate's native encryption (which encrypt at rest but expose vectors to the server during queries) by ensuring the server never handles plaintext vectors, though at the cost of client-side computational overhead
Executes similarity search queries against encrypted vector embeddings using approximate nearest neighbor (ANN) algorithms, likely implementing locality-sensitive hashing (LSH), product quantization, or HNSW-compatible approaches adapted for encrypted data. The client constructs encrypted query vectors and retrieves candidate results from the backend, then decrypts and re-ranks results locally to ensure accuracy despite the encryption layer. This enables semantic search without the server inferring query intent.
Unique: Adapts approximate nearest neighbor search algorithms to work with encrypted vectors by performing server-side ANN on ciphertext and client-side re-ranking on decrypted results, maintaining privacy while leveraging ANN efficiency — most vector databases either skip ANN for encrypted data or don't support encryption at all
vs alternatives: Enables semantic search with stronger privacy than Weaviate's encrypted search (which still exposes vectors during query processing) while maintaining better performance than fully homomorphic encryption approaches that are computationally prohibitive
Rebuff scores higher at 43/100 vs endee at 30/100. Rebuff leads on adoption, while endee is stronger on ecosystem.
Need something different?
Search the match graph →© 2026 Unfragile. Stronger through disorder.
Validates vector dimensions against expected embedding model output sizes and checks compatibility between query vectors and stored vectors before operations, preventing dimension mismatches that would cause silent failures or incorrect results. The implementation likely maintains a registry of common embedding models (OpenAI, Anthropic, Sentence Transformers) with their output dimensions, validates vectors at insertion and query time, and provides helpful error messages when mismatches occur.
Unique: Implements proactive dimension validation with embedding model compatibility checking, preventing silent failures from dimension mismatches — most vector clients lack this validation, allowing incorrect operations to proceed
vs alternatives: Catches dimension mismatches at operation time rather than discovering them through incorrect search results, providing better developer experience than manual dimension tracking
Deduplicates vector search results based on vector ID or metadata fields, and re-ranks results by relevance score or custom ranking functions after decryption. The implementation likely supports multiple deduplication strategies (exact match, fuzzy match on metadata), custom ranking functions (e.g., boost recent documents), and result normalization (score scaling, percentile ranking). This enables sophisticated result presentation without exposing ranking logic to the server.
Unique: Implements client-side result deduplication and custom ranking for encrypted vector search, enabling sophisticated result presentation without exposing ranking logic to the server — most vector databases lack built-in deduplication and ranking
vs alternatives: Provides more flexible result ranking than server-side ranking (which is limited by what the server can see) while maintaining privacy by keeping ranking logic on the client
Provides a client-side key management abstraction that handles encryption key generation, storage, rotation, and versioning for vector data. The implementation likely supports multiple key derivation strategies (PBKDF2, Argon2, or direct key material) and maintains key version metadata to support rotating keys without re-encrypting all historical vectors. Keys can be sourced from environment variables, key management services (AWS KMS, Azure Key Vault), or derived from user credentials.
Unique: Implements client-side key versioning and rotation for encrypted vectors without requiring server-side key management, allowing users to rotate keys independently while maintaining backward compatibility with older encrypted vectors — a critical feature for long-lived vector databases that most encrypted vector clients omit
vs alternatives: Provides more flexible key management than database-native encryption (which typically requires server-side key rotation) while remaining simpler than full KMS integration, making it suitable for teams with moderate compliance requirements
Provides a strongly-typed TypeScript API for vector database operations, with full type inference for vector payloads, metadata schemas, and query results. The implementation likely uses generics to allow users to define custom metadata types, with compile-time validation of metadata field access and query filters. This enables IDE autocomplete, compile-time error detection, and self-documenting code for vector operations.
Unique: Implements a generic TypeScript API for vector operations with compile-time metadata schema validation, allowing users to define custom types for vector metadata and catch schema mismatches before runtime — most vector clients (Pinecone, Weaviate SDKs) provide minimal type safety for metadata
vs alternatives: Offers stronger type safety than Pinecone's TypeScript SDK (which uses loose metadata typing) while remaining simpler than full schema validation frameworks, making it ideal for teams seeking a middle ground between flexibility and safety
Supports bulk insertion and upsert operations for multiple encrypted vectors in a single API call, with client-side batching and encryption applied to all vectors before transmission. The implementation likely chunks large batches to respect network and memory constraints, applies encryption in parallel using Web Workers or Node.js worker threads, and handles partial failures gracefully with detailed error reporting per vector. This enables efficient bulk loading of vector stores while maintaining end-to-end encryption.
Unique: Implements parallel client-side encryption for batch vector operations using worker threads, with intelligent batching and partial failure handling — most vector clients encrypt vectors sequentially, making bulk operations significantly slower
vs alternatives: Achieves 3-5x higher throughput for bulk vector insertion than sequential encryption approaches while maintaining end-to-end encryption guarantees, though still slower than plaintext bulk operations due to encryption overhead
Applies metadata-based filtering to vector search results after decryption on the client side, supporting complex filter expressions (AND, OR, NOT, range queries, string matching) without exposing filter logic to the server. The implementation likely parses filter expressions into an AST, evaluates them against decrypted metadata objects, and returns only results matching all filter criteria. This enables privacy-preserving filtered search where the server cannot infer filtering intent.
Unique: Implements client-side metadata filtering with complex boolean logic evaluation, ensuring filter criteria remain hidden from the server while supporting rich query expressiveness — most encrypted vector systems either lack filtering entirely or require server-side filtering that exposes filter intent
vs alternatives: Provides stronger privacy for filtered queries than Weaviate's encrypted search (which still exposes filter logic to the server) while remaining more flexible than simple equality-based filtering
+4 more capabilities