Rebuff

Analyzes incoming prompts using fast, pattern-based keyword and rule matching to detect common prompt injection attack signatures before they reach the LLM. Operates as the first defense layer in the multi-layered strategy, using configurable thresholds to flag suspicious patterns like instruction overrides, role-play attempts, and known attack keywords. Executes synchronously with minimal latency overhead.

Delegates prompt analysis to a dedicated language model that evaluates semantic intent and malicious patterns beyond simple keyword matching. The LLM tactic accepts user input and returns a detection score based on the model's understanding of attack intent, allowing detection of sophisticated, paraphrased, or novel injection attempts. Integrates with configurable LLM backends (OpenAI, Anthropic, local models) and caches results to reduce API costs.

Automatically captures new attack patterns when canary tokens are leaked in LLM responses and stores them in the vector database for future detection. When isCanaryWordLeaked() detects a leak, the system extracts the leaked prompt, generates embeddings, and adds it to the vector database with metadata about the attack (timestamp, user, LLM model). Over time, the vector database grows with real-world attack examples, improving detection accuracy without manual threat intelligence curation.

Supports multiple deployment models including cloud-hosted (Netlify), Docker containerization, and self-hosted on-premise installations. Configuration is managed through environment variables for API keys, database connections, and detection thresholds, enabling different configurations per environment (dev, staging, production) without code changes. Includes Docker Compose templates for quick self-hosted setup with all dependencies (vector database, LLM backend).

Returns detailed explanations for each detection decision, including per-tactic scores, matched patterns, and reasoning from the LLM-based detector. When a prompt is flagged, developers can see which tactics triggered (heuristic keywords matched, vector similarity score, LLM confidence), enabling debugging and tuning of detection rules. Scores are normalized to 0-1 range for comparison across tactics with different scoring schemes.

Stores embeddings of previously detected or known prompt injection attacks in a vector database and compares incoming prompts against this corpus using cosine similarity or other distance metrics. When a new prompt is submitted, it's embedded and compared to the attack vector store; if similarity exceeds a configurable threshold, the input is flagged. This layer learns from past incidents and enables cross-organization threat intelligence sharing.

Inserts randomly generated, unique canary words into system prompts as invisible markers, then monitors LLM outputs to detect whether the model has leaked its instructions. When a canary word appears in the model's response, it indicates the model has exposed its system prompt or instructions to the user. This mechanism detects successful prompt injection attacks even if earlier layers missed them, and enables logging of new attack patterns to the vector database for future detection.

Organizes all detection tactics (heuristic, LLM-based, vector database, canary tokens) using the strategy design pattern, allowing developers to enable/disable specific tactics, adjust per-tactic thresholds, and compose custom detection pipelines without modifying core code. Each tactic is a pluggable strategy with a standard interface, and the SDK initializes with a sensible default strategy that includes all three main tactics. Configuration is applied at SDK initialization and can be overridden per-request.

Provides Python bindings for all Rebuff detection capabilities with both synchronous (blocking) and asynchronous (non-blocking) APIs. The SDK wraps the core detection logic and handles LLM backend integration, vector database connections, and result caching. Supports context managers for resource cleanup and includes built-in retry logic with exponential backoff for transient failures in external service calls.

Provides JavaScript/TypeScript bindings for Rebuff detection with support for both browser and Node.js environments. The SDK includes type definitions for all detection methods, supports both Promise-based and callback-based APIs, and handles cross-origin requests for browser deployments. Includes built-in result caching to reduce redundant API calls and supports custom fetch implementations for environments with restricted network access.

Provides a web-based interface for testing prompt injection detection without writing code. Users can input prompts, configure detection tactics and thresholds, and see real-time detection results with explanations. The playground supports multiple LLM backends and vector databases, allows saving test cases, and generates shareable links for collaboration. Useful for security teams to validate detection rules before deployment.

Abstracts vector database operations behind a standard interface, allowing users to choose between Pinecone, Weaviate, Milvus, or implement custom backends. The abstraction handles embedding generation, similarity search, and result ranking. Users configure the vector database backend at SDK initialization, and the detection layer transparently uses the configured backend without code changes. Supports batch operations for bulk attack pattern ingestion.

Caches detection results in memory with configurable time-to-live (TTL) and eviction policies (LRU, LFU, FIFO). When the same prompt is submitted multiple times within the TTL window, cached results are returned without re-running detection tactics, reducing latency and API costs. Cache key is computed from prompt hash and configuration state, ensuring cache hits only occur for identical inputs and settings. Supports cache invalidation on demand.