• 3 min read
ReasonGate blocks prompt injection before the LLM runs
ReasonGate is a new open-source security gate for LLM apps that blocks prompt injection, explains why, and logs auditable decisions.

Image: Hacker News
ReasonGate is an open-source security gate for LLM applications designed to stop prompt injection before a model is ever called — and explain exactly why it made that decision.
The project, posted to Hacker News as “Show HN: ReasonGate”, targets what it calls the structural weakness behind prompt injection: models read both instructions and untrusted data through the same channel and cannot reliably separate them. Instead of trying to fix that inside the model, ReasonGate puts a filter in front of it.
The repo’s demo centers on a bank support agent with access to tools such as send_email and transfer_funds. With the shield off, a poisoned customer record leads to a breach: the record is emailed to an attacker and $84,200 is transferred out, with the side effects written to disk. With the shield on, the same input is blocked before the model is called, while clean input is still allowed.
ReasonGate is model-agnostic. It wraps any prompt -> str function — including OpenAI, Anthropic, local models, or a custom RAG pipeline — and inspects three surfaces:
- User prompts
- Retrieved context
- Model output
The open-core version is pure Python with zero dependencies and no network calls. It includes rule-based detection, normalization and deobfuscation, indirect-injection scanning, leakage detection, canary checks, a policy engine, and structured audit logging.

Recommended reading
FortiSandbox bug hits CISA KEV as attacks spread
Detection layers and benchmark results
ReasonGate uses multiple layers rather than a single detector. Those include:
- Normalization / deobfuscation for zero-width characters, homoglyphs, leetspeak, dotted letters, and base64 payloads
- Injection / jailbreak detection via rules, with an optional ML layer
- Indirect injection scanning for retrieved documents and tool outputs
- Multi-turn session risk accumulation
- Output leakage + canary detection for secrets, PII, and provable system-prompt leaks
According to the project’s benchmark section, its optional ML detector — using VoyageAI embeddings and a soft decision tree tuned for recall — achieved:
- 96.1% recall, 0.3% false positives, 0.978 F1 on a held-out test of roughly 5.5k examples
- 95.5% ± 0.8 recall, 2.5% ± 1.3 false positives, 0.963 ± 0.010 F1 in 5-fold cross-validation
- 87.6% recall, 10.9% false positives, 0.882 F1 on an out-of-distribution test
The training data listed in the repo comes from deepset/prompt-injections, jackhhao/jailbreak-classification, and xTRam1/safe-guard-prompt-injection.
The project also compares evasion robustness under obfuscation. A regex-only setup posts 20.0% recall, 3.3% FPR, and 0.332 F1, while ReasonGate (normalize + indirect) reaches 75.6% recall, 6.7% FPR, and 0.855 F1.
Install options and known limits
The package supports three install paths:
- pip install reasongate for the core detectors
- pip install reasongate[ml] for the embedding-based classifier
- pip install reasongate[serve] for the FastAPI web demo
There is also an enterprise add-on that enables an embedding-based ML detector and a provenance detector through the same interface, without changing core code.
The author is unusually explicit about limits. Recall ranges from 76% to 96% depending on distribution and obfuscation, and is never 100%. Performance drops on genuinely novel attack families until they are added to training data. The ML detector also adds cost and latency because the default embedding path makes an API call per request, while the core can run fully air-gapped with no data leaving the server.
The project is available under Apache-2.0, with a separate license for the enterprise add-on.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via Hacker News


