3 min read

ReasonGate blocks prompt injection before the LLM runs

ReasonGate is a new open-source security gate for LLM apps that blocks prompt injection, explains why, and logs auditable decisions.

Image: Hacker News

ReasonGate is an open-source security gate for LLM applications designed to stop prompt injection before a model is ever called — and explain exactly why it made that decision.

The project, posted to Hacker News as “Show HN: ReasonGate”, targets what it calls the structural weakness behind prompt injection: models read both instructions and untrusted data through the same channel and cannot reliably separate them. Instead of trying to fix that inside the model, ReasonGate puts a filter in front of it.

Stakes demo — Shield OFF: the customer record is exfiltrated and $84,200 is wired out; Shield ON: the same attack is blocked before the model is called
Stakes demo — Shield OFF: the customer record is exfiltrated and $84,200 is wired out; Shield ON: the same attack is blocked before the model is called

The repo’s demo centers on a bank support agent with access to tools such as send_email and transfer_funds. With the shield off, a poisoned customer record leads to a breach: the record is emailed to an attacker and $84,200 is transferred out, with the side effects written to disk. With the shield on, the same input is blocked before the model is called, while clean input is still allowed.

ReasonGate is model-agnostic. It wraps any prompt -> str function — including OpenAI, Anthropic, local models, or a custom RAG pipeline — and inspects three surfaces:

  • User prompts
  • Retrieved context
  • Model output

The open-core version is pure Python with zero dependencies and no network calls. It includes rule-based detection, normalization and deobfuscation, indirect-injection scanning, leakage detection, canary checks, a policy engine, and structured audit logging.

Recommended reading

FortiSandbox bug hits CISA KEV as attacks spread

Detection layers and benchmark results

ReasonGate uses multiple layers rather than a single detector. Those include:

  • Normalization / deobfuscation for zero-width characters, homoglyphs, leetspeak, dotted letters, and base64 payloads
  • Injection / jailbreak detection via rules, with an optional ML layer
  • Indirect injection scanning for retrieved documents and tool outputs
  • Multi-turn session risk accumulation
  • Output leakage + canary detection for secrets, PII, and provable system-prompt leaks

According to the project’s benchmark section, its optional ML detector — using VoyageAI embeddings and a soft decision tree tuned for recall — achieved:

  • 96.1% recall, 0.3% false positives, 0.978 F1 on a held-out test of roughly 5.5k examples
  • 95.5% ± 0.8 recall, 2.5% ± 1.3 false positives, 0.963 ± 0.010 F1 in 5-fold cross-validation
  • 87.6% recall, 10.9% false positives, 0.882 F1 on an out-of-distribution test

The training data listed in the repo comes from deepset/prompt-injections, jackhhao/jailbreak-classification, and xTRam1/safe-guard-prompt-injection.

The project also compares evasion robustness under obfuscation. A regex-only setup posts 20.0% recall, 3.3% FPR, and 0.332 F1, while ReasonGate (normalize + indirect) reaches 75.6% recall, 6.7% FPR, and 0.855 F1.

Install options and known limits

The package supports three install paths:

  • pip install reasongate for the core detectors
  • pip install reasongate[ml] for the embedding-based classifier
  • pip install reasongate[serve] for the FastAPI web demo

There is also an enterprise add-on that enables an embedding-based ML detector and a provenance detector through the same interface, without changing core code.

The author is unusually explicit about limits. Recall ranges from 76% to 96% depending on distribution and obfuscation, and is never 100%. Performance drops on genuinely novel attack families until they are added to training data. The ML detector also adds cost and latency because the default embedding path makes an API call per request, while the core can run fully air-gapped with no data leaving the server.

The project is available under Apache-2.0, with a separate license for the enterprise add-on.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via Hacker News

// Keep reading