Skip to content

LLM Guard - LLM Security Toolkit Cheatsheet

LLM Guard - LLM Security Toolkit Cheatsheet

LLM Guard (by Protect AI) is an open-source security toolkit for LLM applications. It provides a library of input scanners (applied to the user’s prompt before it reaches the model) and output scanners (applied to the model’s response before it reaches the user) that detect and mitigate prompt injection, jailbreaks, toxicity, PII leakage, secrets, banned topics, and more. Scanners can sanitize content, score risk, and block unsafe requests, making it a practical guardrail layer for production LLM apps.

Installation

MethodCommand
pippip install llm-guard
With ONNX (faster)pip install "llm-guard[onnxruntime]"
API server (Docker)run the official llm-guard-api image
First rundownloads scanner models (transformers)
Verifypython -c "import llm_guard; print('ok')"

Two Scanning Stages

StageApplied toPurpose
Input scannersThe user promptStop malicious/unsafe input reaching the model
Output scannersThe model responseStop unsafe/leaky output reaching the user

Scanning Input

from llm_guard import scan_prompt
from llm_guard.input_scanners import PromptInjection, Toxicity, Secrets

scanners = [PromptInjection(), Toxicity(), Secrets()]
sanitized, results, risk = scan_prompt(scanners, user_prompt)

if any(not ok for ok in results.values()):
    raise ValueError("Unsafe prompt blocked")
ReturnMeaning
sanitizedThe (possibly modified) prompt
resultsPer-scanner pass/fail
riskPer-scanner risk scores (0–1)

Input Scanners

ScannerDetects
PromptInjectionInjection/jailbreak attempts
ToxicityToxic/abusive language
SecretsAPI keys, tokens in the prompt
AnonymizePII (redacts, with later de-anonymize)
BanTopicsDisallowed subjects
BanSubstrings / BanCompetitorsBlocklists
CodePresence of code / specific languages
TokenLimitOversized prompts
LanguageUnexpected languages

Scanning Output

from llm_guard import scan_output
from llm_guard.output_scanners import NoRefusal, Sensitive, Relevance

scanners = [NoRefusal(), Sensitive(), Relevance()]
sanitized_resp, results, risk = scan_output(scanners, prompt, model_response)

Output Scanners

ScannerChecks
SensitivePII/secrets leaking in the response
NoRefusalDetects refusals (quality/guardrail signal)
RelevanceResponse actually answers the prompt
ToxicityToxic output
BiasBiased content
MaliciousURLsDangerous links in output
DeanonymizeRestore redacted PII for trusted display
FactualConsistencyResponse consistent with context

PII Anonymize / Deanonymize Flow

from llm_guard.input_scanners import Anonymize
from llm_guard.output_scanners import Deanonymize
from llm_guard.vault import Vault

vault = Vault()
safe_prompt, _, _ = scan_prompt([Anonymize(vault)], user_prompt)
# ... call the model with safe_prompt ...
final, _, _ = scan_output([Deanonymize(vault)], safe_prompt, model_response)

The Vault stores the mapping so redacted entities can be restored in the final answer.

Deployment

OptionNote
In-process libraryImport and call scan_prompt/scan_output
API serverllm-guard-api for a language-agnostic gateway
ONNX runtimeFaster CPU inference for scanner models
ConfigFail-fast, thresholds, and match strategies per scanner

Common Workflows

# Guardrail wrapper around any LLM call
def guarded_chat(user_input):
    prompt, r_in, _ = scan_prompt(input_scanners, user_input)
    if not all(r_in.values()):
        return "Request blocked by safety policy."
    resp = call_llm(prompt)
    out, r_out, _ = scan_output(output_scanners, prompt, resp)
    return out if all(r_out.values()) else "Response withheld by safety policy."
AspectLLM GuardNeMo GuardrailsGarak
RoleInput/output scanners (runtime)Programmable dialog railsLLM vulnerability scanner (testing)
FocusInjection, PII, toxicity, secretsConversation flow controlRed-teaming/probing
WhenIn the request pathIn the request pathPre-deployment testing
Best forDrop-in guardrailsComplex rule-based flowsFinding weaknesses

Resources