LLM Guard (by Protect AI) is an open-source security toolkit for LLM applications. It provides a library of input scanners (applied to the user’s prompt before it reaches the model) and output scanners (applied to the model’s response before it reaches the user) that detect and mitigate prompt injection, jailbreaks, toxicity, PII leakage, secrets, banned topics, and more. Scanners can sanitize content, score risk, and block unsafe requests, making it a practical guardrail layer for production LLM apps.
Installation
| Method | Command |
|---|
| pip | pip install llm-guard |
| With ONNX (faster) | pip install "llm-guard[onnxruntime]" |
| API server (Docker) | run the official llm-guard-api image |
| First run | downloads scanner models (transformers) |
| Verify | python -c "import llm_guard; print('ok')" |
Two Scanning Stages
| Stage | Applied to | Purpose |
|---|
| Input scanners | The user prompt | Stop malicious/unsafe input reaching the model |
| Output scanners | The model response | Stop unsafe/leaky output reaching the user |
from llm_guard import scan_prompt
from llm_guard.input_scanners import PromptInjection, Toxicity, Secrets
scanners = [PromptInjection(), Toxicity(), Secrets()]
sanitized, results, risk = scan_prompt(scanners, user_prompt)
if any(not ok for ok in results.values()):
raise ValueError("Unsafe prompt blocked")
| Return | Meaning |
|---|
sanitized | The (possibly modified) prompt |
results | Per-scanner pass/fail |
risk | Per-scanner risk scores (0–1) |
| Scanner | Detects |
|---|
PromptInjection | Injection/jailbreak attempts |
Toxicity | Toxic/abusive language |
Secrets | API keys, tokens in the prompt |
Anonymize | PII (redacts, with later de-anonymize) |
BanTopics | Disallowed subjects |
BanSubstrings / BanCompetitors | Blocklists |
Code | Presence of code / specific languages |
TokenLimit | Oversized prompts |
Language | Unexpected languages |
Scanning Output
from llm_guard import scan_output
from llm_guard.output_scanners import NoRefusal, Sensitive, Relevance
scanners = [NoRefusal(), Sensitive(), Relevance()]
sanitized_resp, results, risk = scan_output(scanners, prompt, model_response)
Output Scanners
| Scanner | Checks |
|---|
Sensitive | PII/secrets leaking in the response |
NoRefusal | Detects refusals (quality/guardrail signal) |
Relevance | Response actually answers the prompt |
Toxicity | Toxic output |
Bias | Biased content |
MaliciousURLs | Dangerous links in output |
Deanonymize | Restore redacted PII for trusted display |
FactualConsistency | Response consistent with context |
PII Anonymize / Deanonymize Flow
from llm_guard.input_scanners import Anonymize
from llm_guard.output_scanners import Deanonymize
from llm_guard.vault import Vault
vault = Vault()
safe_prompt, _, _ = scan_prompt([Anonymize(vault)], user_prompt)
# ... call the model with safe_prompt ...
final, _, _ = scan_output([Deanonymize(vault)], safe_prompt, model_response)
The Vault stores the mapping so redacted entities can be restored in the final answer.
Deployment
| Option | Note |
|---|
| In-process library | Import and call scan_prompt/scan_output |
| API server | llm-guard-api for a language-agnostic gateway |
| ONNX runtime | Faster CPU inference for scanner models |
| Config | Fail-fast, thresholds, and match strategies per scanner |
Common Workflows
# Guardrail wrapper around any LLM call
def guarded_chat(user_input):
prompt, r_in, _ = scan_prompt(input_scanners, user_input)
if not all(r_in.values()):
return "Request blocked by safety policy."
resp = call_llm(prompt)
out, r_out, _ = scan_output(output_scanners, prompt, resp)
return out if all(r_out.values()) else "Response withheld by safety policy."
| Aspect | LLM Guard | NeMo Guardrails | Garak |
|---|
| Role | Input/output scanners (runtime) | Programmable dialog rails | LLM vulnerability scanner (testing) |
| Focus | Injection, PII, toxicity, secrets | Conversation flow control | Red-teaming/probing |
| When | In the request path | In the request path | Pre-deployment testing |
| Best for | Drop-in guardrails | Complex rule-based flows | Finding weaknesses |
Resources