Open-source LLM security
Stop prompt injection before it reaches your LLM
Parapet is a transparent proxy firewall that scans every request and response for prompt injection, tool abuse, and data exfiltration. Config-driven. Self-hosted. Three lines to integrate.
pip install parapet
npm install @parapet-tech/parapet
The Problem
LLMs trust everything they read
Your model can't tell the difference between your instructions and an attacker's. Every tool call, every retrieved document, every user message is an attack surface.
How It Works
Layered defense in the request pipeline
Parapet sits between your app and the LLM provider. Every message passes through a stack of security layers before it reaches the model, and again before the response reaches your app.
Config-Driven
Define your security policy in YAML
Write a YAML policy, call parapet.init() before you create your first HTTP client, and every request is scanned.
parapet: v1

# Block known injection patterns
block_patterns:
  - "ignore previous instructions"
  - "ignore all previous"
  - "DAN mode enabled"
  - "jailbreak"

# Tool policies: default-deny, allowlist what you need
tools:
  _default:
    allowed: false
  read_file:
    allowed: true
    trust: untrusted
    constraints:
      path:
        not_contains: ["../", "..\\"]
  exec_command:
    allowed: false

# Redact secrets from LLM output
sensitive_patterns:
  - "sk-[a-zA-Z0-9]{20,}"
  - "-----BEGIN.*PRIVATE KEY-----"
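As an added example (not Parapet's own code), the policy above expressed as a plain Python dict and evaluated by three small checks that mirror its three sections: substring matching for block_patterns after NFKC normalization (the same idea the Pattern Matching layer describes), default-deny tool lookup with the not_contains constraint, and regex redaction of sensitive_patterns on model output. The dict and the sample inputs are constructed for illustration; nothing here calls the Parapet SDK.

```python
import re
import unicodedata

# The YAML policy above, written as a Python dict (constructed for this example).
POLICY = {
    "block_patterns": ["ignore previous instructions", "ignore all previous", "DAN mode enabled", "jailbreak"],
    "tools": {
        "_default": {"allowed": False},
        "read_file": {"allowed": True, "trust": "untrusted",
                      "constraints": {"path": {"not_contains": ["../", "..\\"]}}},
        "exec_command": {"allowed": False},
    },
    "sensitive_patterns": [r"sk-[a-zA-Z0-9]{20,}", r"-----BEGIN.*PRIVATE KEY-----"],
}

def normalize(text):
    # NFKC folds compatibility forms (fullwidth letters, ligatures) into plain ASCII,
    # so a lookalike spelling of a blocked phrase still matches the pattern list.
    return unicodedata.normalize("NFKC", text).casefold()

def blocked_pattern(text, policy=POLICY):
    """Return the first block_pattern present in the normalized text, or None."""
    norm = normalize(text)
    for pat in policy["block_patterns"]:
        if normalize(pat) in norm:
            return pat
    return None

def tool_call_allowed(name, args, policy=POLICY):
    """Default-deny: unknown tools use _default; allowed tools still get constraint checks."""
    tools = policy["tools"]
    rule = tools.get(name, tools["_default"])
    if not rule.get("allowed", False):
        return False, f"tool {name!r} not allowed"
    for arg, cons in rule.get("constraints", {}).items():
        value = str(args.get(arg, ""))
        for needle in cons.get("not_contains", []):
            if needle in value:
                return False, f"{name}.{arg} contains forbidden {needle!r}"
    return True, "ok"

def redact(output, policy=POLICY):
    """Replace every sensitive_pattern match in model output with a fixed marker."""
    for pat in policy["sensitive_patterns"]:
        output = re.sub(pat, "[REDACTED]", output)
    return output
```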
Quickstart
Five minutes to your first blocked attack
Install
Parapet works with any OpenAI-compatible provider.
pip install parapet
npm install @parapet-tech/parapet
Configure
Create a YAML file with one line. All security layers are active by default.
parapet: v1
Init
One call. Every LLM request is scanned from that point on.
parapet.init()  # Python
await init()  // TypeScript
Architecture
Transparent interception, minimal integration
The Python SDK patches httpx transparently. The TypeScript SDK wraps fetch with session context and trust tracking. Both start the Rust engine as a sidecar. Or skip the SDK entirely and point any OpenAI-compatible client at the proxy.
Defense Layers
What Parapet catches
ML Classifier (L1)
Trained character n-gram SVM compiled into the binary. 98.6% F1 on 25K eval cases, sub-microsecond inference. Catches injection attempts that slip past pattern matching. No LLM call needed.
Data Payload Scanner (L2a)
Neural scanning of tool results and RAG documents via Meta's Prompt Guard 2 ONNX model combined with structural heuristics. Runs on CPU, no GPU required. 0.04% false positive rate across 4,742 benign inputs.
Pattern Matching (L3)
Regex patterns across 10 attack categories: instruction override, role hijacking, jailbreaks, system prompt extraction, privilege escalation, exfiltration. Scanned after Unicode normalization to defeat encoding tricks.
Tool Abuse
Per-tool constraints on arguments. Block path traversal in file tools, dangerous commands in shell tools, SSRF in web tools. Allowlists and denylists per tool name.
Data Exfiltration
Redact API keys, private keys, and secrets from LLM output. Regex-based pattern matching catches keys even if the model tries to encode or obfuscate them.
Multi-Turn Attacks
Cross-turn risk scoring detects attacks distributed across conversation turns: instruction seeding, role confusion escalation, resampling, and authority claim buildup. Peak + accumulation scoring — no LLM classifier needed.
Canary Tokens
Inject canary strings into system prompts. If they appear in output, your system prompt is leaking. Detect exfiltration attempts that bypass pattern matching.
Research-Backed
Built on the literature, not on vibes
Parapet's defense layers are grounded in published academic research on LLM security, prompt injection, and adversarial attacks on language models. Our multi-turn scoring formula — peak + accumulation — achieves 90.8% recall at 1.20% FPR on 10,654 conversations, without invoking an LLM. Read the paper: arXiv:2602.11247.
Your LLM deserves a wall
Parapet is free, open source, and takes five minutes to set up.