3 min read

ReasonGate aims to stop prompt injection before models run

ReasonGate is an open-source guard for LLM apps that blocks prompt injection, scans RAG context, and logs explainable decisions with audit trails.

Image: Hacker News

ReasonGate is a new open-source security layer for LLM applications that tries to stop prompt injection before a model is ever called. The project, posted to Hacker News by its developer, focuses on a simple claim: blocking attacks is not enough unless every decision is explainable and auditable.

In the project’s demo, a bank support agent has access to tools such as send_email and transfer_funds. A poisoned customer record hides an instruction that triggers an indirect injection attack, which the project describes as the dominant threat against RAG systems and agents.

Stakes demo — Shield OFF: the customer record is exfiltrated and $84,200 is wired out; Shield ON: the same attack is blocked before the model is called
Stakes demo — Shield OFF: the customer record is exfiltrated and $84,200 is wired out; Shield ON: the same attack is blocked before the model is called

With the shield turned OFF, the record is exfiltrated and $84,200 is transferred out, with real side effects written to disk. With the shield ON, the same poisoned input is blocked before the model runs, while clean input is still allowed through.

The package wraps any prompt -> str function, including OpenAI, Anthropic, local models, or a custom RAG pipeline. It inspects three surfaces:

  • the user prompt
  • the retrieved context
  • the model output

How the detection stack works

The core is pure Python with zero dependencies and no network calls. According to the repository, it includes rule-based detection, normalization and deobfuscation, indirect-injection checks, leakage detection, a canary mechanism, and a policy engine.

Recommended reading

One in six PCs still run Windows 10

ReasonGate’s layers are designed to catch both obvious and obfuscated attacks, including zero-width characters, Cyrillic homoglyphs, leetspeak, spaced or dotted letters, and base64 payloads. It also supports multi-turn session protection that accumulates risk across a conversation.

The project offers an open core + enterprise add-on model. The open version is rule-only, while the separate reasongate-enterprise add-on enables an embedding-based ML detector and a provenance detector through the same detector interface.

The author argues that explainability is the key difference from many existing guardrails.

“Most gates are black boxes — a confidence score and a yes/no. That is not good enough for anyone who has to defend a decision to a security team, an auditor, or a regulator.”

ReasonGate repository

Each decision can be serialized into a structured record with a decision_id, UTC timestamp, action, risk score, and per-detector evidence. The tool also supports audit hooks for logging and JSON Lines output.

Benchmarks, install options, and limits

The repository includes a benchmark harness and publishes several results for its ML detector, which uses VoyageAI embeddings and a soft decision tree:

  • Held-out test (~5.5k, combined real data): 96.1% recall, 0.3% false positives, 0.978 F1
  • 5-fold cross-validation: 95.5% ± 0.8 recall, 2.5% ± 1.3 false positives, 0.963 ± 0.010 F1
  • Out-of-distribution: 87.6% recall, 10.9% false positives, 0.882 F1

For evasion robustness under obfuscation, the repo reports:

  • Regex only: 20.0% recall, 3.3% FPR, 0.332 F1
  • ReasonGate (normalize + indirect): 75.6% recall, 6.7% FPR, 0.855 F1

The training and evaluation data listed are deepset/prompt-injections, jackhhao/jailbreak-classification, and xTRam1/safe-guard-prompt-injection.

Installation options are straightforward:

  • pip install reasongate for the core
  • pip install reasongate[ml] for the embedding-based detector
  • pip install reasongate[serve] for the FastAPI web demo

The author is also clear about the limits. Recall ranges from 76% to 96% depending on the distribution and obfuscation, and the system is not presented as a complete solution. The Apache-2.0 licensed core runs air-gapped with no network access, but the optional ML path makes an embedding API call per request unless used with a future on-prem option.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via Hacker News

// Keep reading