March 31, 2026

Deterministic Prompt Injection Detection Library Without ML Dependencies

dev tool real project •• multiple requests

As LLM agents proliferate, prompt injection detection is critical but current solutions require ML models, API calls, or GPU inference. A developer on HN built a Go library using deterministic normalization (10 stages) that detects injections via pattern matching after normalizing evasion techniques like homoglyphs, leet speak, and zero-width characters. Zero regex, zero API calls, single dependency. The ClamAV model for prompt security.

builder note

The ClamAV analogy is exactly right. The scan loop is trivial. The value is the definition database. Invest in building the largest, most actively maintained prompt injection signature database and release it as a community resource. The library itself is the distribution mechanism for the signatures. Port to Rust and TypeScript for maximum adoption. The business model is enterprise signature feeds with faster update cycles.

landscape (4 existing solutions)

Prompt injection detection splits into ML-based solutions (accurate but heavy, requiring GPU or API calls) and pattern-based solutions (fast but brittle regex). The deterministic normalization approach is a third path: normalize evasion techniques to canonical form, then match against a community-maintained signature database. This gives ClamAV-like deployability (embed anywhere, no ML dependencies) with expanding coverage via definition updates.

go-promptguard Go library using perplexity-based detection with character bigram analysis. Catches unnatural text patterns but relies on statistical methods that can false-positive on legitimate non-English text or technical content.
Vigil LLM Python-based composable scanner stack (vector similarity, YARA, transformer classifier). Powerful but Python-only and requires ML model inference. Not embeddable in Go/Rust services without FFI overhead.
Microsoft Prompt Shields Cloud API for prompt injection detection. But requires API calls to Microsoft's servers, adding latency and data privacy concerns. Not suitable for offline or high-throughput scanning.
Augustus (Praetorian) Pentesting tool with 210+ vulnerability probes. But designed for red teaming (attacking), not for runtime defense (blocking). Different use case.

sources (2)

hn https://news.ycombinator.com/item?id=47230384 "Think ClamAV: the scan loop is trivial, the definitions are the product" 2026-03-01
other https://github.com/hazyhaar/pkg/tree/main/injection "zero regex, no API calls, no ML in the loop" 2026-03-01
securityLLMprompt-injectionAI-agentsopen-source