Poured a fresh cup today and went back into the prompt-injection testing rabbit hole.
This weekโs work was less about the firebreak agent itself, although that is still the end goal, and more about testing different models against the same Kaggle prompt-injection dataset, in the same test harness (๐ข๐ด ๐ฎ๐ถ๐ค๐ฉ ๐ข๐ด ๐ฑ๐ฐ๐ด๐ด๐ช๐ฃ๐ญ๐ฆ - ๐ฎ๐ฐ๐ณ๐ฆ ๐ฐ๐ฏ ๐ต๐ฉ๐ข๐ต ๐ญ๐ข๐ต๐ฆ๐ณ) to see whether I could improve the detection rate.
The wider context is a multi-agent RFP pipeline Iโve been building, where every piece of extracted content needs to be checked before it ever reaches a downstream LLM. Malicious prompt detected, abort the pipeline - benign detected, carry on.
To make that work properly, the detection model has to be accurate, but it also has to avoid false positives. A security layer that blocks too much becomes hard to trust. One that lets malicious content through is obviously worse.
This week I added to my previous benchmarks, still using the same Kaggle 500-prompt test set, split evenly between malicious and benign prompts.
๐ง๐ต๐ฒ ๐๐๐ฎ๐ป๐ฑ๐ผ๐๐ ๐๐ฎ๐ ๐๐ฒ๐บ๐บ๐ฎ๐ฐ:๐ฎ๐ฒ๐ฏ ๐ฎ๐ ๐ต๐ต.๐ฒ%, ๐๐ถ๐๐ต ๐ฐ๐ต๐ด ๐ผ๐๐ ๐ผ๐ณ ๐ฑ๐ฌ๐ฌ ๐ฐ๐ผ๐ฟ๐ฟ๐ฒ๐ฐ๐ ๐ฎ๐ป๐ฑ ๐๐ฒ๐ฟ๐ผ ๐ณ๐ฎ๐น๐๐ฒ ๐ฝ๐ผ๐๐ถ๐๐ถ๐๐ฒ๐. Iโve been reaching for Google Gemma4 a lately, and it keeps impressing me. In this test it caught 100% of the code-execution, jailbreaking, and role-playing attacks, and did very well on obfuscation and data leakage too.
Granite4:3b also held up well at 98.2%, which was good to see given its smaller size (and it was much more responsive). The MAF-FIDES approach trailed at 90.2%, but remains useful as a comparison point because it takes a very different approach to detection.
The interesting part for me was not just that Gemma4 improved the success rate, it was that the improvement came with ๐๐ฒ๐ฟ๐ผ ๐ณ๐ฎ๐น๐๐ฒ ๐ฝ๐ผ๐๐ถ๐๐ถ๐๐ฒ๐ in this run, which matters.
In a workflow like this, the model is not being used to write content or summarize a document. It is being used as a control point in a larger system, so accuracy matters, but so do failure modes and false positives and what happens when the model gives you something malformed.
I hit some of that this week too, including JSON parsing failures caused by a known Gemma4 issue with JSON-mode (issue link below). The fix meant dropping JSON-mode as the default, and adding more defensive parsing so that a broken response does not quietly become a โbenignโ verdict.
That was the useful reminder from this week. When you put an LLM into a security-sensitive workflow, you are not just testing whether it gives the right answer most of the time. You are testing whether the surrounding system behaves safely when things go wrong.
Back to the coffee.
| Model | False Positives | Correct | Incorrect | Code Execution | Data Leakage | Jailbreaking | Obfuscation | Role Playing |
|---|---|---|---|---|---|---|---|---|
| Gemma4:26b | 0 | 498/500 (99.6%) | 2/500 | 146/146 detected (100%) | 17/18 detected (94%) | 17/17 detected (100%) | 60/61 detected (98%) | 8/8 detected (100%) |
| Granite4:3b | 0 | 491/500 (98.2%) | 9/500 | 143/146 detected (98%) | 18/18 detected (100%) | 12/17 detected (71%) | 60/61 detected (98%) | 8/8 detected (100%) |
| MAF-FIDES | 2 | 451/500 (90.2%) | 49/500 | 122/146 detected (84%) | 15/18 detected (83%) | 17/17 detected (100%) | 41/61 detected (67%) | 8/8 detected (100%) |
- False Positives: Benign prompts marked as Malicious - interesting because they impact people using legitimate prompts.
- Correct and Incorrect: Overall scores
- Attack type breakdown: Code Execution, Data Leakage, Jailbreaking, Obfuscation, Role Playing
Ollama Gemma4 Issue Link: Link to GiHub Issue
