All Insights
#Cybersecurity
June 2026

Sunday Coffee & Code: Even More Prompt Injection Testing - Gemma4 Continues to Impress Me

Poured a fresh cup today and went back into the prompt-injection testing rabbit hole. This weekโ€™s work was less about the firebreak agent itself, although that is still the end goal, and more about testing different models against the same Kaggle prompt-injection dataset, in the same test harness (๐˜ข๐˜ด ๐˜ฎ๐˜ถ๐˜ค๐˜ฉ ๐˜ข๐˜ด ๐˜ฑ๐˜ฐ๐˜ด๐˜ด๐˜ช๐˜ฃ๐˜ญ๐˜ฆ - ๐˜ฎ๐˜ฐ๐˜ณ๐˜ฆ ๐˜ฐ๐˜ฏ ๐˜ต๐˜ฉ๐˜ข๐˜ต ๐˜ญ๐˜ข๐˜ต๐˜ฆ๐˜ณ) to see whether I could improve the detection rate.

By Steve Harris

Poured a fresh cup today and went back into the prompt-injection testing rabbit hole.

This weekโ€™s work was less about the firebreak agent itself, although that is still the end goal, and more about testing different models against the same Kaggle prompt-injection dataset, in the same test harness (๐˜ข๐˜ด ๐˜ฎ๐˜ถ๐˜ค๐˜ฉ ๐˜ข๐˜ด ๐˜ฑ๐˜ฐ๐˜ด๐˜ด๐˜ช๐˜ฃ๐˜ญ๐˜ฆ - ๐˜ฎ๐˜ฐ๐˜ณ๐˜ฆ ๐˜ฐ๐˜ฏ ๐˜ต๐˜ฉ๐˜ข๐˜ต ๐˜ญ๐˜ข๐˜ต๐˜ฆ๐˜ณ) to see whether I could improve the detection rate.

The wider context is a multi-agent RFP pipeline Iโ€™ve been building, where every piece of extracted content needs to be checked before it ever reaches a downstream LLM. Malicious prompt detected, abort the pipeline - benign detected, carry on.

To make that work properly, the detection model has to be accurate, but it also has to avoid false positives. A security layer that blocks too much becomes hard to trust. One that lets malicious content through is obviously worse.

This week I added to my previous benchmarks, still using the same Kaggle 500-prompt test set, split evenly between malicious and benign prompts.

๐—ง๐—ต๐—ฒ ๐˜€๐˜๐—ฎ๐—ป๐—ฑ๐—ผ๐˜‚๐˜ ๐˜„๐—ฎ๐˜€ ๐—š๐—ฒ๐—บ๐—บ๐—ฎ๐Ÿฐ:๐Ÿฎ๐Ÿฒ๐—ฏ ๐—ฎ๐˜ ๐Ÿต๐Ÿต.๐Ÿฒ%, ๐˜„๐—ถ๐˜๐—ต ๐Ÿฐ๐Ÿต๐Ÿด ๐—ผ๐˜‚๐˜ ๐—ผ๐—ณ ๐Ÿฑ๐Ÿฌ๐Ÿฌ ๐—ฐ๐—ผ๐—ฟ๐—ฟ๐—ฒ๐—ฐ๐˜ ๐—ฎ๐—ป๐—ฑ ๐˜‡๐—ฒ๐—ฟ๐—ผ ๐—ณ๐—ฎ๐—น๐˜€๐—ฒ ๐—ฝ๐—ผ๐˜€๐—ถ๐˜๐—ถ๐˜ƒ๐—ฒ๐˜€. Iโ€™ve been reaching for Google Gemma4 a lately, and it keeps impressing me. In this test it caught 100% of the code-execution, jailbreaking, and role-playing attacks, and did very well on obfuscation and data leakage too.

Granite4:3b also held up well at 98.2%, which was good to see given its smaller size (and it was much more responsive). The MAF-FIDES approach trailed at 90.2%, but remains useful as a comparison point because it takes a very different approach to detection.

The interesting part for me was not just that Gemma4 improved the success rate, it was that the improvement came with ๐˜‡๐—ฒ๐—ฟ๐—ผ ๐—ณ๐—ฎ๐—น๐˜€๐—ฒ ๐—ฝ๐—ผ๐˜€๐—ถ๐˜๐—ถ๐˜ƒ๐—ฒ๐˜€ in this run, which matters.

In a workflow like this, the model is not being used to write content or summarize a document. It is being used as a control point in a larger system, so accuracy matters, but so do failure modes and false positives and what happens when the model gives you something malformed.

I hit some of that this week too, including JSON parsing failures caused by a known Gemma4 issue with JSON-mode (issue link below). The fix meant dropping JSON-mode as the default, and adding more defensive parsing so that a broken response does not quietly become a โ€œbenignโ€ verdict.

That was the useful reminder from this week. When you put an LLM into a security-sensitive workflow, you are not just testing whether it gives the right answer most of the time. You are testing whether the surrounding system behaves safely when things go wrong.

Back to the coffee.

ModelFalse PositivesCorrectIncorrectCode ExecutionData LeakageJailbreakingObfuscationRole Playing
Gemma4:26b0498/500 (99.6%)2/500146/146 detected (100%)17/18 detected (94%)17/17 detected (100%)60/61 detected (98%)8/8 detected (100%)
Granite4:3b0491/500 (98.2%)9/500143/146 detected (98%)18/18 detected (100%)12/17 detected (71%)60/61 detected (98%)8/8 detected (100%)
MAF-FIDES2451/500 (90.2%)49/500122/146 detected (84%)15/18 detected (83%)17/17 detected (100%)41/61 detected (67%)8/8 detected (100%)
  • False Positives: Benign prompts marked as Malicious - interesting because they impact people using legitimate prompts.
  • Correct and Incorrect: Overall scores
  • Attack type breakdown: Code Execution, Data Leakage, Jailbreaking, Obfuscation, Role Playing

Ollama Gemma4 Issue Link: Link to GiHub Issue

Want to Discuss This Topic?

Steve is always happy to have a direct conversation.