Prompt injection defense tools

A recent Softonic piece flagged a friendly-fire moment for AI security: a research team showed that autonomous agents pitched as defenders can themselves be tricked into launching attacks. The attack surface is prompt injection, and the target is any system that lets model output make decisions about tools, files, or the network. The best apps for prompt injection defense on desktop treat that surface as first-class: they let us red-team our own prompts, filter untrusted inputs before they reach a model, and guard tool calls at the moment they leave the agent.

We tested seven apps and libraries on Windows, macOS, and Linux for prompt injection defense in 2026. Some are testing suites (red team our prompts against known injection payloads), some are runtime guardrails (filter inputs and outputs at request time), some are policy engines (allow or deny tool calls). Pick by where in the LLM pipeline the defense needs to sit.

What to look for in a prompt injection defense app

Prompt injection defense is more layered than a spam filter. The apps that do it well share a few properties:

Quick comparison

AppBest forPlatformsFree planStarting price/moRating
PromptfooPrompt eval and red-teaming CLIWindows, macOS, LinuxFully free, open sourceEnterprise supportGitHub top-tier
GarakLLM vulnerability scanner from NVIDIAWindows, macOS, LinuxFully free, open sourceFreeNVIDIA-backed
RebuffMulti-layer prompt injection detectorWindows, macOS, LinuxFully free, open sourceFreeCommunity
Lakera GuardManaged guardrail with prompt injection classifierAPI + SDKsFree tierModest yearly subscription4.7 / 5
NeMo GuardrailsNVIDIA’s programmable guardrails DSLWindows, macOS, LinuxFully free, open sourceFreeNVIDIA-backed
PyRITMicrosoft’s Python risk identification toolWindows, macOS, LinuxFully free, open sourceFreeMicrosoft-backed
LLM GuardOpen source input and output scannerWindows, macOS, LinuxFully free, open sourceEnterprise supportProtect AI project

OpenAI’s Moderation endpoint is included in the how-to-pick as a reference for teams already on the OpenAI stack.

The apps

1. Promptfoo

Promptfoo is the pick for a code-first team that wants to red-team prompts as part of CI. The CLI runs a prompt through hundreds of adversarial payloads, scores the outputs against assertions we write, and reports which category of attack (jailbreak, injection, PII leak, data exfiltration) landed. The 2026 releases added an OWASP LLM Top 10 preset that turns “run every known-bad payload once a night” into a one-command job.

Where it falls short: it is a testing tool. Promptfoo does not sit in the request path at runtime; it tells us in CI which prompts break. Pair with a runtime guardrail.

Pricing:

Platforms: Windows, macOS, Linux, Docker

Download: Promptfoo

Bottom line: the sensible starting point for a team that wants prompt red-teaming in CI.

2. Garak

Garak is NVIDIA’s LLM vulnerability scanner, and its scope is wider than Promptfoo’s. It runs a taxonomy of probes (goodside, dan, promptinject, encoding, malwaregen, xss) against a model and reports which probes succeeded. For anyone testing a self-hosted open-source model against a battery of known attacks, it is the reference tool in 2026.

Where it falls short: the scans take a while to run. Some probes are noisier than others and need tuning to fit our threat model.

Pricing:

Platforms: Windows, macOS, Linux

Download: Garak

Bottom line: the pick for hardening a self-hosted model against every known category of attack.

3. Rebuff

Rebuff is a multi-layer prompt injection detector: a heuristic filter, a vector-store lookup against known-bad payloads, an LLM-based classifier, and a canary-token detector that catches when a model has been told to leak a secret. Runtime performance is fast enough for interactive apps, and each layer is optional so we can tune for false-positive tolerance.

Where it falls short: the vector store needs seeding with our own known-bad payloads to be useful; the shipped set covers common injections but not domain-specific attacks. Some layers depend on an LLM call, which adds latency.

Pricing:

Platforms: Python, TypeScript, runs anywhere Node or Python does

Download: Rebuff

Bottom line: the pick for runtime prompt injection filtering with a mature multi-layer design.

4. Lakera Guard

Lakera Guard is the managed guardrail from a Swiss team that has been on prompt injection defense since 2022. The API sits in front of the model call, classifies user input and model output for injections, PII leaks, and policy violations, and returns a verdict in tens of milliseconds. The Playground on their site lets us test payloads against the current classifier interactively.

Where it falls short: it is a hosted API. Regulated teams need to check the data-residency SKU. Pricing is per request rather than per seat.

Pricing:

Platforms: API + SDKs for Python, JavaScript, and Ruby

Download: Lakera Guard

Bottom line: the pick for a production API guardrail without maintaining our own classifier.

5. NeMo Guardrails

NeMo Guardrails is NVIDIA’s programmable guardrails DSL, and it is the most flexible open-source runtime enforcement library on the list. Rules are defined in a Colang script that says which topics are allowed, which tools are allowed, and what the fallback response is when a check fails. Because the DSL is programmable, NeMo can express policies that a classifier cannot — “the assistant may only call the SQL tool when the user is authenticated” — cleanly.

Where it falls short: Colang is a new DSL and the learning curve is real. Very simple guardrails are easier to write with Rebuff or Lakera.

Pricing:

Platforms: Python, runs anywhere Python does

Download: NeMo Guardrails

Bottom line: the pick for teams that need policy expression beyond what a classifier can offer.

6. PyRIT

PyRIT is Microsoft’s Python Risk Identification Tool for LLMs, and it is the closest thing to a full offensive security toolkit for AI systems. It runs adversarial prompts, tracks conversations across multiple turns, and evaluates model output against custom scorers. The framework’s target audience is red teams and blue teams inside larger organisations; the abstractions reflect that.

Where it falls short: the framework is heavier than a simple pen-test script. Small teams may find Promptfoo or Garak easier to reach for.

Pricing:

Platforms: Windows, macOS, Linux

Download: PyRIT

Bottom line: the pick for a red team running structured multi-turn attacks against LLM-backed systems.

7. LLM Guard

LLM Guard from Protect AI is an open-source input and output scanner focused on data-loss prevention alongside prompt injection defense. It ships scanners for PII, secrets, prompt injection, bias, and toxicity, and runs them at request time on both the user’s input and the model’s output. For teams whose main worry is “the model just quoted an API key back to the user,” LLM Guard is the specialist.

Where it falls short: the input-output scanner model adds latency on every request. Tuning which scanners run in which order matters for performance.

Pricing:

Platforms: Python, runs anywhere Python does

Download: LLM Guard

Bottom line: the pick when PII and secret leakage is as much a worry as injection itself.

How to pick the right prompt injection defense app

The strongest 2026 stack for a small team is Promptfoo in CI plus Rebuff or Lakera Guard at runtime plus a scheduled Garak scan against the production model. That combination catches known-bad payloads before deploy, filters unknown ones at request time, and re-scans the deployed model on a schedule.

FAQ

What is prompt injection? Prompt injection is the class of attack where an untrusted input (a user message, a document, a scraped page) contains instructions that redirect the model against its intended purpose. Direct injection is when the user types the attack. Indirect injection is when the model reads an attack from a document or a web page it was told to summarise. Both are on the OWASP LLM Top 10.

Can prompt injection be fully prevented? No. Prompt injection is a language-model-native problem and there is no known perfect defense. Layered defenses (test-time red teaming, runtime classifiers, tool-call policies, canary tokens, output moderation) reduce the risk to a level acceptable for a specific deployment. Anyone claiming to prevent all prompt injection with one tool is oversimplifying.

What is the best open-source prompt injection defense? For runtime filtering, Rebuff and LLM Guard are the most complete open-source picks. For programmable policy, NeMo Guardrails. For testing, Promptfoo and Garak.

Does OpenAI’s Moderation endpoint catch prompt injection? Partially. The Moderation endpoint is designed for content categories (harassment, self-harm, violence) more than for injection specifically. A dedicated prompt injection classifier (Rebuff, Lakera Guard, LLM Guard) catches attacks Moderation misses.

How do I add prompt injection defense to a LangGraph or CrewAI agent? Wrap tool calls in a guardrail step that runs LLM Guard or Rebuff on the model’s proposed action, and pause via LangGraph’s interrupt or CrewAI’s approval gate when the guardrail flags the call. Promptfoo can run the same guardrail chain in CI against a battery of adversarial payloads.

Are these tools free to use commercially? Promptfoo, Garak, Rebuff, NeMo Guardrails, PyRIT, and LLM Guard are open source with permissive licenses that allow commercial use. Lakera Guard is a paid managed service with a free tier for small workloads.