The first model in the Unplug family is public. It's called Unplug Tiny, it's on HuggingFace under Apache-2.0, and the SDK that wraps it is on PyPI. You can paste text into the live demo right now and watch it work.

// what it actually does

Most prompt-injection classifiers give you one bit: safe or not safe. If a document trips the alarm, you throw the whole thing away. That's a bad trade when the attack is one sentence buried in a 2000-character RAG chunk you actually needed.

Tiny is a dual-head span detector instead. One head decides whether the text is hostile. A second head localizes where the attack is, token by token. So the pipeline can cut the malicious span and keep the rest of the document. Find the attack, cut the attack, keep the rest.

It's small on purpose. The backbone is DeBERTa-v3-xsmall, 70M params, and it runs on CPU. No GPU, no API call, no data leaving your machine.

// the numbers, including the bad ones

Every number on the model card comes from a frozen evaluation harness on held-out data. None of them are hand-typed, and that includes the axes where the model fails. I'd rather ship something honest than something that looks good in a README and falls over in production.

Where it's strong:

Where it isn't:

It shipped as a preview with two failing release gates, documented in the open. That's the point. A security tool that hides its blind spots is worse than no tool, because you stop watching.

// using it

The model checkpoint uses a custom dual-head architecture, so loading it raw won't give you the decision policy. Use the SDK, which handles text normalization, encoded-payload decoding, thresholds, span merging, and redaction around the model:

pip install "unplug-ai[ml]"
from unplug import Guard

guard = Guard.with_tiny()
result = guard.scan(untrusted_text)

if not result.safe:
    print(result.redacted_text)   # attack spans removed, rest kept

// what's next

Tiny is the smallest tier. Small and larger variants follow, trained on the same growing synthetic and curated dataset, which goes public too. The hosted API is next for teams that don't want to self-host, and framework integrations start with Agno.

If you want to break it, that's encouraged. I built a game for exactly that: Jailbreak Dojo lets you social-engineer a local guardian past these shields, and every successful bypass becomes training data for the next model.

Model: huggingface.co/Unplug-AI/unplug-tiny-v1. SDK: github.com/UnplugAI/Unplug.