// what it does

Defense layer for AI agents. 3-stage detection pipeline (regex engine, ML classifier, LLM judge) that catches prompt injection, data leakage, destructive actions, and jailbreaks. Span-level redaction strips the malicious parts while preserving legitimate content. Ships as a Python SDK, hosted API, and MCP server.

// what makes it different

Taint tracking. Every piece of text carries metadata about where it came from: user input, retrieved document, tool output. This catches indirect injection, where a malicious instruction hidden in a document drives a destructive tool call. Most scanners treat text in isolation. Unplug tracks the full execution graph.

// models

We train our own model family on a synthetic and curated dataset. Unplug Tiny is out: a fully open-source, Apache-2.0 classifier on HuggingFace. It's a dual-head span detector. One head decides whether text is hostile, the other localizes the attack token by token, so the pipeline redacts the malicious span and keeps the rest of the document. There's a live demo you can paste text into. Small and larger variants follow, and the training dataset goes public too.

// the numbers

Every number here comes from a frozen evaluation harness on held-out data. Strengths and failures both, because a security tool that hides its blind spots is worse than no tool. Recall is on malicious sets, false-positive rate on benign sets.

Unplug Tiny v1, measured. No number is hand-typed.
test setrecallFPR
Core injection (942)94.4%0.5%
Indirect injection in context (2000)96.3%0.0%
Trigger-word benign probesn/a0.9%
OOD direct injection (281)61.9%10.2%
Harmful-but-not-injectionn/a87.0%
Hardest benign diversityn/a54.2%

It localizes precisely when it fires (97.1% span F1) but it over-fires on harmful-but-not-injection text, because it detects hijacking, not harm. Those are different jobs. Full breakdown is on the model card.

// stack

Python SDK, on PyPI now: pip install "unplug-ai[ml]". A 12-stage text normalizer defeats evasion techniques (leetspeak, homoglyphs, base64, zero-width characters, reversed text, cross-language attacks). Inference runs on CPU, no GPU needed. Everything lives under UnplugAI.

// what's next

Larger model variants, the public training dataset, and the hosted API as a service for teams that don't want to self-host. Framework integrations starting with Agno. Want to stress-test the firewall yourself? Try Jailbreak Dojo.