Open to internship & full-time rolesOpen to internship & full-time rolesOpen to internship & full-time rolesOpen to internship & full-time rolesOpen to internship & full-time rolesOpen to internship & full-time roles
Selected work

LLM Security · 2025 · Designer & Sole Engineer

Agentic AI Guardrail System

A three-layer security pipeline that inspects, classifies, and semantically validates every prompt before it reaches an LLM — catching 92% of attacks across 20,000 adversarial prompts.

92%
Attack detection
20K
Adversarial prompts
3
Defense layers

Context

LLM applications ship with an open door: the prompt. Jailbreaks, prompt injection, and data-exfiltration attempts don't look like traditional exploits — they look like ordinary text. I set out to build a guardrail that treats the prompt boundary as a first-class attack surface, with defense in depth rather than a single brittle filter.

The work later contributed to a published patent in AI security (ID 202641031061).

The problem

A single classifier is easy to fool. Regex misses paraphrase; an ML model misses novel phrasings; a semantic check alone is slow and over-triggers. Each layer has a blind spot the next one covers.

Architecture

Three independent layers, each cheaper and faster than the one behind it, so most traffic is resolved early:

  1. Deterministic filtering — regex and heuristic rules catch known-bad patterns and obvious injection markers in microseconds.
  2. ML classification — a trained classifier scores intent, flagging adversarial phrasing that slips past static rules.
  3. RAG-based semantic validation — the prompt is checked against a curated store of attack signatures and policy, so novel-but-similar attacks are caught by meaning, not surface form.
prompt ─▶ [1] regex ─pass─▶ [2] ML classifier ─pass─▶ [3] RAG semantic check ─▶ LLM
             │ block            │ block                    │ block
             ▼                  ▼                          ▼
                          audit log + policy response

Outcome

  • 92% detection across a test set of 20,000 malicious prompts.
  • Layered short-circuiting keeps the fast path fast — the expensive semantic check only runs on the small fraction that survives layers one and two.
  • A FastAPI service with a PostgreSQL-backed audit trail, deployable in front of any LLM endpoint.

What I'd do next

Adversarial retraining on the misses, per-tenant policy packs, and streaming token-level inspection for tool-calling agents.

Built with

LangChainRAGFastAPIPostgreSQLScikit-learn