A recent Softonic piece flagged a friendly-fire moment for AI security: a research team showed that autonomous agents pitched as defenders can themselves be tricked into launching attacks. The attack surface is prompt injection, and the target is any system that lets model output make decisions about tools, files, or the network. The best apps for prompt injection defense on desktop treat that surface as first-class: they let us red-team our own prompts, filter untrusted inputs before they reach a model, and guard tool calls at the moment they leave the agent.
We tested seven apps and libraries on Windows, macOS, and Linux for prompt injection defense in 2026. Some are testing suites (red team our prompts against known injection payloads), some are runtime guardrails (filter inputs and outputs at request time), some are policy engines (allow or deny tool calls). Pick by where in the LLM pipeline the defense needs to sit.
What to look for in a prompt injection defense app
Prompt injection defense is more layered than a spam filter. The apps that do it well share a few properties:
- Coverage of at least the OWASP LLM Top 10, including direct and indirect prompt injection, insecure output handling, and training-data poisoning.
- Support for both testing (offline red-teaming) and runtime enforcement (inline guardrails). Neither alone is enough.
- Model-agnostic. A defense that only works against OpenAI’s models does not help teams running Claude, Gemini, or open-source models.
- Ability to filter tool calls, not just text. A guardrail that misses “please run this shell command” is useless.
- Open, inspectable rulesets. A closed classifier that we cannot audit is a black box in a chain we needed to make less black.
- Fast enough for real traffic. A 500ms guardrail on a 300ms request is a non-starter for interactive apps.
Quick comparison
| App | Best for | Platforms | Free plan | Starting price/mo | Rating |
|---|---|---|---|---|---|
| Promptfoo | Prompt eval and red-teaming CLI | Windows, macOS, Linux | Fully free, open source | Enterprise support | GitHub top-tier |
| Garak | LLM vulnerability scanner from NVIDIA | Windows, macOS, Linux | Fully free, open source | Free | NVIDIA-backed |
| Rebuff | Multi-layer prompt injection detector | Windows, macOS, Linux | Fully free, open source | Free | Community |
| Lakera Guard | Managed guardrail with prompt injection classifier | API + SDKs | Free tier | Modest yearly subscription | 4.7 / 5 |
| NeMo Guardrails | NVIDIA’s programmable guardrails DSL | Windows, macOS, Linux | Fully free, open source | Free | NVIDIA-backed |
| PyRIT | Microsoft’s Python risk identification tool | Windows, macOS, Linux | Fully free, open source | Free | Microsoft-backed |
| LLM Guard | Open source input and output scanner | Windows, macOS, Linux | Fully free, open source | Enterprise support | Protect AI project |
OpenAI’s Moderation endpoint is included in the how-to-pick as a reference for teams already on the OpenAI stack.
The apps
1. Promptfoo
Promptfoo is the pick for a code-first team that wants to red-team prompts as part of CI. The CLI runs a prompt through hundreds of adversarial payloads, scores the outputs against assertions we write, and reports which category of attack (jailbreak, injection, PII leak, data exfiltration) landed. The 2026 releases added an OWASP LLM Top 10 preset that turns “run every known-bad payload once a night” into a one-command job.
Where it falls short: it is a testing tool. Promptfoo does not sit in the request path at runtime; it tells us in CI which prompts break. Pair with a runtime guardrail.
Pricing:
- Free: fully free, open source
- Paid: enterprise support tier
Platforms: Windows, macOS, Linux, Docker
Download: Promptfoo
Bottom line: the sensible starting point for a team that wants prompt red-teaming in CI.
2. Garak
Garak is NVIDIA’s LLM vulnerability scanner, and its scope is wider than Promptfoo’s. It runs a taxonomy of probes (goodside, dan, promptinject, encoding, malwaregen, xss) against a model and reports which probes succeeded. For anyone testing a self-hosted open-source model against a battery of known attacks, it is the reference tool in 2026.
Where it falls short: the scans take a while to run. Some probes are noisier than others and need tuning to fit our threat model.
Pricing:
- Free: fully free, open source
- Paid: no paid tier
Platforms: Windows, macOS, Linux
Download: Garak
Bottom line: the pick for hardening a self-hosted model against every known category of attack.
3. Rebuff
Rebuff is a multi-layer prompt injection detector: a heuristic filter, a vector-store lookup against known-bad payloads, an LLM-based classifier, and a canary-token detector that catches when a model has been told to leak a secret. Runtime performance is fast enough for interactive apps, and each layer is optional so we can tune for false-positive tolerance.
Where it falls short: the vector store needs seeding with our own known-bad payloads to be useful; the shipped set covers common injections but not domain-specific attacks. Some layers depend on an LLM call, which adds latency.
Pricing:
- Free: fully free, open source
- Paid: no paid tier
Platforms: Python, TypeScript, runs anywhere Node or Python does
Download: Rebuff
Bottom line: the pick for runtime prompt injection filtering with a mature multi-layer design.
4. Lakera Guard
Lakera Guard is the managed guardrail from a Swiss team that has been on prompt injection defense since 2022. The API sits in front of the model call, classifies user input and model output for injections, PII leaks, and policy violations, and returns a verdict in tens of milliseconds. The Playground on their site lets us test payloads against the current classifier interactively.
Where it falls short: it is a hosted API. Regulated teams need to check the data-residency SKU. Pricing is per request rather than per seat.
Pricing:
- Free: free tier for small workloads
- Paid: modest yearly subscription for production traffic
Platforms: API + SDKs for Python, JavaScript, and Ruby
Download: Lakera Guard
Bottom line: the pick for a production API guardrail without maintaining our own classifier.
5. NeMo Guardrails
NeMo Guardrails is NVIDIA’s programmable guardrails DSL, and it is the most flexible open-source runtime enforcement library on the list. Rules are defined in a Colang script that says which topics are allowed, which tools are allowed, and what the fallback response is when a check fails. Because the DSL is programmable, NeMo can express policies that a classifier cannot — “the assistant may only call the SQL tool when the user is authenticated” — cleanly.
Where it falls short: Colang is a new DSL and the learning curve is real. Very simple guardrails are easier to write with Rebuff or Lakera.
Pricing:
- Free: fully free, open source
- Paid: NVIDIA AI Enterprise adds paid support
Platforms: Python, runs anywhere Python does
Download: NeMo Guardrails
Bottom line: the pick for teams that need policy expression beyond what a classifier can offer.
6. PyRIT
PyRIT is Microsoft’s Python Risk Identification Tool for LLMs, and it is the closest thing to a full offensive security toolkit for AI systems. It runs adversarial prompts, tracks conversations across multiple turns, and evaluates model output against custom scorers. The framework’s target audience is red teams and blue teams inside larger organisations; the abstractions reflect that.
Where it falls short: the framework is heavier than a simple pen-test script. Small teams may find Promptfoo or Garak easier to reach for.
Pricing:
- Free: fully free, open source
- Paid: no paid tier
Platforms: Windows, macOS, Linux
Download: PyRIT
Bottom line: the pick for a red team running structured multi-turn attacks against LLM-backed systems.
7. LLM Guard
LLM Guard from Protect AI is an open-source input and output scanner focused on data-loss prevention alongside prompt injection defense. It ships scanners for PII, secrets, prompt injection, bias, and toxicity, and runs them at request time on both the user’s input and the model’s output. For teams whose main worry is “the model just quoted an API key back to the user,” LLM Guard is the specialist.
Where it falls short: the input-output scanner model adds latency on every request. Tuning which scanners run in which order matters for performance.
Pricing:
- Free: fully free, open source
- Paid: enterprise support tier
Platforms: Python, runs anywhere Python does
Download: LLM Guard
Bottom line: the pick when PII and secret leakage is as much a worry as injection itself.
How to pick the right prompt injection defense app
- If we want CI-time red-teaming of our prompts: Promptfoo.
- If we are hardening a self-hosted open-source model: Garak.
- If we want runtime filtering with a multi-layer design: Rebuff.
- If we want a hosted API guardrail: Lakera Guard.
- If our policy is more complex than a classifier can express: NeMo Guardrails.
- If we run a structured red team: PyRIT.
- If PII and secrets leakage is the primary risk: LLM Guard.
- If we are already on the OpenAI stack: OpenAI’s Moderation endpoint is the baseline; layer at least one of the above on top for injection-specific coverage.
The strongest 2026 stack for a small team is Promptfoo in CI plus Rebuff or Lakera Guard at runtime plus a scheduled Garak scan against the production model. That combination catches known-bad payloads before deploy, filters unknown ones at request time, and re-scans the deployed model on a schedule.
FAQ
What is prompt injection? Prompt injection is the class of attack where an untrusted input (a user message, a document, a scraped page) contains instructions that redirect the model against its intended purpose. Direct injection is when the user types the attack. Indirect injection is when the model reads an attack from a document or a web page it was told to summarise. Both are on the OWASP LLM Top 10.
Can prompt injection be fully prevented? No. Prompt injection is a language-model-native problem and there is no known perfect defense. Layered defenses (test-time red teaming, runtime classifiers, tool-call policies, canary tokens, output moderation) reduce the risk to a level acceptable for a specific deployment. Anyone claiming to prevent all prompt injection with one tool is oversimplifying.
What is the best open-source prompt injection defense? For runtime filtering, Rebuff and LLM Guard are the most complete open-source picks. For programmable policy, NeMo Guardrails. For testing, Promptfoo and Garak.
Does OpenAI’s Moderation endpoint catch prompt injection? Partially. The Moderation endpoint is designed for content categories (harassment, self-harm, violence) more than for injection specifically. A dedicated prompt injection classifier (Rebuff, Lakera Guard, LLM Guard) catches attacks Moderation misses.
How do I add prompt injection defense to a LangGraph or CrewAI agent? Wrap tool calls in a guardrail step that runs LLM Guard or Rebuff on the model’s proposed action, and pause via LangGraph’s interrupt or CrewAI’s approval gate when the guardrail flags the call. Promptfoo can run the same guardrail chain in CI against a battery of adversarial payloads.
Are these tools free to use commercially? Promptfoo, Garak, Rebuff, NeMo Guardrails, PyRIT, and LLM Guard are open source with permissive licenses that allow commercial use. Lakera Guard is a paid managed service with a free tier for small workloads.