Prompt Injection Detection Models
B2's Layer 4 uses a secondary model to check 'does this content contain overriding instructions?' before inserting it into the agent's context. This deep-dive expands Layer 4 into the full detection-model analysis: the two families (dedicated classifiers like DeBERTa/RoBERTa fine-tunes, Llama Prompt Guard, ProtectAI; and the secondary-LLM-as-detector approach), their accuracy in practice (benchmark 95-99%+ vs deployment 84-90% vs adversarial out-of-distribution lower still), how attackers evade them (the cat-and-mouse dynamic, the dual-injection problem where a payload must evade the detector AND compromise the primary, the correlated-bypass weakness when detector and primary share a model class), and how to compose them into a defense-in-depth stack where they are a layer, not a silver bullet. The detector is itself a model, and models are injectable. External placement stops DISABLE but not EVADE. Covers the five-step measurement methodology (in-dist + OOD corpus, per-detector bypass, false-positive tax, end-to-end, correlated-bypass test) and the state of the art: detection is necessary but not sufficient; deterministic layers bound the worst case.
The detection model is itself a model, and models are injectable. External placement protects the detector from being DISABLED by a compromised agent (the Course 1 Module 0.2 principle); it does NOT protect it from being EVADED by an input crafted against its decision boundary. The detector runs; it classifies the adversarial payload as benign. This is SDD-B08's load-bearing vulnerability restated at the detector layer.
Benchmark accuracy is 95-99%+; real-world, false-positive-constrained accuracy is 84-90%; adversarial, out-of-distribution accuracy is lower still and decays over time. The gap is an adversarial property with three causes: distribution shift, the false-positive tax, and adversarial adaptation. The number you operate on is the out-of-distribution, FP-constrained, adversarially-adapted rate — and no vendor reports it.
The dual-injection problem: an indirect payload must simultaneously evade the detector AND compromise the primary model. The dual constraint helps against naive attackers but is a targeting signal for adaptive ones — the detector's fixed decision boundary is probeable, and a payload engineered into its false-negative region while still carrying the injection is the attacker's goal. The correlated case (detector and primary share a model class) makes this easier than the independence assumption predicts.
The detector is the highest-value single layer for indirect-injection defense, but it is a layer, not a boundary. The only layers without an evasion surface are the deterministic ones (IronCurtain, the harness scope gate). The end-to-end bypass rate is the product of the model-layer residuals, floored by the harness gate. Detection is necessary; it is not sufficient. The boundary is deterministic; the detector bounds the volume of adversarial traffic the boundary and the primary model must handle.