Prompt Injection Defense: 14 Firewall Hooks Before the LLM

Prompt injection is the SQL injection of AI agents. A user pastes an instruction into a support ticket. An email arrives with hidden markdown that reverses the agent's goals. A web page the agent is summarizing contains a line that tells it to leak the system prompt. The mechanism is trivial: LLMs cannot reliably distinguish instructions from data, so any text that reaches the model can become an instruction.

The defensive answer is not a smarter model. Newer models are measurably more resistant, but not immune — every generation gets jailbroken within days of release. The durable answer is to stop trusting the LLM as the enforcement point. Push the checks out of the model and into a layer that runs before the request even reaches the provider. That layer is an AI firewall, and for Dobby's Agentic Gateway, it is 13 PRE hooks running in a defined order on every request, with an additional POST-response hallucination check after the LLM replies.

Why In-Model Defense Is Not Enough

System prompts that say 'ignore any instruction in the user message' work until they don't. Models are trained to be helpful and to follow the most recent, most specific instruction. Adversarial prompts are engineered to look like the most specific instruction. Even chain-of-thought and constitutional approaches leak — the same research teams that publish the defense often publish the jailbreak a week later.

A firewall turns this from an AI research problem into a plumbing problem. Plumbing is boring, which is what you want in security. Rules, patterns, and rate limits are auditable. You can unit-test them. You can write a postmortem that makes sense. You cannot do any of that with 'we tuned the system prompt'.

The 14 Hooks, in Order

Every request to Dobby's gateway passes through 13 PRE hooks before the LLM provider ever receives it, plus a POST-response hallucination check that fires after the LLM replies. Each hook can pass, mutate, reject, or escalate. The order is deliberate — cheap checks first (auth, rate), expensive checks last (content scanning, profile merge).

• 1. Authentication — validate gk_user_*, gk_svc_*, or gk_tmp_* key, check SHA-256 hash against the database
• 2. Key validation — scopes, IP allowlist, expiry, kill-switch check
• 3. Org plan lookup — load plan tier (free, pro, team, enterprise) from cache or BigQuery
• 4. Rate limiting — per-key limits (100/500 RPM by tier) with in-memory fallback on Valkey outage
• 5. Budget check — per-agent, per-org daily/monthly budgets with 80/90/100% alerts
• 6. Model whitelist — block unapproved models at the gateway level, not the code
• 7. Prompt injection scan — pattern-based detection on the prompt itself (imperative phrases, role-swap attempts, system-prompt exfiltration markers)
• 8. Content Shield DLP — 26 patterns matching PII, credentials, and secrets; block or redact based on policy
• 9. Profile merge — apply tenant-level policy overrides on top of org policy (5-layer merge)
• 10. Provider routing — pick primary provider, fall back to secondary on 503 or timeout
• 11. Streaming handler — translate provider SSE to OpenAI-compatible SSE for consistent clients
• 12. Cost capture — count tokens, compute dollars, record latency
• 13. Audit log — write the full request record to BigQuery (365-day retention)
• 14. Anomaly detection — flag cost spikes, unusual model switches, and rate-limit hits for Slack alerts

Security that runs after the model has already answered is not security — it is an apology.

Hook 7 — What Pattern-Based Injection Detection Actually Catches

The prompt injection hook is not a magic classifier. It is a library of patterns derived from real attacks in the wild. Role-swap markers like 'you are now', 'ignore previous instructions', 'new system:', 'assistant:'. Exfiltration markers asking the model to repeat its system prompt, its tools, or its configuration. Obfuscation markers — base64 blocks, reversed text, Unicode homoglyph variants of known trigger words. Each pattern has a confidence score, and the hook rejects requests whose aggregate score crosses a per-org threshold.

This catches the 90% of attacks that are scripted and reused. It does not catch a novel handcrafted attack. For that, you rely on the later hooks — profile merge (reducing blast radius by limiting what the agent can do), cost capture (a jailbroken agent that runs wild shows up as an anomaly), and audit log (post-incident forensics). No single hook is a silver bullet. The point is layering.

Hook 8 — Content Shield and the 26 Patterns

Content Shield is the DLP layer. It runs on both the inbound prompt and the outbound completion, scanning for 26 patterns: US and EU national ID formats, credit card numbers (Luhn-validated), API keys from the top 12 providers, private keys (PEM headers), AWS access key IDs, JWTs, and more. On match, the policy can block the request, redact the matched span, or pass it through with an alert. Per-org configuration controls which action applies to which pattern class.

// Content Shield policy — per-org JSON
{
  "version": 1,
  "actions": {
    "api_key_openai": "block",
    "api_key_anthropic": "block",
    "credit_card": "redact",
    "national_id_us": "redact",
    "jwt_token": "alert",
    "private_key_pem": "block"
  },
  "alert_channel": "slack",
  "redaction_marker": "[REDACTED:{type}]"
}

Crucially, the DLP scan runs on the original request body — not on a re-serialized copy after the profile merge mutated it. An earlier iteration of the gateway made that mistake and the scan missed payloads where profile merge had rewritten a field. The lesson: the request the scanner sees must be byte-for-byte the request the user sent.

What You Actually Deploy

Teams using Dobby do not write 13 PRE hooks plus the POST hallucination check. They get them by default. Pointing an OpenAI-compatible client at the gateway's base URL and a gk_user_* or gk_svc_* key is enough to put every request through the full chain. Policy — which patterns block vs redact, what the budget is, which models are whitelisted — lives in the admin UI or a versioned JSON document. The firewall runs as a Fastify service on port 4000 inside the prod cluster (two pods, enforce mode) and the code is in `services/firewall/`.

If you already have an AI deployment, you can front it with this firewall without changing your agent code. The provider response contract is preserved — streaming SSE, JSON, and all the OpenAI-compatible error codes. What changes is that the model no longer sees requests that a competent attacker would use to weaponize it.