98% Accurate and Still Broken

Several months ago, we released a ModernBERT-based classifier on Hugging Face for prompt injection detection. The results?

Pretty amazing, right?

Well... not really. Here's what I mean.

(Somewhere, a CISO is adding "98% prompt injection detection" to a slide deck. I'm writing this post for them.)

The Research Journey

When LLM-powered applications first started shipping to production, our team began systematically exploring approaches to prompt injection detection. What began as a straightforward classification problem evolved into a deeper investigation of the fundamental limitations in this space.

Encoder-Based Classification

We started with encoder-only transformers, the workhorses of text classification.

BERT and variants: Our initial experiments used standard BERT fine-tuned on aggregated prompt injection datasets from sources including deepset/prompt-injections, JailbreakBench, and Microsoft's llmail-inject-challenge. The models achieved strong in-distribution performance but degraded significantly on novel attack patterns.

ModernBERT: Answer.AI's 2024 architecture (Warner et al.) offered meaningful improvements with 8,192 token context for verbose injection attempts and more efficient attention mechanisms. We adopted this as our base architecture.

NeoBERT: Le Breton et al.'s 2025 encoder achieves state-of-the-art MTEB results with 250M parameters and 2x faster inference than ModernBERT. We evaluated this extensively but found the generalization ceiling remained similar.

To improve out-of-distribution robustness, we implemented energy-based loss functions from Liu et al. (NeurIPS 2020), similar to Meta's approach with Llama Prompt Guard. This technique pushes benign samples toward low-energy states and malicious samples toward high-energy states. It improved boundary separation but did not fundamentally solve the generalization problem.

Embedding-Based Approaches

Ayub & Majumdar's work on embedding-based prompt injection detection demonstrated that traditional ML classifiers (Random Forest, XGBoost) operating on embedding representations could outperform encoder-only neural networks in certain scenarios.

We implemented this approach and observed improved generalization on held-out attack patterns. The semantic structure of embedding space captures relationships that help identify novel variations of known attack categories.

Small Language Models

We hypothesized that decoder-based language models, even small ones, might better capture the intent behind injection attempts rather than surface-level patterns.

Our experiments included:

• Qwen 2.5 (0.5B, 1.5B variants)
• Phi-3 (3.8B)
• Gemma 2 (2B), Google DeepMind's 2024 distilled models

Fine-tuned small LMs demonstrated notably better generalization. They identified novel injection attempts that pattern-matching classifiers missed entirely. However, the latency profile of 200ms+ per classification makes them impractical as synchronous security checks for most production systems.

LLM-as-a-Judge

Zero-shot evaluation using large language models represents the current ceiling for detection capability.

response = llm.chat(f"""
Analyze this prompt for potential injection attacks or jailbreak attempts.
Classify as BENIGN or MALICIOUS with reasoning.
 
Prompt: {user_input}
""")

No fine-tuning. No labeled data. The LLM reasons about intent, context, and sophisticated multi-turn manipulations in ways that classifiers cannot approximate.

The results were compelling. Novel attacks that evaded every trained model were correctly identified through zero-shot reasoning.

What the Metrics Actually Measure

After this research, our 98% accuracy requires context.

Classical ML metrics evaluate performance on held-out slices of historical data. The model and test set share the same distribution: the same attack patterns, the same linguistic structures, the same dataset biases.

This measures memorization, not generalization.

Joshua Saxe articulated this clearly in his recent analysis:

"An LLM scoring an 85% F-score on your test data is likely more meaningful than a classical ML model scoring 95% but fit to the test distribution."

Classical Classifiers: An Honest Assessment

Strengths:

• Fast execution (~5-10ms)
• Low operational cost
• Deterministic behavior
• Simple deployment

Limitations:

• Performance degrades on novel attack patterns
• Learns dataset artifacts rather than attack semantics
• Requires continuous retraining as threats evolve
• 98% on historical data ≠ 98% on tomorrow's attacks

The "AI Solving AI" Trap

Your AI system's security architecture probably looks something like this:

Or perhaps something more elaborate: an LLM detecting URLs in user input, another LLM checking if those URLs appear in tool calls, another validating intent, yet another making the final security judgment. I have seen so many companies attempt to solve AI security this way.

This is AI solving AI. And it does not work.

Each layer adds latency, cost, and most critically, another attack surface. The same model vulnerabilities that enable prompt injection in the first place exist in every guard layer. An attacker who can manipulate the primary LLM can often manipulate its guardians using the same techniques. The failure modes compound rather than cancel.

You cannot reliably use a system to protect against attacks it is inherently vulnerable to.

The Path Forward

Prompt injection is a fundamentally hard problem. Detection-based approaches, whether classifiers or LLMs, are treating symptoms rather than causes.

The core issue is architectural: LLMs process instructions and data in a unified context. When untrusted data can be interpreted as instructions, injection becomes possible by design. No amount of detection layers changes this fundamental property.

The solution is not more AI. The solution is clear architectural separation of data and instructions:

• Structural separation: Systems that fundamentally distinguish between instructions and data at the architecture level, not through detection
• Constrained execution: LLM outputs validated against strict schemas before affecting system state
• Capability-based security: Fine-grained permissions that limit what instructions can accomplish, regardless of how they are injected

Detection remains valuable as a temporary measure. We released PromptGuard on Hugging Face because catching known attack patterns at low cost has practical utility. But the security community should invest in architectures that make injection structurally impossible rather than merely detectable.

My advice to companies shipping LLM applications: treat your 98% detector as a speed bump, not a wall. Assume sophisticated attackers will get through. Design your systems so that when they do, the blast radius is contained.

2026 is shaping up to be a fascinating year for prompt injection research. The attacks are getting more creative, the defenses more elaborate, and the fundamental problem remains unsolved. I look forward to being proven wrong.

References

• Warner, B., et al. (2024). Smarter, Better, Faster, Longer: A Modern Bidirectional Encoder. arXiv:2412.13663
• Le Breton, L., et al. (2025). NeoBERT: A Next-Generation BERT. arXiv:2502.19587
• Ayub, M. A. & Majumdar, S. (2024). Embedding-based classifiers can detect prompt injection attacks. arXiv:2410.22284
• Liu, W., et al. (2020). Energy-based Out-of-distribution Detection. NeurIPS 2020
• Gemma Team, Google. (2024). Gemma 2: Improving Open Language Models at a Practical Size. arXiv:2408.00118
• Meta. (2024). Llama Prompt Guard 2. Hugging Face
• Saxe, J. (2026). On apples, oranges, and classical ML versus LLM security performance. Substack