LLM prompt injection detection, output validation, and telemetry.
PicoWatch is the 3rd product in the Pico Security Series. It runs standalone or integrates into PicoShogun's firewall layer. 258 tests, thread-safe rate limiting, audit HMAC, assert_secure() startup gate, default bind 127.0.0.1.
| Layer | Defense | Description |
|---|---|---|
| L5 | Prompt Guard | Detects jailbreaks, indirect injections, role manipulation, and instruction overrides |
| L6 | Output Guard | Validates LLM outputs against schemas, content policies, and PII/exfiltration rules |
| L7 | Telemetry | OpenTelemetry traces, Prometheus metrics, audit logging — full observability for every request |
PicoWatch is a fast deterministic pre-filter and telemetry layer — not a complete solution for LLM prompt injection defense.
What it does well:
- Catch common injection patterns (direct overrides, role manipulation, instruction smuggling) with deterministic regex-weighted scoring
- Provide observable, repeatable scoring for every request
- Block the ~80% of lazy/automated attacks cheaply and fast
- Detect encoding-based obfuscation (base64, ROT13, URL-encoding) via decode-then-rescan
What it does NOT guarantee:
- Adaptive attackers can bypass pattern-based detection through paraphrase, translation, novel framings, or spaced-out text
- A
score=0.94, blocked=Trueresult means a strong rule match, not a mathematical proof of injection - Encoding detection flags the presence of encoded payloads; novel encoding schemes may evade detection
Recommended deployment: Use PicoWatch as a first-pass filter in a defense-in-depth stack. Pair it with LLM-based classifiers and output guards for layers that handle what pattern matching cannot.
| Product | Layer | Focus |
|---|---|---|
| PicoSentry | L2 | Static supply-chain scanning |
| PicoDome | L3/L4 | Runtime sandbox + behavioral analysis |
| PicoWatch | L5/L6/L7 | LLM prompt/output defense + telemetry |
| PicoShogun | Command centre | Firewall + dashboard for the Pico series |
pip install picowatch
# Scan a prompt for injection
picowatch scan-prompt --text "ignore previous instructions and..."
# Validate an LLM output against a schema
picowatch validate-output --schema my_schema.json --output response.json
# Start HTTP daemon (with API key auth)
PICOWATCH_API_KEY=secret picowatch serve --port 8766
# Run as Python library
from picowatch import PromptGuard, OutputGuard, TelemetrySink
guard = PromptGuard()
result = guard.check("ignore all previous instructions")
print(result) # PromptScanResult(blocked=True, score=0.94, rules=['inj_override_ignore'])# Start server
picowatch serve --port 8766
# Scan a prompt (requires API key if PICOWATCH_API_KEY is set)
curl -X POST http://localhost:8766/v1/scan/prompt \
-H "Content-Type: application/json" \
-H "X-API-Key: your-secret-key" \
-d '{"text": "ignore all instructions"}'
# Validate output
curl -X POST http://localhost:8766/v1/scan/output \
-H "Content-Type: application/json" \
-d '{"output": "Contact John at john@example.com", "schema": {"type": "object"}}'
# Health check (no auth required)
curl http://localhost:8766/v1/health
# Prometheus metrics (no auth required)
curl http://localhost:8766/metrics| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /v1/scan/prompt |
API key | Scan prompt for injection patterns |
| POST | /v1/scan/output |
API key | Validate LLM output against schema/policy |
| GET | /v1/health |
None | Health check |
| GET | /metrics |
None | Prometheus metrics |
| GET | /v1/rules |
None | List active defense rules |
| GET | /v1/rules/:id |
None | Get rule detail |
# Build and run with Prometheus + OTel collector
docker-compose up -d
# With API key
PICOWATCH_API_KEY=your-secret-key docker-compose up -dSee docs/adr/ for the full decision log.
- ADR-001 — Defense layer model (L5/L6/L7)
- ADR-002 — OpenTelemetry + Prometheus observability
- ADR-003 — Deterministic injection detection rules
- ADR-004 — Schema + policy output validation
- ADR-005 — Standalone-first with PicoShogun integration
- ADR-006 — Deterministic rule evaluation
- ADR-007 — Transport and deployment model
- ADR-008 — Supply-chain hardening
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev,server]"
python -m pytest
ruff check .
mypy srcBusiness Source License 1.1 (BUSL-1.1) — source-available; production use allowed except for competitive offerings. After 3 years, converts to Apache-2.0. See LICENSE, LICENSE-SUMMARY.md, and COMMERCIAL-LICENSE.md.