Echelon Prompt Injection Defense Shield

• 

  Echelon in action: Real-time detection blocks a credential-theft attempt, protecting LLMs from malicious intent and data leaks.

Inspiration

The inspiration for Echelon stems from my role as Research Lead for 'The Cyber Alliance' (TCA) and my experiences in campus Capture The Flag (CTF) events. While traditional network security is well-guarded, I noticed a massive gap in the "Human-to-AI" interface. Most existing prompt injection defenses are either static regex filters that are easily bypassed by encoding, or bulky LLM checks that introduce unacceptable latency.

As LLMs transition from chatbots to autonomous agents, the risk of a "jailbroken" agent performing unauthorized actions is a critical threat. I wanted to build a shield that was as intelligent as the models it protects, specifically leveraging the tiered reasoning of Gemini 3 to provide an enterprise-grade security layer.

What it does

Echelon acts as an intelligent security middleware—a Defense Shield Gateway. It sits between the user and the LLM application to perform a multi-stage security handshake:

1. Sanitization: Automatically decodes Base64, hex, and Unicode-normalized obfuscation attempts.
2. Tiered Triage: Uses Gemini 3 Flash (minimal thinking level) to perform a millisecond-fast "vibe check" on the risk level.
3. Deep Reasoning: If a high-risk intent is flagged, Gemini 3 Pro (high thinking level) analyzes the prompt's underlying logic to detect complex, multi-turn injection strategies.
4. Containment & PII Masking: Ensures no Personally Identifiable Information (PII) is leaked and reformulates prompts to neutralize system instruction overrides.

How we built it

The project is built using Python and the Google GenAI SDK, utilizing a vertical flow architecture.

• Dual-Tier Logic: We implemented a system where the "Guardrail" dynamically chooses between Gemini 3 Flash for speed and Pro for depth.
• Mathematical Risk Assessment: We developed a scoring algorithm to determine if a prompt should be blocked or sanitized: $$S_{total} = \sum_{i=1}^{n} (w_i \cdot c_i) + \lambda \cdot R_{intent}$$ Where $c_i$ represents heuristic matches, $w_i$ is the weight of the specific vulnerability, $R_{intent}$ is the reasoning score from Gemini 3, and $\lambda$ is our sensitivity coefficient.
• Structured Outputs: We utilized Gemini 3's JSON schema enforcement to ensure the "Containment Filter" always returns data in a predictable, safe format.

Challenges we ran into

The primary challenge was the Latency-Security Paradox: the more thorough the security check, the slower the AI's response time. We solved this by creating the "Flash Triage" layer, ensuring that 90% of safe prompts pass through with negligible delay.

Another hurdle was "Adversarial Roleplay." Attackers often hide malicious intent within elaborate fictional scenarios. Refining the system instructions for our Guardrail layer to distinguish between creative writing and a "jailbreak attempt" required extensive testing against various attack vectors discovered during our recent SVNIT hackathon sessions.

Accomplishments that we're proud of

• Obfuscation Immunity: We successfully achieved zero-bypass results against Base64 and Unicode-based bypass techniques.
• Intent-Based Detection: Echelon can distinguish between a user asking "How do I perform a CSRF attack?" (Blocked) and a student asking "Explain the mechanics of CSRF for my security exam" (Allowed).
• Unified Backend: Consolidating the entire security stack into a single Gemini 3 ecosystem, replacing our previous multi-provider (Groq/Gemini) setup with a more efficient, tiered intelligence approach.

What we learned

This project deepened my understanding of Defensive Prompting and the nuances of LLM Latency Optimization. I learned that security in the age of Generative AI isn't just about blocking words; it's about understanding intent. Balancing the different "thinking levels" of Gemini 3 taught me how to architect systems that are both highly intelligent and highly performant.

What's next for Echelon Prompt Injection Defense Shield

• Agentic Monitoring: Moving beyond input filtering to monitor AI outputs, preventing "Indirect Prompt Injection" where the model is compromised by third-party data it retrieves.
• Self-Evolving Guardrails: Implementing a feedback loop where blocked attacks are used to autonomously update the heuristic scoring weights.
• Echelon SDK: Packaging the middleware as a lightweight Python library to help other developers secure their LLM applications with a single line of code.

Built With

• ai-safety
• ai-security
• api
• artificial-intelligence
• cybersecurity
• defense
• developer-tools
• fastapi
• gateway
• gemini-3
• github
• google-ai-studio
• google-cloud
• google-gemini
• guardrails
• intent-detection
• json
• latex
• llm
• machine-learning
• markdown
• microservices
• middleware
• natural-language-processing
• pii-masking
• prompt-injection
• pydantic
• python
• reasoning
• rest-api
• sdk
• security
• structured-data
• vertex-ai