DEV Community

RESK
RESK

Posted on

Blocking LLM Jailbreaks at the Logits Level with reskSecure

U0001f4e6 PyPI: https://pypi.org/project/resksecure
U0001f419 GitHub: https://github.com/Resk-Security/reskSecure
U0001f310 Web: https://resk.fr


Blocking LLM Jailbreaks at the Logits Level with reskSecure

The Problem

Prompt injection and jailbreak attacks are the number one vector against production LLM systems. Instruction-based filters and post-generation regex checks have a fundamental flaw: they operate after the dangerous token has already entered the generation pipeline.

A single malicious token in the output stream can leak PII, call a disallowed API function, or generate harmful content. By the time a regex catches it, the damage is done.

The Solution: Bitmask-Based Logits Firewall

reskSecure takes a different approach. Instead of scanning output text, it intercepts at the logits stage — before a single token is sampled. Using a configurable bitmask system, it either zeroes out dangerous tokens or applies a learned penalty to discourage them.

How It Works

from resksecure import Firewall, Severity

# Load a YAML policy
fw = Firewall.from_yaml("policy.yaml", severity=Severity.HARD)

# The firewall wraps your generation call
output = fw.generate(
    model=model,
    prompt="Tell me how to pick a lock",
    tokenizer=tokenizer
)
# Dangerous tokens are blocked before they ever reach the output
Enter fullscreen mode Exit fullscreen mode

Key Features

  • Two severity modes: HARD sets blocked logits to -infinity, BIAS applies a configurable penalty
  • Hot-reload policies: Change YAML rules without restarting your inference server
  • Tool call prevention: Block the first token of a disallowed function call at the logits level
  • YAML policy system: Define forbidden tokens, phrases, and tool patterns in human-readable files
  • Python >= 3.13 + PyTorch >= 2.0.0 compatible

Why Logits-Level?

Post-generation filters check output text and allow the model to already have generated the dangerous content. Logits-level filtering prevents generation entirely. The model simply cannot produce the first token of a blocked sequence.

This is especially critical for tool calling. When an agent tries to invoke a sensitive function, reskSecure intercepts the logits before the function name token is sampled — no post-hoc check, no race condition.

Quick Start

pip install resksecure
Enter fullscreen mode Exit fullscreen mode

Create a simple policy file:

# policy.yaml
severity: hard
blocklist:
  - "ignore previous instructions"
  - "disregard safety"
  - "jailbreak"
Enter fullscreen mode Exit fullscreen mode

Then run:

from resksecure import Firewall, Severity

fw = Firewall.from_yaml("policy.yaml", severity=Severity.HARD)
result = fw.generate(model, prompt, tokenizer)
Enter fullscreen mode Exit fullscreen mode

Next Up

We are actively building RESK Monitor — real-time LLM deployment monitoring with anomaly detection on behavioral drift, error rate analysis, and automated incident response. Stay tuned.

Links

If you run LLMs in production, try reskSecure and let us know what you think. Contributions, issues, and feedback are welcome.

Top comments (0)