PicoWatch — LLM defender with telemetry: prompt injection detection, output validation, and observability
Project description
PicoWatch
LLM prompt injection detection, output validation, and telemetry. Pre-1.0 beta — works, but not production-hardened yet.
PicoWatch is the 3rd product in the Pico Security Series. It runs standalone or integrates into PicoShogun's firewall layer.
What It Does
| Layer | Defense | Description |
|---|---|---|
| L5 | Prompt Guard | Detects jailbreaks, indirect injections, role manipulation, and instruction overrides |
| L6 | Output Guard | Validates LLM outputs against schemas, content policies, and PII/exfiltration rules |
| L7 | Telemetry | OpenTelemetry traces, Prometheus metrics, audit logging — full observability for every request |
Threat Model — Honest Limits
PicoWatch is a fast deterministic pre-filter and telemetry layer — not a complete solution for LLM prompt injection defense.
What it does well:
- Catch common injection patterns (direct overrides, role manipulation, instruction smuggling) with deterministic regex-weighted scoring
- Provide observable, repeatable scoring for every request
- Block the ~80% of lazy/automated attacks cheaply and fast
- Detect encoding-based obfuscation (base64, ROT13, URL-encoding) via decode-then-rescan
What it does NOT guarantee:
- Adaptive attackers can bypass pattern-based detection through paraphrase, translation, novel framings, or spaced-out text
- A
score=0.94, blocked=Trueresult means a strong rule match, not a mathematical proof of injection - Encoding detection flags the presence of encoded payloads; novel encoding schemes may evade detection
Recommended deployment: Use PicoWatch as a first-pass filter in a defense-in-depth stack. Pair it with LLM-based classifiers and output guards for layers that handle what pattern matching cannot.
Pico Security Series
| Product | Layer | Focus |
|---|---|---|
| PicoSentry | L2 | Static supply-chain scanning |
| PicoDome | L3/L4 | Runtime sandbox + behavioral analysis |
| PicoWatch | L5/L6/L7 | LLM prompt/output defense + telemetry |
| PicoShogun | Command centre | Firewall + dashboard for the Pico series |
Quick Start
pip install picowatch
# Scan a prompt for injection
picowatch scan-prompt --text "ignore previous instructions and..."
# Validate an LLM output against a schema
picowatch validate-output --schema my_schema.json --output response.json
# Start HTTP daemon (with API key auth)
PICOWATCH_API_KEY=secret picowatch serve --port 8766
# Run as Python library
from picowatch import PromptGuard, OutputGuard, TelemetrySink
guard = PromptGuard()
result = guard.check("ignore all previous instructions")
print(result) # PromptScanResult(blocked=True, score=0.94, rules=['inj_override_ignore'])
HTTP API
# Start server
picowatch serve --port 8766
# Scan a prompt (requires API key if PICOWATCH_API_KEY is set)
curl -X POST http://localhost:8766/v1/scan/prompt \
-H "Content-Type: application/json" \
-H "X-API-Key: your-secret-key" \
-d '{"text": "ignore all instructions"}'
# Validate output
curl -X POST http://localhost:8766/v1/scan/output \
-H "Content-Type: application/json" \
-d '{"output": "Contact John at john@example.com", "schema": {"type": "object"}}'
# Health check (no auth required)
curl http://localhost:8766/v1/health
# Prometheus metrics (no auth required)
curl http://localhost:8766/metrics
API Endpoints
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /v1/scan/prompt |
API key | Scan prompt for injection patterns |
| POST | /v1/scan/output |
API key | Validate LLM output against schema/policy |
| GET | /v1/health |
None | Health check |
| GET | /metrics |
None | Prometheus metrics |
| GET | /v1/rules |
None | List active defense rules |
| GET | /v1/rules/:id |
None | Get rule detail |
Docker
# Build and run with Prometheus + OTel collector
docker-compose up -d
# With API key
PICOWATCH_API_KEY=your-secret-key docker-compose up -d
Architecture Decisions
See docs/adr/ for the full decision log.
- ADR-001 — Defense layer model (L5/L6/L7)
- ADR-002 — OpenTelemetry + Prometheus observability
- ADR-003 — Deterministic injection detection rules
- ADR-004 — Schema + policy output validation
- ADR-005 — Standalone-first with PicoShogun integration
- ADR-006 — Deterministic rule evaluation
- ADR-007 — Transport and deployment model
- ADR-008 — Supply-chain hardening
Development
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev,server]"
python -m pytest
ruff check .
mypy src
License
BUSL-1.1. See LICENSE.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file picowatch-0.7.0.tar.gz.
File metadata
- Download URL: picowatch-0.7.0.tar.gz
- Upload date:
- Size: 82.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
72b0bd98882debc76f0d96557a2e671e92a92e93e406ab603a35f8c0b4bc7b8f
|
|
| MD5 |
f958c7504771d94312ea479373e682a2
|
|
| BLAKE2b-256 |
44fd40863fecf84d43297fcbd438c910c0912c014e8c09cab3348c00ade90659
|
File details
Details for the file picowatch-0.7.0-py3-none-any.whl.
File metadata
- Download URL: picowatch-0.7.0-py3-none-any.whl
- Upload date:
- Size: 53.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1a54ed8079ce7b07907f17f3e6e0759791d56581778f1995b9cb11bc5d501911
|
|
| MD5 |
9261c52e5b176b4946af20f03a3941e2
|
|
| BLAKE2b-256 |
8bd9623dfb3e932c48e82bd7adb77db2bfb1ed696bfcd3d24f3f133f8e7c8e0f
|
