Saved in:
Bibliographic Details
Main Authors: Le, Hieu Xuan, Goh, Benjamin, Tang, Quy Anh
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2603.25176
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915892414119936
author Le, Hieu Xuan
Goh, Benjamin
Tang, Quy Anh
author_facet Le, Hieu Xuan
Goh, Benjamin
Tang, Quy Anh
contents Prompt attacks, including jailbreaks and prompt injections, pose a critical security risk to Large Language Model (LLM) systems. In production, guardrails must mitigate these attacks under strict low-latency constraints, resulting in a deployment gap in which lightweight classifiers and rule-based systems struggle to generalize under distribution shift, while high-capacity LLM-based judges remain too slow or costly for live enforcement. In this work, we examine whether lightweight, general-purpose LLMs can reliably serve as security judges under real-world production constraints. Through careful prompt and output design, lightweight LLMs are guided through a structured reasoning process involving explicit intent decomposition, safety-signal verification, harm assessment, and self-reflection. We evaluate our method on a curated dataset combining benign queries from real-world chatbots with adversarial prompts generated via automated red teaming (ART), covering diverse and evolving patterns. Our results show that general-purpose LLMs, such as gemini-2.0-flash-lite-001, can serve as effective low-latency judges for live guardrails. This configuration is currently deployed in production as a centralized guardrail service for public service chatbots in Singapore. We additionally evaluate a Mixture-of-Models (MoM) setting to assess whether aggregating multiple LLM judges improves prompt-attack detection performance relative to single-model judges, with only modest gains observed.
format Preprint
id arxiv_https___arxiv_org_abs_2603_25176
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Prompt Attack Detection with LLM-as-a-Judge and Mixture-of-Models
Le, Hieu Xuan
Goh, Benjamin
Tang, Quy Anh
Computation and Language
Prompt attacks, including jailbreaks and prompt injections, pose a critical security risk to Large Language Model (LLM) systems. In production, guardrails must mitigate these attacks under strict low-latency constraints, resulting in a deployment gap in which lightweight classifiers and rule-based systems struggle to generalize under distribution shift, while high-capacity LLM-based judges remain too slow or costly for live enforcement. In this work, we examine whether lightweight, general-purpose LLMs can reliably serve as security judges under real-world production constraints. Through careful prompt and output design, lightweight LLMs are guided through a structured reasoning process involving explicit intent decomposition, safety-signal verification, harm assessment, and self-reflection. We evaluate our method on a curated dataset combining benign queries from real-world chatbots with adversarial prompts generated via automated red teaming (ART), covering diverse and evolving patterns. Our results show that general-purpose LLMs, such as gemini-2.0-flash-lite-001, can serve as effective low-latency judges for live guardrails. This configuration is currently deployed in production as a centralized guardrail service for public service chatbots in Singapore. We additionally evaluate a Mixture-of-Models (MoM) setting to assess whether aggregating multiple LLM judges improves prompt-attack detection performance relative to single-model judges, with only modest gains observed.
title Prompt Attack Detection with LLM-as-a-Judge and Mixture-of-Models
topic Computation and Language
url https://arxiv.org/abs/2603.25176