Prompt-Siren: Meta's Open-Source LLM Prompt Injection Offense and Defense Research Platform

Meta's Prompt-Siren is a research workbench specifically designed for developing and testing prompt injection attack and defense strategies for large language models (LLMs). It supports the AgentDojo and SWE-bench benchmarks, and provides fine-grained state machine control and an extensible plugin architecture.

As large language models are increasingly integrated into various applications, prompt injection attacks have become one of the most pressing threats in the field of AI security. Attackers can hijack model behavior, steal sensitive information, or perform unauthorized operations through carefully crafted inputs. However, there has been a lack of standardized tool support for systematically researching and defending against such attacks.

Meta's Prompt-Siren is a professional research workbench designed specifically to address this issue. It provides a complete experimental environment that allows researchers to safely and reproducibly develop and test attack and defense strategies for LLMs.

The design of Prompt-Siren embodies several key concepts:

Unlike simple script-based attack testing, Prompt-Siren uses a state machine design to provide fine-grained control over agent execution. This means researchers can precisely define each stage of an attack, observe intermediate states, and intervene at key points. This design is particularly suitable for complex attack scenarios, such as progressive injection in multi-turn dialogues.

The platform natively supports two important security benchmarks:

• AgentDojo: Focuses on security evaluation in agent workflows
• SWE-bench: Security testing based on real-world code editing tasks

This multi-benchmark support allows researchers to validate the effectiveness of attacks and defenses across different scenarios.

Prompt-Siren uses Hydra for experiment orchestration, supporting powerful parameter scanning capabilities. Researchers can easily conduct large-scale experiments and compare performance under different configurations.

The platform uses an extensible plugin system that supports customization of:

• Agents: Define the behavior of the AI system under test
• Attacks: Implement specific prompt injection techniques
• Environments: Simulate different application contexts

This modular design allows the community to contribute new attack vectors and defense mechanisms, continuously enriching the research ecosystem.

Considering the cost of LLM API calls, Prompt-Siren has built-in usage restriction mechanisms:

• Cost cap control
• Call count limits
• Automatic caching and result organization

These features ensure that research can be conducted within a controllable budget.