Methodology

How detectors are scored, and why. Everything is recomputable from committed per-prompt scores.

What's being measured

A prompt-injection detector outputs a risk score in [0, 1] per input; you pick a threshold above which you block. Two questions decide whether it's deployable, and they trade off:

  1. Detection — does it catch attacks it hasn't seen?
  2. False positives — how often does it flag ordinary, benign traffic?

A number on either axis alone is close to meaningless. A 0.95-AUC detector that trips on a quarter of real users is an outage; a detector with a low false-alarm rate that misses attacks is theatre. We report both.

Three families of metric

MetricThreshold-dependent?What it tells you
ROC-AUC No How well the detector ranks attacks above benign across all thresholds. Can't be gamed by threshold choice.
F1 / FPR at 0.5 Yes Out-of-the-box behaviour if you don't tune. Realistic (most deployments never tune) but unfair to models whose scores cluster near 0.5.
FPR at fixed catch rate; EER; operating curves No (normalized) Tune each detector to the same catch rate (e.g. 95% of attacks), then compare false-alarm cost. Removes the "where's the line" objection.

The leaderboard's headline table shows avg AUC, avg F1@0.5, and FPR@0.5 on real traffic for direct and indirect axes separately. Operating-point data (FPR@95%/99% catch, EER) is in operating_points.json.

Datasets

All evaluation sets are held out — they are not training data for the detectors. Three groups:

Some datasets are gated (LMSYS, HackAPrompt) — the harness skips them cleanly if you don't have access.

Scoring protocol — the same for everyone

ROC curves on the leaderboard page

The ROC chart on /leaderboard/ plots TPR vs FPR from det_points.json. Those curves are computed by pooling all four direct-attack datasets by sample count before deriving TPR/FPR at each threshold — so rogue (n=5,000) dominates JailbreakBench (n=200).

The table's Direct avg AUC and Direct avg F1@0.5 columns use unweighted per-dataset averages instead. Both views are valid; they answer slightly different questions. Read per-dataset columns in the raw JSON if you need to reconcile them.

Reproducibility

What this benchmark does not claim

Detectors catch the patterns they were trained on. No detector here addresses domain-specific abuse, multi-step/contextual attacks (a single-prompt classifier has no conversation state), or tool misuse. A detector is one layer of defense-in-depth, not the whole wall. See FINDINGS.md.

Run it yourself

git clone https://github.com/bastion-soft/pi-detector-bench.git
cd pi-detector-bench
pip install -e .

python -m scripts.run_leaderboard          --dump-scores results/scores
python -m scripts.measure_false_positives  --dump-scores results/scores
python -m scripts.eval_indirect            --dump-scores results/scores_indirect
python -m scripts.rebuild_results_from_scores
python -m scripts.analyze_operating_points

Full source methodology: METHODOLOGY.md in the harness repo. Propose changes via Submit a detector or a methodology proposal.