As you continue to deploy LLM-powered applications into your enterprise, securing these systems against evolving threats becomes increasingly more complex and critical. Often, security teams are divided on how to best tackle this challenge, with two competing approaches emerging in the market:
While some vendors push single-model approaches like LLM-as-a-judge techniques, Haize Labs’ constitutional classifiers, and Meta’s LlamaGuard for comprehensive coverage, our experience with enterprise customers has revealed pretty big advantages to the specialized smaller, multiple model approach. Our models focus on specific problem areas like prompt injection, toxicity, or PII detection using BERT-based classifiers.
The foundation of any robust LLM system begins with how security models are trained. By using smaller, purpose built models, we can integrate high performing open source models with proprietary ones—creating a world class solution that addresses your specific needs. This modular approach enables our team to iterate quickly and focus deeply on one threat category at a time.
For instance, we can leverage well-established PII detection models that have been refined over years while simultaneously focusing our development resources on critical emerging threats like prompt injection and jailbreak detection.
Protect AI trains models separately for inputs and outputs, combining traditional ML with BERT-based models. Training smaller models has advantages such as:
While some vendors extend single-model approaches to cover multiple risks—e.g., Snowflake using LlamaGuard for both content moderation and prompt injection—Meta itself released PromptGuard to target jailbreaks and prompt injections separately, implicitly acknowledging limitations of single-model generalization.
Let’s dig a bit deeper and look at threshold calibration—the sensitivity setting that determines when the model flags something as a potential threat. With multiple specialized models, each model can have its own optimized threshold rather than trying to find one compromise threshold that works adequately (but not optimally) for all security concerns.
Essentially, with smaller models, your security system is less likely to completely fail because it's made up of separate components rather than one big piece.
Here’s how: Smaller models can be distributed across CPUs or GPUs, and error handling can ensure partial coverage even if one model fails. For example, we can prioritize prompt injection detection as an early check to fail fast when threats are identified—something much harder to orchestrate in monolithic model setups.
GPU inference for LLMs is costly and often optimized through proprietary methods not publicly available. BERT inference, however, has been widely adopted since 2018 and benefits from community-supported efficiency improvements like flash attention and long-context support. We support modern BERT models that handle 4k–8k tokens efficiently and run flexibly on shared or dedicated GPUs without requiring complex multi-device setups.
When comparing different approaches to AI security, many people assume larger language models are always better at handling diverse threats and unusual inputs. However, this advantage only becomes meaningful in extremely large models with over 70 billion parameters—models too resource-intensive for practical security applications.
In practice, we observed BERT outperforming compact LLMs like DeepSeek’s version of Qwen 1.5B in classification tasks—scoring 0.97 F1 compared to Qwen’s 0.81—while maintaining faster and cheaper inference. We chose Qwen 1.5B for comparison specifically because it's in the performance range feasible for low-latency, cost-effective deployment, making it more realistic for production inference scenarios.
Your security team needs tools they can depend on consistently, without unpredictable results undermining their confidence. Hallucinations—an inherent issue in generative LLMs—introduce unreliability in classification tasks. Unlike deterministic classifiers, LLMs may return inconsistent or illogical labels for the same inputs, leading to higher false positives and confusion in production use.
While maintaining this reliability, our approach doesn't sacrifice practical capabilities. Claims around LLMs handling longer context windows are valid, but we support modern BERT variants with context lengths up to 8k tokens—more than sufficient for security classification. Longer context also introduces significant memory overhead, raising both latency and compute costs. In most practical cases, chunking techniques are enough to retain performance while maintaining inference efficiency.
Don’t just take our word for the better performance of smaller models. Targeted small models significantly outperform general purpose ones in our tests. This is reinforced by adoption in the open source community: our DeBERTa-v3-based prompt injection model has been downloaded over 4.6 million times, and our newer v2 model already exceeds 680,000 downloads.
These numbers highlight not only strong community validation but also suggest that precise, specialized models are more practical and effective than LLM-based classifiers in real-world use.
Interested in learning more? Request a demo >