PIArena: Prompt Injection Evaluation
- PIArena is a unified and extensible platform for evaluating prompt injection attacks and defenses in LLM systems, featuring formal threat models and standardized metrics.
- It employs a modular architecture with plug-and-play components—including benchmarks, attack, defense, and evaluator modules—to facilitate rigorous, cross-task evaluation.
- The platform’s comprehensive benchmarks and adaptive strategy-based attacks reveal key trade-offs between utility and robustness, guiding the development of next-generation LLM defenses.
PIArena is a unified and extensible platform for the evaluation of prompt injection attacks and defenses in LLM systems. Its design addresses the lack of standardized methodology for assessing the robustness and generalization of prompt injection defenses across diverse tasks, datasets, and attack strategies. PIArena includes formal definitions, a modular architecture, comprehensive benchmarks, a dynamic adaptive attack method, and a systematic evaluation protocol grounded in recent empirical findings (Geng et al., 9 Apr 2026).
1. Formal Threat Model and Metrics
PIArena formalizes prompt injection in the black-box setting. Consider a user issuing a target instruction (e.g., "Summarize the following document") and providing a context to an LLM . The canonical response is
where is string concatenation. A prompt injection adversary crafts an injected instruction and tampered context , constructing
with the goal that fulfills the injected task rather than the user's target task.
Defenses are grouped as:
- Detection-based: classify as "clean"/"contaminated," blocking queries if contaminated.
- Prevention-based: sanitize, re-prompt, or fine-tune so that 0 executes the intended instruction even under 1.
Primary evaluation metrics are:
- Utility (U): Task performance under clean/defended context (e.g., F1, ROUGE-L, or LLM-judge score).
- Attack Success Rate (ASR): Proportion of contaminated samples where model output completes the injected instruction. Formally, for 2 samples: 3 with IsSuccess determined by an LLM-judge.
2. Platform Architecture and Modular Design
PIArena's system is composed of four core plug-and-play modules with standardized interfaces:
| Module | Input | Output / Role |
|---|---|---|
| Benchmark | JSONL dataset with {target_inst, context, injected_task, ...} |
Supplies test cases and ground truths |
| Attack | Sample 4 | Generates and injects prompt |
| Defense | Tampered context 5 | Returns model response (possibly sanitized, rejected, or flagged) |
| Evaluator | Model response, sample metadata | Computes utility and ASR |
The canonical workflow is:
- Benchmark yields sample 6.
- Attack generates 7 and constructs 8.
- Defense processes 9 (e.g., sanitizes or classifies) and queries LLM 0.
- Evaluator scores utility and ASR via rules and LLM-as-judge assessments.
The open modular design allows arbitrary integration of new attack algorithms, defense mechanisms, or benchmark datasets by implementing their interface.
3. Benchmark Suite and Evaluation Protocol
PIArena provides a portfolio of 1,700 benchmark samples from 14 datasets, facilitating rigorous cross-task evaluation:
- Task types: question answering (SQuAD v2, Dolly-QA), summarization/information extraction (Dolly), retrieval-augmented generation (NQ, MS-MARCO, HotpotQA), and long-context challenges (LongBench: Qasper, GovReport, MultiNews, etc.).
- Injected goals: phishing, content promotion, access denial, infrastructure failure (all tasks LLM-generated for contextual realism).
- Backend LLMs: both open-source (Qwen3-4B, Llama3-70B, gpt-oss-120B) and proprietary (GPT-4o, GPT-5, Claude-4.5, Gemini-3-Pro/Flash).
- Attack modes: Combined (ensemble heuristics), Direct (undistorted injection), Strategy (adaptive/dynamic).
PIArena's protocols encompass:
- Attack-only (raw ASR),
- Defense-only (utility under clean/defended inputs),
- Combined (full factorial evaluation: all attacks × defenses × datasets × models).
Responses are judged using F1, ROUGE-L, retrieval metrics, or explicitly via LLM-judge YES/NO verdict on whether the output responded to the injected instruction.
4. Adaptive Strategy-Based Attack
A central innovation is the dynamic, feedback-driven attack:
- Phase 1: Candidate Generation. The base injection 1 is rewritten by a set of strategies 2 to produce a diverse pool 3 of candidate prompts per strategy. Each is tested; immediate successes are returned.
- Phase 2: Feedback-Guided Refinement. Unsuccessful seeds undergo black-box refinement for up to 4 iterations. Each iteration, PIArena assesses output:
- If detected/sanitized, instructs "increase stealth."
- If ignored, instructs "increase imperativeness."
- Else, iteratively rewrites to evade the defense, using an attacker LLM for
Rewrite(P, guidance).
This loop typically converges in 1–2 iterations for most defenses (worst case 4.6 for the strongest), achieving substantially higher ASR than static approaches.
5. Comparative Analysis of Attacks and Defenses
PIArena's comprehensive cross-benchmark evaluations reveal critical trends:
- Limited generalizability: Defenses that appear robust (e.g., PISanitizer, SecAlign++) under engineered attacks demonstrate high ASR (11% Direct, 4% Combined, but up to 21% against adaptive attacks; e.g., SecAlign++ falls from 58% utility under no attack vs 74% baseline).
- Utility-robustness tradeoff: Strategies such as DataSentinel maintain low ASR but with high false positive rates or near-zero utility (e.g., AttentionTracker, 15% utility).
- Adaptive attack vulnerability: The strategy-based attack achieves 99% ASR when defenses are absent, 86% under PISanitizer, and can surpass 21% under SecAlign++.
- Closed-source model exposure: All high-performance models, including GPT-4o-mini (76% ASR), GPT-5 (70%), and Claude-4.5 (31% but 97% utility loss on strategy attack), are susceptible.
- Task-alignment limitations: For injected tasks aligned with the target (e.g., factual disinformation in QA), ASR exceeds 80% for all defenses, indicating the inherent limitation of detection/sanitization methods at the instruction level.
PIArena also integrates and evaluates agentic benchmarks (InjecAgent, AgentDojo, AgentDyn, WASP) and general-purpose benchmarks (OPI, SEP), substantiating that performance failures extend across both general and agent-specific evaluation settings.
6. Implications, Limitations, and Future Directions
PIArena's results crystallize three key recommendations:
- Require systematic, cross-task evaluation: Defenses must be scrutinized under diverse datasets, attacks, and injection scenarios. PIArena's unified API enables such comprehensive assessments.
- Adopt adaptive threat models: Relying on static or template-based attacks overestimates defense robustness; development must leverage dynamic adversarial routines.
- Transition from instruction detection to content verification: Defenses restricted to prompt structure lack efficacy against content-rewriting or knowledge-level attacks (e.g., disinformation), necessitating techniques such as external fact checking, provenance tracing, or semantic validation.
A central limitation is that benchmarks, though broad, do not encompass the entire spectrum of real-world attacks or system configurations; however, current results already expose severe and general weaknesses. PIArena's open-source release invites further community-driven extension.
7. Usage and Extensibility
PIArena is designed for high usability and extensibility:
- Installation: Via standard Python package management.
- Integration: New attacks, defenses, and benchmarks are supported by implementing modular interfaces; example code demonstrates one-line instantiation for each.
- Evaluation routines: Plug-and-play for any combination of attack, defense, benchmark, and model backend.
The platform aims to accelerate empirical progress toward robust prompt injection defense by enforcing rigorous, comprehensive, and reproducible evaluation practices (Geng et al., 9 Apr 2026).