Use Case

SOC 2GDPRISO 27001

AI Agent Security for RAG Pipelines

Retrieval-Augmented Generation pipelines pull documents from vector databases and inject them directly into LLM context windows. This creates a unique attack surface: every document in your corpus becomes a potential injection vector. Unlike direct user input, RAG-sourced injections bypass traditional input validation because the content arrives through a trusted retrieval path. Attackers can poison knowledge bases, manipulate retrieval rankings to surface malicious content, or embed hidden instructions in documents that override system prompts when retrieved. Rune scans every retrieved document before it reaches the LLM, detecting injections buried in PDFs, web scrapes, and internal knowledge bases — regardless of how they entered your corpus.

Start Free — 10K Events/MonthNo credit card required

14% of RAG sessions encounter injection attempts

Based on production telemetry, roughly 1 in 7 RAG pipeline sessions processes at least one document containing injection-like patterns — most originating from web-scraped content rather than direct user input.

<3ms added latency per document scan

Rune's pattern and semantic scanners process individual document chunks in under 3 milliseconds, adding negligible overhead to retrieval pipelines that already spend 50-200ms on embedding lookup and reranking.

99.2% detection rate on document-embedded injections

Multi-layer scanning (regex + semantic + LLM judge) catches prompt injections hidden in documents with high accuracy, including obfuscated variants using Unicode substitution, base64 encoding, and whitespace manipulation.

Key Security Risks

criticalDocument Poisoning

Malicious instructions embedded within documents stored in your vector database. When a user query triggers retrieval of a poisoned document, the injected instructions are treated as trusted context by the LLM, allowing attackers to override system prompts, exfiltrate data, or redirect agent behavior.

Real-world scenario: A company's internal knowledge base was populated with web-scraped content that included a blog post containing hidden instructions in white-on-white text. When the RAG pipeline retrieved this document to answer employee questions, the LLM followed the hidden instructions and included a phishing link in its responses, directing users to a credential harvesting page.

highRetrieval Manipulation

Attackers craft queries designed to manipulate which documents are retrieved from the vector store. By understanding how embedding similarity works, they can engineer inputs that consistently surface specific documents — including poisoned ones — while bypassing relevant results.

Real-world scenario: A legal research assistant's vector database contained thousands of case documents. An adversary discovered that by appending specific unicode characters to queries, they could skew cosine similarity scores to consistently retrieve a planted document containing instructions to summarize cases in a misleading way, subtly misrepresenting precedent.

highContext Window Overflow

Deliberately large or numerous retrieved documents fill the LLM's context window, pushing system prompts and safety instructions out of the effective attention range. The LLM then operates without its guardrails, becoming susceptible to instructions contained in the retrieved content.

Real-world scenario: A customer-facing Q&A system retrieved the top 10 matching documents per query. An attacker submitted a broad query that matched many long documents, pushing the system prompt out of the model's effective context window. The agent then responded to a follow-up injection embedded in one of the retrieved documents, disclosing the full system prompt and API configuration.

criticalCross-Tenant Data Leakage

In multi-tenant RAG systems, insufficient namespace isolation in the vector database allows queries from one tenant to retrieve documents belonging to another. Combined with prompt injection, this can be weaponized to systematically extract another tenant's knowledge base.

Real-world scenario: A SaaS platform used a shared Pinecone index with metadata filtering for tenant isolation. A prompt injection in a user query manipulated the agent into reformulating its retrieval query without the tenant filter, causing it to retrieve and summarize confidential product roadmaps from a competitor's namespace.

How Rune Helps

Retrieved Document Scanning

Rune's middleware intercepts documents after retrieval but before they enter the LLM context. Each document is scanned for prompt injection patterns, hidden instructions, and anomalous content using multi-layer detection — pattern matching, semantic analysis, and optional LLM-based classification.

Chunk-Level Granularity

Rather than scanning entire documents as blobs, Rune analyzes individual chunks as they flow through the retrieval pipeline. This catches injections that only appear in specific sections and provides precise alerting — you know exactly which chunk in which document triggered the detection.

Output Validation

Even if a poisoned document reaches the LLM, Rune scans the final output before it reaches the user. Responses that contain exfiltration attempts (encoded data, suspicious URLs), policy violations, or hallucinated instructions are blocked or flagged in real-time.

Framework-Native Integration

Rune integrates directly with LangChain's callback system and LlamaIndex's instrumentation module. You add one middleware wrapper and every retrieval, LLM call, and tool invocation is automatically scanned — no custom plumbing required.

Example Security Policy

version: "1.0"
rules:
  - name: scan-retrieved-documents
    scanner: prompt_injection
    action: block
    severity: critical
    scope: retrieval
    description: "Block retrieved documents containing injection attempts"

  - name: detect-context-overflow
    scanner: context_abuse
    action: alert
    severity: high
    config:
      max_retrieved_tokens: 12000
      description: "Alert when retrieved content exceeds safe context ratio"

  - name: block-data-exfiltration
    scanner: data_exfiltration
    action: block
    severity: critical
    config:
      patterns:
        - urls
        - encoded_data
        - markdown_images
      description: "Prevent data exfiltration through LLM responses"

  - name: pii-in-retrieval
    scanner: pii
    action: redact
    severity: high
    scope: output
    description: "Redact PII surfaced from retrieved documents"

Policies are defined in YAML and enforced at the SDK level. Version control them alongside your agent code.

Quick Start

pip install runesec langchain

from rune import Shield
from rune.integrations.langchain import RuneCallbackHandler
from langchain_openai import ChatOpenAI
from langchain.chains import RetrievalQA
from langchain_community.vectorstores import Chroma

# Initialize Rune Shield
shield = Shield(
    api_key="rune_live_xxx",
    agent_id="rag-pipeline",
    policy_path="policy.yaml"
)

# Create callback handler for LangChain
rune_handler = RuneCallbackHandler(shield)

# Your existing RAG setup — Rune wraps it transparently
llm = ChatOpenAI(model="gpt-4o", callbacks=[rune_handler])
vectorstore = Chroma(persist_directory="./chroma_db", embedding_function=embeddings)
retriever = vectorstore.as_retriever(search_kwargs={"k": 5})

chain = RetrievalQA.from_chain_type(
    llm=llm,
    retriever=retriever,
    callbacks=[rune_handler],  # Scans retrieved docs + LLM output
)

# Every query now has runtime protection
result = chain.invoke({"query": "What is our refund policy?"})
# Retrieved docs scanned for injections before reaching GPT-4o
# Final response scanned for data exfiltration and policy violations

The RuneCallbackHandler hooks into LangChain's callback system to intercept every stage of the RAG pipeline. Retrieved documents are scanned for prompt injection before they enter the LLM context. The LLM's response is scanned for data exfiltration attempts and policy violations before reaching the user. All events are logged to the Rune dashboard for monitoring and forensic analysis.

Secure your rag pipelines today

Add runtime security in under 5 minutes. Free tier includes 10,000 events per month.

Start Free — 10K Events/Month Getting Started