Introducing the Generative Application Firewall (GAF)
Joan Vendrell Farreny, Martí Jordà Roca, Miquel Cornudella Gaya, Rodrigo Fernández Baón, Víctor García Martínez, Eduard Camacho Sucarrats, Alessandro Pignati
Published on arXiv
2601.15824
Prompt Injection
OWASP LLM Top 10 — LLM01
Insecure Plugin Design
OWASP LLM Top 10 — LLM07
Key Finding
Proposes GAF as an architectural abstraction that unifies prompt injection defense, jailbreak detection, data masking, and agent tool security into a single enforcement layer, filling gaps unaddressable by traditional WAFs.
Generative Application Firewall (GAF)
Novel technique introduced
This paper introduces the Generative Application Firewall (GAF), a new architectural layer for securing LLM applications. Existing defenses -- prompt filters, guardrails, and data masking -- remain fragmented; GAF unifies them into a single enforcement point, much like a WAF coordinates defenses for web traffic, while also covering autonomous agents and their tool interactions.
Key Contributions
- Introduces the Generative Application Firewall (GAF) as a unified, centralized enforcement architecture for LLM application security, analogous to how WAFs coordinate defenses for web traffic.
- Defines a layered threat model for conversational LLM systems covering semantic-level filtering, context/session-aware policy enforcement, and mediation of autonomous agent tool calls.
- Identifies the gap between fragmented existing defenses (prompt filters, guardrails, data masking) and argues for a single enforcement point spanning users, sessions, agents, and tools.