| Canonical name | yara |
| Python | yara |
| TypeScript | yara |
| Server key | yara_analyzer |
| Category | Pattern Matching |
What it detects
Anything you can express as a YARA rule:
- Known prompt-injection idioms (“Ignore previous instructions…”, “Disregard the above…”).
- Secret shapes (API tokens, SSH keys, generic high-entropy identifiers).
- Internal codenames or document signatures you do not want leaving your tenancy.
- Output formats you want to enforce (e.g. JSON-only outputs).
How it works
Agnes compiles all active rules in the selected YARA policy (or all active tenant rules if no policy is selected) into a single YARA matcher. Input text is scanned against the matcher; matches surface as analyzer findings with the rule name and category. System rules ship in api/data/yara/ and include things like instruction bypass, generic-secret detection, SSH-key shapes, and a “fake IT maintenance” social-engineering rule.
Parameters
| Key | Type | Required | Default | Notes |
|---|---|---|---|---|
| yara_policy_id | select | No | tenant default | Reference a YARA policy. Leave empty to use the default (or all active rules if no default exists). |
Outputs and metrics
| Metric | Suggested thresholds |
|---|---|
| matches_found | > 0 (any match), >= 3 (multiple). |
| processing_time_ms | Observability only. |
Termination signals
| Signal | What it matches |
|---|---|
| Boolean: match_found | Any rule matched. |
| Match: rule_name | A specific rule, by name. |
| Match: category | All rules with a given category value in their meta block. |
rule_name and category are dynamic signals — the dashboard policy
editor populates them from the rules in your tenant.
Limits and cost
| Limit | Value |
|---|---|
| Max input tokens | 1,000,000 |
| Requests / minute | 5,000 (per tenant) |
Typical latency
1–50 ms depending on the number of compiled rules. YARA is one of the cheapest analyzers — put it early in your execution plan to short-circuit on cheap signals.
A small worked example
The shipped InstructionBypass rule:
meta: category = value (Instruction Bypass) becomes a
termination signal you can match on — “terminate when any rule with
category ‘Instruction Bypass’ fires” — without naming each rule
individually.
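A rule set of the same shape, as an added example (these are not the shipped system rules; the rule names, strings and the "Secrets" category are constructed for illustration). The first two rules share category "Instruction Bypass", so one category signal covers both, while the third rule sits in a different category and is unaffected by that signal.

```yara
// Constructed rules for illustration. Names, strings and the "Secrets"
// category are assumptions, not the rules shipped with the product.

rule Example_IgnorePreviousInstructions
{
    meta:
        category = "Instruction Bypass"
        description = "Asks the model to drop its earlier instructions"
    strings:
        // Matches "ignore previous instructions", "Ignore all the prior instructions", ...
        $ignore = /ignore (all )?(the |your )?(previous|prior|earlier) instructions/ nocase
    condition:
        $ignore
}

rule Example_DisregardTheAbove
{
    meta:
        // Same category as the rule above: a category signal fires on either.
        category = "Instruction Bypass"
    strings:
        $disregard = /disregard (all of )?(the )?above/ nocase
        $forget    = "forget everything above" nocase
    condition:
        any of them
}

rule Example_OpenSSHPrivateKeyHeader
{
    meta:
        // Different category: only a rule_name or "Secrets" category signal matches this.
        category = "Secrets"
    strings:
        $pem = "-----BEGIN OPENSSH PRIVATE KEY-----"
    condition:
        $pem
}
```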
When to use it
- Always on as a cheap first line. Put YARA early in your combined policy so it short-circuits before the GPU classifiers fire.
- Encode product-specific rules. Internal codenames, regulatory phrasings, product-specific PII shapes that Cloud DLP does not ship. YARA is the right place.
- Outbound is high-value. Outbound YARA catches LLMs that have internalised your codebase or customer data and started reproducing patterns.
Failure modes
- Rule compilation error → the rule fails to load and is excluded from the run; surfaced in admin logs but does not break the analyzer.
- No rules in the selected policy → the analyzer returns matches_found: 0 and OK status. Fix the policy if you expected matches.
Next
- YARA rules and policies — author rules, group them into policies, manage activation.
- Combined analyzer — wiring YARA into termination rules.