Deterministic checks catch the mechanical tricks; a semantic LLM pass catches the ones written in natural language. The document is always isolated so the analyzer never obeys it.
Each detection comes with a severity, an origin (deterministic / llm / hybrid) and the exact evidence.
White-on-white text, near-zero font sizes and hidden runs that humans never see but an LLM reads.
Instructions smuggled into document author, title, comments and custom properties.
“Ignore all previous instructions” and similar attempts to hijack the model.
Deliberately misspelled trigger words that still read as commands to a model.
Zero-width and tag characters that hide a payload inside otherwise normal text.
Counts embedded images that could carry hidden instructions (deeper scan in v2).
Attempts to extract your system prompt or internal rules.
DAN-style jailbreaks that ask the model to drop its guardrails.
Payloads designed to take effect across a conversation.
Fake system/assistant delimiters that try to break out of the document context.
Base64 and other encodings used to hide instructions from simple filters.
Instructions that try to make the model leak data to an external destination.
PDF, Word (.docx) and Excel (.xlsx), up to 50 MB per file.
Every analysis is logged to your account so you can review what was scanned and when.
Content is passed to the LLM inside a nonce delimiter — it is analyzed, never executed.