u/Feeling-Grand8280

Are you actually using a Prompt Injection Firewall, or is it mostly hype?

Hey everyone,

I'm working on a production app that hooks an LLM up to external APIs (tools/function calling), and the threat of indirect prompt injection is starting to give me gray hairs.

I’ve seen a bunch of startups and open-source tools popping up offering "LLM Firewalls" or "Prompt Guardrails" to intercept inputs/outputs and filter out malicious instructions.

But looking at it practically, it feels a bit like a game of whack-a-mole. I'm trying to figure out if these tools are actually worth integrating, or if standard software security practices are enough.

For those of you with LLMs in production:

  1. Are you actually using a dedicated prompt injection firewall? (If so, which one, and has it actually caught anything?)
  2. Or are you just relying on classic security? (e.g., strict system prompts, strict output parsing, sandboxing code execution, and treating all LLM outputs as untrusted user input).

I’d love to hear some real-world perspective before I go adding another layer of complexity to our stack. Cheers!

reddit.com
u/Feeling-Grand8280 — 9 hours ago
▲ 3 r/mlops
▲ 3 r/SaasDevelopers +2 crossposts
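One concrete form of the "classic security" option in the post above (strict output parsing, treating every LLM output as untrusted input before any tool runs), written as an added example rather than code from the original post. The tool registry, the allowlisted host and the sample model outputs are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Hypothetical tool registry (constructed): argument names and types per tool.
# Anything the model emits outside this table is refused, never executed.
TOOL_SCHEMAS = {
    "fetch_url": {"url": str},
    "lookup_order": {"order_id": str},
}
ALLOWED_HOSTS = {"api.example.com"}  # constructed allowlist for fetch_url

class ToolCallRejected(ValueError):
    """The model output failed the gate; the tool is never executed."""

def validate_tool_call(raw_output: str) -> dict:
    """Parse untrusted model output and return a sanitised tool call, or raise."""
    try:
        call = json.loads(raw_output)
    except json.JSONDecodeError as exc:
        raise ToolCallRejected(f"not JSON: {exc}")
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        raise ToolCallRejected("expected exactly {'tool': ..., 'args': {...}}")
    tool, args = call["tool"], call["args"]
    schema = TOOL_SCHEMAS.get(tool)
    if schema is None:
        raise ToolCallRejected(f"tool {tool!r} is not allowlisted")
    if not isinstance(args, dict) or set(args) != set(schema):
        raise ToolCallRejected("argument names do not match the tool schema")
    for name, typ in schema.items():
        if not isinstance(args[name], typ):
            raise ToolCallRejected(f"argument {name!r} must be {typ.__name__}")
    # Per-tool semantic checks: type-correct arguments can still be dangerous.
    if tool == "fetch_url":
        parsed = urlparse(args["url"])
        if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
            raise ToolCallRejected("fetch_url target is not an allowlisted host")
    if tool == "lookup_order" and not args["order_id"].isalnum():
        raise ToolCallRejected("order_id must be alphanumeric")
    return {"tool": tool, "args": args}

def gate(raw_output: str) -> tuple:
    """Return (accepted, reason) so callers can log rejections for detection."""
    try:
        validate_tool_call(raw_output)
        return True, "ok"
    except ToolCallRejected as exc:
        return False, str(exc)

# Constructed samples: a legitimate call, an unregistered tool, and a
# type-correct call pointed at a host outside the allowlist.
GOOD = '{"tool": "lookup_order", "args": {"order_id": "A1B2C3"}}'
BAD_TOOL = '{"tool": "delete_account", "args": {"user": "alice"}}'
BAD_HOST = '{"tool": "fetch_url", "args": {"url": "https://other.example/x"}}'
```

Logging the rejection reason from `gate` gives you the "has it actually caught anything?" metric the post asks about, without a separate firewall product.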

Built a local token analyzer to see which features burn my budget. What metrics actually matter to you?

Hey guys,

Like a lot of people here, I kept hitting my token ceilings and running out of budget because of long chat histories and heavy prompts. I realized I was flying completely blind because aggregate usage graphs don't tell me what part of my codebase or workspace is the actual culprit.

I put together a quick tool for myself that tracks token usage broken down by specific features/tasks rather than just total daily spend.

It made me realize that short, vague prompts often cost nearly as much as detailed ones because of context re-reading, which completely changed how I prompt.

I’m looking to polish this up. If you were tracking your token usage locally, what would you actually care about seeing?

  • Do you want to see token burn by prompt length, by conversation depth, or by specific features?
  • Are you more worried about hitting 5-hour soft limits, or managing actual dollar costs on API keys?
  • What is the single most annoying thing about tracking token usage right now?

reddit.com
u/Feeling-Grand8280 — 3 days ago

SaaS founders: what’s your biggest LLM-cost headache?

If you’re running a SaaS that uses OpenAI / Anthropic / Gemini:

  1. Do you know which feature in your product is burning the most on LLM costs, or is it a mystery?
  2. Any time you’ve been surprised by your bill and had no idea where it came from?
  3. What would help you the most as a founder:
    • Better visibility into which features cost what?
    • Forecasting?
    • Or just simple alerts?

No promo, just looking to understand real problems.

reddit.com
u/Feeling-Grand8280 — 6 days ago