Prompt injection defense token cost
A safety prefix feels free — it is just a few sentences in the system prompt. But you pay for those sentences on every request, forever. This tool turns that into a monthly number and sets it next to the risk-adjusted cost of an injection attack, so the security decision becomes an expected-value comparison instead of a gut call.
How it works
The tool computes two figures over a 30-day month:
- Defense cost =
defense_tokens × input_price × requests_per_day × 30. This is the unavoidable overhead of carrying the prefix on every call. - Risk-adjusted incident cost =
requests_per_day × 30 × injection_probability × incident_cost. This is the expected loss if you ship without the prefix, assuming the prefix is what stops those injections.
If the expected incident cost exceeds the defense cost, the prefix is worth it on average. The tool also shows the break-even injection probability — the risk level at which the two numbers are equal — so you can sanity-check whether your risk estimate is above or below that threshold.
Worked example
Suppose your chatbot receives 10,000 requests per day and your safety prefix is 150 tokens. On a model priced at $0.50 per million input tokens:
Defense cost per month = 150 tokens × ($0.50 / 1,000,000) × 10,000 × 30
= $0.0000005 × 10,000 × 30
= $22.50 / month
Now suppose you estimate the probability that any single request carries a successful injection is 0.01% (1 in 10,000), and a breach costs your business $5,000 in remediation and reputational exposure:
Expected incident cost = 10,000 req/day × 30 days × 0.0001 × $5,000
= $150,000 / month
The $22.50 prefix cost eliminates $150,000 of expected monthly exposure. Even if you are off by a factor of ten on the breach probability, the defense still wins by a large margin. This is why the break-even injection probability is usually tiny — the prefix is almost always worth it.
What the break-even probability tells you
The break-even is the injection probability at which defense cost equals expected incident cost:
break_even_prob = defense_cost / (requests × incident_cost)
If your estimated risk is well above this threshold, add the prefix without debate. If your estimate is at or below it, examine your incident-cost estimate — it almost certainly underestimates tail risk.
Sizing the incident cost correctly
Injection incident costs are easy to underestimate because the worst-case path is catastrophic rather than typical. Realistic components include:
- Direct remediation — incident response, audit, PR management
- Data exposure liability — particularly severe if user data is leaked
- Regulatory fines — depending on jurisdiction and data type
- Customer churn — loss of trust can persist well beyond a single incident
- Competitive leakage — if a system prompt reveals proprietary logic
For a consumer app with millions of users, a single high-visibility breach can cost far more than the entire API spend for the year. That asymmetry is the core argument for carrying the defense unconditionally.
Tips and notes
- The break-even probability is usually tiny, which is why almost every production app carries some injection defense — the prefix is cheap relative to a single bad incident.
- Defense tokens add to latency and context usage too, not just cost; keep the prefix tight.
- This prices only the instruction-prefix layer. A real defense stack also includes a guard model, input sanitization, and constrained tool permissions — budget for those separately.
- Tail risk matters: even when the expected-value math is close, a single catastrophic breach can dwarf years of prefix cost, so bias toward defending when incident cost is high.