Large Language Models (LLMs) are increasingly vulnerable to Prompt Injection (PI) attacks, where adversarial instructions hidden within retrieved contexts hijack the model's execution flow. Current defenses typically face a critical trade-off: prevention-based fine-tuning often degrades general utility via the "alignment tax", while detection-based filtering incurs prohibitive latency and memory costs. To bridge this gap, we propose RedVisor, a unified framework that synthesizes the explainability of detection systems with the seamless integration of prevention strategies. To the best of our knowledge, RedVisor is the first approach to leverage fine-grained reasoning paths to simultaneously detect attacks and guide the model's safe response. We implement this via a lightweight, removable adapter positioned atop the frozen backbone. This adapter serves a dual function: it first generates an explainable analysis that precisely localizes the injection and articulates the threat, which then explicitly conditions the model to reject the malicious command. Uniquely, the adapter is active only during this reasoning phase and is effectively muted during the subsequent response generation. This architecture yields two distinct advantages: (1) it mathematically preserves the backbone's original utility on benign inputs; and (2) it enables a novel KV Cache Reuse strategy, eliminating the redundant prefill computation inherent to decoupled pipelines. We further pioneer the integration of this defense into the vLLM serving engine with custom kernels. Experiments demonstrate that RedVisor outperforms state-of-the-art defenses in detection accuracy and throughput while incurring negligible utility loss.

翻译：大型语言模型（LLM）日益面临提示注入（PI）攻击的威胁，此类攻击通过隐藏在检索上下文中的对抗性指令劫持模型执行流程。现有防御方案通常面临关键权衡：基于预防的微调常因"对齐税"导致通用性能下降，而基于检测的过滤方案则产生难以承受的延迟与内存开销。为弥补这一缺陷，我们提出RedVisor统一框架，该框架融合了检测系统的可解释性与预防策略的无缝集成。据我们所知，RedVisor是首个利用细粒度推理路径同时实现攻击检测与安全响应引导的方法。我们通过在冻结主干网络上部署轻量级可移除适配器实现该机制。该适配器具备双重功能：首先生成可解释的分析报告，精确定位注入点并阐明威胁机理，随后显式引导模型拒绝恶意指令。其独特之处在于适配器仅在推理阶段激活，在后续响应生成阶段则保持静默。此架构产生两大优势：（1）在数学层面保持主干网络对良性输入的原始性能；（2）支持创新的KV缓存重用策略，消除解耦流水线固有的冗余预填充计算。我们进一步率先将该防御机制集成至vLLM服务引擎并开发定制内核。实验表明，RedVisor在检测精度与吞吐量方面均优于现有防御方案，同时仅产生可忽略的性能损失。