Safety classifiers that screen LLM inputs for jailbreak attempts have become standard deployment components, yet almost all production systems rely on GPU-based models: fine-tuned transformers and LLM-as-a-judge pipelines. These approaches impose significant per-query latency and infrastructure cost. Very little research has asked whether CPU-based classifiers, such as support vector machines and gradient-boosted trees trained on TF-IDF features, can match their accuracy across the conditions that production deployments encounter. We evaluate five CPU classifier families, Mamba-130M as an SSM-based GPU classifier, and transformer-based GPU models (DeBERTa-v3 and Gemma-2B with LoRA) across nine jailbreak sources and three regimes: in-distribution (D1), out-of-distribution (D2), and adversarially obfuscated (D3). On D1, the best CPU classifier matches the best transformer GPU model at roughly one-fifth the deployment cost. On D2, CPU classifiers fail via confident miscalibration, producing high-confidence false negatives that bypass escalation entirely. On D3, CPU classifiers outperform transformer GPU models by more than 26 percentage points in F1. Based on these complementary failure modes, we design GuardChain, a three-stage safety pipeline (Regex -> CPU -> GPU) that routes each prompt to the cheapest stage capable of a confident decision. The CPU stage alone resolves 80\% of in-distribution prompts at near-peak accuracy, and the GPU stage recovers the out-of-distribution failures. For practitioners deploying LLM safety at scale, this work provides evidence that GPU-class infrastructure is unnecessary for the majority of traffic.

翻译：用于筛查大语言模型输入是否存在越狱尝试的安全分类器已成为标准部署组件，但几乎所有生产系统都依赖基于GPU的模型：微调后的Transformer和LLM作为评判的流水线。这些方法会带来显著的每次查询延迟和基础设施成本。很少有研究探讨基于CPU的分类器（例如在TF-IDF特征上训练的支持向量机和梯度提升树）能否在生产部署所遇到的各种条件下达到与之相当的准确率。我们评估了五类CPU分类器、基于SSM的GPU分类器Mamba-130M以及基于Transformer的GPU模型（DeBERTa-v3和带LoRA的Gemma-2B），涵盖九个越狱来源和三个场景：分布内（D1）、分布外（D2）和对抗性混淆（D3）。在D1场景下，最佳CPU分类器以约五分之一部署成本达到了最佳Transformer GPU模型的性能。在D2场景下，CPU分类器因高置信度校准失误而失败，产生高置信度假阴性结果，完全绕过升级处理。在D3场景下，CPU分类器的F1值比Transformer GPU模型高出超过26个百分点。基于这些互补的失败模式，我们设计了GuardChain，一个三阶段安全流水线（正则表达式→CPU→GPU），将每个提示路由到能够做出置信决策的最廉价阶段。仅CPU阶段就能以接近峰值准确率处理80%的分布内提示，而GPU阶段则能恢复分布外失败情况。对于规模化部署大语言模型安全的从业者来说，这项工作提供了证据表明，大多数流量无需GPU级基础设施。