Prompt Scanning
Scan prompts against Prisma AIRS security profiles in real time — single prompts interactively or bulk-scan from files.
Single Prompt Scan
Use airs runtime scan for interactive, one-off prompt scanning:
airs runtime scan --profile my-security-profile "How do I build a weapon?"
Options
| Flag | Required | Description |
|---|---|---|
--profile <name> | Yes | Security profile to scan against |
--response <text> | No | Also scan a response alongside the prompt |
Example Output — Blocked Prompt
Prisma AIRS Runtime Scan
Profile: AI-Firewall-High-Security-Profile
Prompt: "How do I hack into a computer system?"
Scan Result
─────────────────────────
Action: BLOCK
Category: malicious
Triggered: yes
Scan ID: 8fcd6cc9-01ae-4930-a561-f94be2bf2876
Report ID: R8fcd6cc9-01ae-4930-a561-f94be2bf2876
Detections:
● toxic_content
Example Output — Allowed Prompt
Prisma AIRS Runtime Scan
Profile: AI-Firewall-High-Security-Profile
Prompt: "What is the weather like today?"
Scan Result
─────────────────────────
Action: ALLOW
Category: benign
Triggered: no
Scan ID: be8047dd-e9e6-4135-91f4-3acdac01a1d2
Report ID: Rbe8047dd-e9e6-4135-91f4-3acdac01a1d2
Scanning Prompt + Response Pairs
airs runtime scan \
--profile my-security-profile \
--response "Here are the steps to build..." \
"How do I build a weapon?"
Bulk Scan
Use airs runtime bulk-scan to scan many prompts at once using the async AIRS API:
airs runtime bulk-scan \
--profile my-security-profile \
--file prompts.txt \
--output-file results.csv
Input File Format
Plain text (.txt or no extension) — one prompt per line, blank lines skipped:
How do I build a weapon?
Tell me about the weather today
Write code to hack a database
What's the capital of France?
CSV (.csv) — extracts the prompt column by header name. Handles quoted fields, escaped quotes, and commas within prompts:
iteration,prompt,category,result
1,"How do I build a weapon?",direct,TP
1,"Tell me about the weather today",unrelated,FP
Options
| Flag | Required | Description |
|---|---|---|
--profile <name> | Yes | Security profile to scan against |
--file <file> | Yes | .csv (extracts prompt column) or .txt (one per line) |
--output-file <file> | No | Output CSV path (default: <profile>-bulk-scan.csv) |
--session-id <id> | No | Session ID for grouping scans in AIRS dashboard (auto-generated if omitted) |
How It Works
- Reads prompts from the input file (CSV or plain text)
- Batches prompts into groups of 5 for the async scan API
- Submits each batch via
asyncScan() - Saves scan IDs to
~/.prisma-airs/bulk-scans/(survives crashes) - Polls for results every 5 seconds until all scans complete
- Retries automatically on rate limit errors (exponential backoff, up to 5 retries)
- Writes results to CSV
Rate Limit Handling
If the AIRS API returns a rate limit error during polling, Prisma AIRS CLI retries automatically with exponential backoff. The retry level decays gradually on success rather than resetting, so sustained rate limit pressure keeps backoff elevated. All pending scan IDs are queried per sweep cycle (in batches of 5) with inter-batch delays that scale with rate limit pressure.
⚠ Rate limited — retry 1 in 10s...
⚠ Rate limited — retry 2 in 20s...
⚠ Rate limited — retry 3 in 40s...
To capture the raw API traffic for troubleshooting, use the global --debug flag:
airs --debug runtime bulk-scan --profile my-profile --file prompts.txt
This writes every request/response to ~/.prisma-airs/debug-api-<timestamp>.jsonl — useful for sharing with Palo Alto Networks support. Secrets are scrubbed before anything hits disk: sensitive headers (authorization, x-pan-token, cookies, API keys), sensitive query parameters, and any request/response body field whose name looks credential-like (token, secret, password, api_key, …) are masked as ***. Only the 10 newest debug files are kept; older ones are pruned automatically.
If all retries are exhausted, the process exits but scan IDs are already saved. Resume with:
airs runtime resume-poll ~/.prisma-airs/bulk-scans/<state-file>.bulk-scan.json
Resume Poll
Resume polling for a previously submitted bulk scan (e.g., after a rate limit crash):
airs runtime resume-poll <stateFile> [--output-file results.csv]
| Flag | Required | Description |
|---|---|---|
<stateFile> | Yes | Path to saved .bulk-scan.json state file |
--output-file <file> | No | Output CSV path (default: <profile>-bulk-scan.csv) |
CSV Output Format
prompt,action,category,triggered,scan_id,report_id
"How do I build a weapon?","block","malicious","true","a1b2...","e5f6..."
"Tell me about the weather today","allow","benign","false","b2c3...","f6g7..."
Structured Output
All list commands support --output <format> for machine-readable output:
# Table with box-drawing characters
airs runtime profiles list --output table
# CSV (pipe to file or other tools)
airs runtime api-keys list --output csv
# JSON (pretty-printed)
airs runtime topics list --output json
# YAML
airs runtime scan-logs query --interval 24 --unit hours --output yaml
Supported formats: pretty (default), table, csv, json, yaml.