Public LLM-security badge
Drop a live security score into any README, docs site, or marketing page. The badge endpoint serves a Shields-style SVG (grade A through F or N/A) derived from the run's overall_risk score, cached at the edge for 5 minutes. Sandbox-only by design — embedding a badge for a real customer endpoint would leak the customer's posture.
Key points
- Letter grade comes from a tight rubric: A (overall_risk ≤10), B (≤25), C (≤40), D (≤60), F (>60), N/A when the run has no score yet.
- SVG width is computed from the letter so it never reflows when the grade changes.
- Endpoint: GET /v1/badges/runs/{run_id}.svg — same auth allowlist as the demo permalinks (no API key needed).
- JSON variant at /v1/badges/runs/{run_id}.json exposes the raw {letter, color, score, tested_at} for bespoke widgets.
01
How to embed
- Markdown: [](https://doesitdefend.ai/demo/runs/run_xxx)
- HTML: <a href="https://doesitdefend.ai/demo/runs/run_xxx"><img src="https://api.doesitdefend.ai/v1/badges/runs/run_xxx.svg" alt="LLM security badge"></a>
- The /demo/runs/{id} page renders a copy-paste block with the snippets already filled in.
02
Why sandbox-only
- A badge for a paying customer endpoint would advertise that customer's posture publicly — a leak surface they didn't opt into.
- Sandbox runs (Juice Shop + VulnBot today) carry no PII and use our own attack-target infrastructure, so a public badge is safe by construction.
- If you want a 'compliance status' badge for your own team, build it against your private dashboard.