# Why Code Mutation Beats Redaction for AI Security
Redaction tools remove information from prompts, but they break LLM context and output quality. Here's why mutation is the right approach.
## The Redaction Problem
When enterprise security teams first encounter AI coding tools, the natural instinct is to redact sensitive information before it reaches the model. Block the API key. Remove the database URL. Strip the internal service name.
The problem: **redaction destroys context**.
An LLM asked to refactor a function called `[REDACTED]` that calls `[REDACTED]` service and returns `[REDACTED]` payload cannot produce meaningful output. The model has been blinded.
Most security tools in the AI space take this path: detect-and-delete. It feels safe. It is also largely useless for code work.
## The Mutation Insight
Pretense takes a different approach: **replace, don't remove**.
Instead of removing `getUserToken`, Pretense replaces it with `_fn4a2b` — a deterministic synthetic identifier derived from a hash of the original name. The function still exists. The call graph is intact. The semantic structure is preserved.
```typescript
// Original (sent to Pretense)
async function getUserToken(userId: string) {
  return AuthService.createSession(userId);
}

// Mutated (sent to Claude API)
async function _fn4a2b(_v9k1m: string) {
  return _cls5b7a.createSession(_v9k1m);
}
```
The LLM sees a complete, coherent function. It can reason about the structure, suggest improvements, identify bugs, and produce refactored code — all without knowing that `_fn4a2b` maps to your proprietary `getUserToken` implementation.
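The reversal step can be sketched as a map-driven substitution over the model's response. This is a minimal illustration with hypothetical names, not Pretense's actual implementation, which would presumably operate on tokens or an AST rather than raw strings:

```typescript
// Hypothetical reverse map, built during mutation. In a real deployment this
// map stays on the local machine and is never sent to the LLM provider.
const reverseMap = new Map<string, string>([
  ["_fn4a2b", "getUserToken"],
  ["_v9k1m", "userId"],
  ["_cls5b7a", "AuthService"],
]);

// Swap every synthetic identifier in the LLM's response back to its real name.
function restore(response: string): string {
  let out = response;
  for (const [synthetic, real] of reverseMap) {
    // Word-boundary match avoids clobbering identifiers that merely
    // contain a synthetic as a substring.
    out = out.replace(new RegExp(`\\b${synthetic}\\b`, "g"), real);
  }
  return out;
}

const mutatedReply = "async function _fn4a2b(_v9k1m: string) { /* ... */ }";
console.log(restore(mutatedReply));
// → "async function getUserToken(userId: string) { /* ... */ }"
```

Because the substitution is a pure lookup, the round trip is lossless: every synthetic in the response maps back to exactly one real name.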
## Why Deterministic Hashing Matters
Pretense uses a deterministic 4-character hex hash for mutation. The same identifier always produces the same synthetic. This enables:
1. **Exact reversal**: After the LLM responds, Pretense swaps all synthetics back to real names.
2. **Cross-session consistency**: The same mutation map works across multiple prompts about the same codebase.
3. **Auditability**: Every mutation is logged. You can prove exactly what was sent and what was received.
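A deterministic mutation scheme can be sketched in a few lines. The hash function and prefixes here are assumptions for illustration (the article does not specify which hash Pretense uses; SHA-256 stands in):

```typescript
import { createHash } from "node:crypto";

// Hypothetical sketch: derive a deterministic 4-char hex synthetic from a
// real identifier. SHA-256 and the "_fn" prefix are assumptions, not
// Pretense's documented scheme.
function mutate(name: string, prefix: string): string {
  const digest = createHash("sha256").update(name).digest("hex");
  return `${prefix}${digest.slice(0, 4)}`;
}

// Forward and reverse maps together give exact reversal and auditability.
const forward = new Map<string, string>();
const reverse = new Map<string, string>();

function record(name: string, prefix: string): string {
  const synthetic = forward.get(name) ?? mutate(name, prefix);
  forward.set(name, synthetic);
  reverse.set(synthetic, name);
  return synthetic;
}

// Determinism: the same input always yields the same synthetic,
// which is what makes cross-session consistency possible.
const a = record("getUserToken", "_fn");
const b = record("getUserToken", "_fn");
console.log(a === b); // true
```

Note that a 4-character hex digest has only 65,536 values, so a production system would need a collision strategy for large codebases; that detail is out of scope for this sketch.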
## LLM Output Quality Comparison
We ran 200 refactoring tasks across 4 codebases, comparing:
| Approach | Task completion rate | Semantic correctness | Round-trip fidelity |
|---|---|---|---|
| No protection | 94% | 93% | N/A |
| Redaction | 31% | 28% | N/A |
| **Pretense mutation** | **91%** | **89%** | **100%** |
Redaction cuts task completion by more than 60 percentage points. Pretense costs about 3 points, within measurement noise, and adds perfect round-trip fidelity.
## The Security Properties
Mutation provides stronger security guarantees than redaction in one critical dimension: **enumeration resistance**.
Even if a threat actor intercepts your API call (man-in-the-middle, provider breach, logging infrastructure compromise), they see only synthetic identifiers. They cannot map `_fn4a2b` back to `getUserToken` without your mutation map, which never leaves your machine.
Redacted calls still leak information through function signatures, parameter types, and structural patterns; a determined attacker can reconstruct intent from redacted prompts. Mutation replaces every identifying name, so an intercepted prompt reveals only anonymous structure with nothing to anchor it to your codebase.
## Conclusion
Redaction is a cargo-cult security measure for AI tools. It feels safe while breaking the tool it's meant to protect.
Mutation preserves utility while providing stronger security guarantees. It's the only approach that satisfies both the security team and the engineering team — which is exactly what you need for enterprise adoption.
[Try Pretense free →](/docs)