A focused publication on prompt injection. Direct and indirect techniques, model-specific behaviors, taxonomy, PoCs against open and closed models, defenses and their failure modes — written for working AI red teamers, not press releases.https://promptinjection.report/enhttps://promptinjection.report/posts/bing-sydney-indirect-prompt-injection-incident/https://promptinjection.report/posts/bing-sydney-indirect-prompt-injection-incident/In early 2023, Bing Chat became the first widely-publicized case of indirect prompt injection in a deployed commercial LLM. What happened, what the attack surface was, and what it revealed about production injection risk.Sat, 16 May 2026 00:00:00 GMTprompt-injectionincident-analysisbingsydneyindirect-prompt-injectionreal-worldcase-studyPrompt Injection Report Editorialhttps://promptinjection.report/posts/garak-vs-pyrit-vs-promptmap/https://promptinjection.report/posts/garak-vs-pyrit-vs-promptmap/Three frameworks for testing LLMs for prompt injection: Garak, PyRIT, and promptmap. What each one is built for, where each falls short, and how to decide which one to run.Fri, 15 May 2026 00:00:00 GMTprompt-injectiongarakpyritpromptmapllm-securitytestingred-teamtoolingPrompt Injection Report Editorialhttps://promptinjection.report/posts/rebuff-defense-review-failure-modes/https://promptinjection.report/posts/rebuff-defense-review-failure-modes/Rebuff is a multi-layer prompt injection detection system. An honest audit of how its four detection layers work, what they catch in practice, and how each layer can be bypassed.Thu, 14 May 2026 00:00:00 GMTprompt-injectiondefenserebuffdetectioncanary-tokensllm-securitybypassPrompt Injection Report Editorialhttps://promptinjection.report/posts/indirect-prompt-injection-poc-llama3-rag/https://promptinjection.report/posts/indirect-prompt-injection-poc-llama3-rag/A reproducible PoC of indirect prompt injection against Llama 3.1 8B in a document-QA pipeline. What landed, what didn't, and what the defense gap looks like from the inside.Wed, 13 May 2026 00:00:00 GMTprompt-injectionllamaragpocindirect-prompt-injectionopen-source-modelsred-teamPrompt Injection Report Editorialhttps://promptinjection.report/posts/prompt-injection-attack-taxonomy/https://promptinjection.report/posts/prompt-injection-attack-taxonomy/Direct, indirect, multi-modal, and agentic prompt injection are distinct attack classes with different trust boundaries, attacker access requirements, and defenses. A practitioner's map.Tue, 12 May 2026 00:00:00 GMTprompt-injectiontaxonomyindirect-prompt-injectionmulti-modalagentic-aithreat-modelingPrompt Injection Report Editorialhttps://promptinjection.report/posts/prompt-injection-vs-jailbreaking/https://promptinjection.report/posts/prompt-injection-vs-jailbreaking/Prompt injection and jailbreaking both use natural language to subvert LLM behavior, but the attacker, the trust boundary that breaks, and the defenses that work are different. A comparison for security engineers.Mon, 11 May 2026 00:00:00 GMTprompt-injectionjailbreakingllm-securitythreat-modelingindirect-prompt-injectionowasp-llmPrompt Injection Report Editorialhttps://promptinjection.report/posts/prompt-injection-regulatory-liability/https://promptinjection.report/posts/prompt-injection-regulatory-liability/Prompt injection has been a security problem since 2022. As of 2026, it's also a compliance problem. Where the regulatory liability actually attaches, and what deployers should document.Thu, 07 May 2026 00:00:00 GMTprompt-injectionregulatory-liabilityeu-ai-actcompliancepolicyPrompt Injection Report Editorialhttps://promptinjection.report/posts/welcome/https://promptinjection.report/posts/welcome/Prompt Injection Report covers offensive AI security from a working practitioner's perspective. Here's what we publish.Sun, 03 May 2026 00:00:00 GMTmetaPrompt Injection Report Editorial