Interactive tool
Injection Threat Modeler
Assemble your LLM application from building blocks. The modeler shows which of the five prompt-injection taxonomy classes become reachable, which trust boundary each one breaks, the attacker access required, a sanitized proof-of-concept pattern (described, never a live payload), and the defenses that mitigate the class — each annotated with its known failure mode. Export the whole threat model as Markdown.
Each of the five taxonomy classes becomes reachable only when your selected blocks expose its channel. We describe sanitized PoC patterns only — no live payloads, in line with this site's stance.

5 taxonomy classes · reviewed 2026-05.
The five-class taxonomy
| Class | Becomes reachable with | In one line |
|---|---|---|
| Direct prompt injection | user-chat, system-prompt | The user themselves supplies adversarial instructions. |
| Indirect prompt injection | rag-corpus, web-fetch, doc-ingestion | Instructions arrive through content the model consumes, not from the user. |
| Multimodal injection | doc-ingestion, web-fetch | The instruction is carried in a non-text modality (image/audio/file). |
| Agentic / tool-use injection | function-calling, multi-agent | Injection drives tool calls or hijacks downstream agents — leading to real-world actions. |
| Insecure output handling | html-render | The injection's payload executes in the consumer of the model's output. |