Topics

Direct, indirect, multi-modal, and agentic prompt injection are distinct attack classes with different trust boundaries, attacker access requirements, and defenses. A practitioner's map.

Prompt injection and jailbreaking both use natural language to subvert LLM behavior, but the attacker, the trust boundary that breaks, and the defenses that work are different. A comparison for security engineers.

Rebuff is a multi-layer prompt injection detection system. An honest audit of how its four detection layers work, what they catch in practice, and how each layer can be bypassed.

In early 2023, Bing Chat became the first widely-publicized case of indirect prompt injection in a deployed commercial LLM. What happened, what the attack surface was, and what it revealed about production injection risk.

A reproducible PoC of indirect prompt injection against Llama 3.1 8B in a document-QA pipeline. What landed, what didn't, and what the defense gap looks like from the inside.

Prompt injection has been a security problem since 2022. As of 2026, it's also a compliance problem. Where the regulatory liability actually attaches, and what deployers should document.

Prompt Injection Report covers offensive AI security from a working practitioner's perspective. Here's what we publish.

Three frameworks for testing LLMs for prompt injection: Garak, PyRIT, and promptmap. What each one is built for, where each falls short, and how to decide which one to run.