Prompt Injection
Definition
Prompt injection is an attack that supplies adversarial input so a language model treats attacker-controlled text as trusted instructions. It is ranked `LLM01:2025` in the OWASP Top 10 for LLM Applications, the #1 risk verified against the 2025 source by the LLM Top 10 standards review. The model has no reliable boundary between developer instructions, user input, and content it retrieves, so text in any of those channels can redirect its behavior.
The class is recognized across the standards bodies the wiki tracks: MITRE ATLAS catalogs prompt injection as an adversarial technique against language-model systems (AML.T0051, LLM Prompt Injection), and the NIST AI 600-1 GenAI Profile names prompt injection (both direct and indirect) under its information-security risk category, where its Suggested Action MS-2.7-007 directs deployers to red-team resilience against it.
Variants on the wiki
- Indirect prompt injection — the payload arrives through content the model retrieves (a web page, document, or tool output) rather than the user’s direct prompt.
- Recursive prompt injection — injected instructions that propagate through agent-to-agent or multi-step chains.
- Network-layer containment and prompt injection containment — the defensive practices.
Why it is load-bearing
Prompt injection is one leg of the lethal trifecta (untrusted input, private data access, exfiltration channel). Because there is no robust in-band fix, current defenses are architectural: constrain what a model can do after it reads untrusted text, rather than trying to filter the text perfectly. It is the recurring entry vector across the threat-modeling spine’s worked example: ASI01 goal hijack, ASI06 memory poisoning, and ASI02 tool misuse all begin with injected content. The reconciliation matrix maps it to the Runtime plane (LLM01, AML.T0051), where detection is capped by the policy decision that follows.
See also
- SYARA Semantic Detection — a detection-side response: semantic rules that catch injection intent at scale.
Remaining depth
This is the parent concept for the wiki’s injection-variant pages. Still to add: detection limits, the spotlighting/delimiting research, and the CaMeL-style capability-constraint approach.