Simon Willison

Independent researcher and writer at simonwillison.net, co-creator of Django, and creator of Datasette. Since 2022 has been one of the most-cited public commentators on prompt injection and LLM security. Coined the term “Lethal Trifecta for AI Agents” in June 2025 — the formulation that an agent with (1) access to private data, (2) exposure to untrusted content, and (3) the ability to externally communicate can be tricked by an attacker into exfiltrating the private data.

The Lethal Trifecta has been adopted as a load-bearing framing in subsequent practitioner work, including the Securing Your Agents deck (Bill McIntyre, 2026), Stripe’s containment-architecture writing (see Stripe), and as a shorthand in the OWASP Agentic Top 10 discussion.

Notable Contributions to the Field

• “The Lethal Trifecta for AI Agents” — simonwillison.net, June 2025
• Long-running blog coverage of prompt-injection attacks, indirect injection vectors, and tool-call exploitation across major model releases
• Public-facing analysis of agent kill chains (e.g., GeminiJack, Jules-class compromises) before they appeared in vendor disclosures

See Also

• Lethal Trifecta — the concept page
• Indirect Prompt Injection — the attack class Willison’s writing emphasizes
• Johann Rehberger — fellow public-research voice on agent security