Glossary / Prompt Injection
Prompt injection is an attack where instructions are placed into an LLM's input so the model treats them as commands instead of data.
Large language models process prompts as a single stream of text. When system guidance, user requests, and external content are mixed together, the model can give unintended weight to instructions that were meant to be treated as plain data.
Prompt injection appears in chatbots, AI assistants, and agent workflows where the model reads or summarizes documents, emails, or web pages. It can be direct (a user message) or indirect (instructions hidden inside content the model reads).
This differs from traditional injection flaws because filtering input alone is not enough. Defenses focus on separating instructions from data, limiting tool permissions, validating outputs, and monitoring for unexpected behavior.
Prompt injection happens when untrusted content is mixed with instructions, so the model cannot reliably distinguish commands from data.
Appsecco's AI/MCP testing maps where untrusted content enters prompts, attempts controlled injections, and verifies that boundaries, permissions, and validations hold up in practice.
System guidance, developer instructions, user input, and retrieved content all appear in one prompt. If boundaries are not explicit, the model may treat embedded text as instructions.
An attacker, or even a benign document, can include phrases like "ignore previous instructions" or tool requests that look like operational commands.
When the model can call tools or fetch data, injected directives can lead to unintended actions unless permissions and output checks are enforced.
These types describe where instructions enter the prompt and how they influence model behavior. In Appsecco testing, we trace each input channel and validate the controls that should keep instructions and data distinct.
Instructions are placed directly in a chat message or form input that the system intended to treat as plain data.
Instructions are embedded in documents, web pages, or retrieved content that the model summarizes or uses for context.
Injected instructions attempt to trigger tool calls, data access, or workflow steps beyond what the user requested.
These are representative scenarios seen in AI assistants and agent workflows. Each example highlights how teams keep outcomes predictable by separating instructions, limiting tools, and validating outputs.
A user message included hidden text like "ignore previous instructions" and asked for internal policy details.
The assistant attempted to follow the injected text, but output validation stripped sensitive snippets and returned a safe summary.
Confidence signal: Clear separation between system guidance and user content kept responses within scope.
A retrieved PDF embedded a request to call an internal endpoint while the model was summarizing content.
Tool allowlists blocked the call, and audit logs flagged the attempt for review.
Confidence signal: Least-privilege tool scopes and logging prevented unintended actions.
A web page used during browsing contained a hidden instruction to change calendar invites.
The agent required explicit confirmation before making any scheduling changes.
Confidence signal: Human-in-the-loop approvals reduced surprises for end users.
These patterns are why prompt injection testing focuses on boundary clarity, tool permissions, and verification before actions are taken.
Prompt injection is a predictable outcome of how LLMs blend instructions and data, not a failure of diligence. Prevention relies on clear boundaries, scoped permissions, and verification so teams can keep behavior stable without overcorrecting.
A RAG assistant moved retrieved text into a dedicated data block, required explicit user intent for tool calls, and applied output checks. With those controls in place, injected instructions were ignored and summaries stayed in scope.
The goal is not to block all input, but to make model behavior predictable and reviewable under real usage.
Core risks and controls for systems built on large language models.
Where tool access, memory, and permissions can introduce new failure modes.
How Model Context Protocol integrations expand the attack surface.
Validating flows and intent, not just technical input validation.
Safe next step
If you are reviewing prompt injection risks or AI agent controls, we can walk through how we scope AI/MCP testing, what boundaries we check, and the evidence you will receive.
Start a conversationor Read the first pentest guide first