Your web application firewall does not understand prompt injection

Classic appsec defends the perimeter. The agent attack surface is semantic, and it walks right through controls built for syntax.

B

Balagei G Nagarajan

3 MIN READ


A traditional firewall inspecting syntax while a plain-language injection passes through untouched
Keep your firewalls, your input validation, your authentication.
— from “Your web application firewall does not understand prompt injection”

Key facts.

  • OWASP published a separate Top 10 for LLM Applications because classic web security did not cover injection, tool poisoning, output handling, or excessive agency (OWASP, 2025).
  • Prompt injection is semantic: it carries malicious intent in valid natural language, which signature-based tools are not designed to catch.
  • The gap is not raw capability, with GPT-4 plus plugins solving only about 15% of GAIA tasks versus 92% for humans, it is that the attack is meaning, not malformed syntax, which perimeter controls do not read (GAIA, 2023).

What does classic appsec still get you, and what does it miss?

Keep your firewalls, your input validation, your authentication. They still defend the conventional surface. What they miss is the new layer: an attacker who never sends a malformed packet, only a polite paragraph that tells your agent to do something harmful. Defending that needs agent-aware controls, instruction-data separation, taint tracking on untrusted content, action gating, and behavioral pattern detection. Classic appsec is necessary and no longer sufficient. The agent added a surface your old tools cannot see.

Two-layer diagram showing the conventional attack surface covered by appsec and the semantic agent surface left exposed

Perimeter controls vs. agent-aware controls

Perimeter controlsAgent-aware controls
Inspect syntax and signaturesTrack instructions, taint, and behavior
Miss semantic injectionDetect instruction-like untrusted content
Built for malformed inputBuilt for well-formed malicious meaning

A firewall reads syntax; injection is meaning in prose, so a stronger model won't catch it: GPT-4 plus plugins solved 15% of GAIA, the incident is the class. (arXiv:2311.12983)

VibeModel's Pattern Intelligence Layer is the agent-aware layer your perimeter tools cannot be. We work at the level where the new attacks live, the meaning of what flows through the agent and the behavior that follows, so a polite paragraph carrying a harmful instruction is caught where a firewall waves it through. Keep your appsec. Add the layer that understands agents.

Frequently asked questions

Should I drop my existing security tools?
No. They still defend the conventional surface. Add agent-aware controls on top; the two layers cover different threats.

Can I write WAF rules for injection?
Only crudely. Injection is open-ended natural language, so signature rules catch a sliver and miss the rest. You need semantic, behavioral defenses.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.