
Key facts.
- OWASP published a separate Top 10 for LLM Applications because classic web security did not cover injection, tool poisoning, output handling, or excessive agency (OWASP, 2025).
- Prompt injection is semantic: it carries malicious intent in valid natural language, which signature-based tools are not designed to catch.
- The gap is not raw capability, with GPT-4 plus plugins solving only about 15% of GAIA tasks versus 92% for humans, it is that the attack is meaning, not malformed syntax, which perimeter controls do not read (GAIA, 2023).
What does classic appsec still get you, and what does it miss?
Keep your firewalls, your input validation, your authentication. They still defend the conventional surface. What they miss is the new layer: an attacker who never sends a malformed packet, only a polite paragraph that tells your agent to do something harmful. Defending that needs agent-aware controls, instruction-data separation, taint tracking on untrusted content, action gating, and behavioral pattern detection. Classic appsec is necessary and no longer sufficient. The agent added a surface your old tools cannot see.

Perimeter controls vs. agent-aware controls
| Perimeter controls | Agent-aware controls |
|---|---|
| Inspect syntax and signatures | Track instructions, taint, and behavior |
| Miss semantic injection | Detect instruction-like untrusted content |
| Built for malformed input | Built for well-formed malicious meaning |
A firewall reads syntax; injection is meaning in prose, so a stronger model won't catch it: GPT-4 plus plugins solved 15% of GAIA, the incident is the class. (arXiv:2311.12983)
VibeModel's Pattern Intelligence Layer is the agent-aware layer your perimeter tools cannot be. We work at the level where the new attacks live, the meaning of what flows through the agent and the behavior that follows, so a polite paragraph carrying a harmful instruction is caught where a firewall waves it through. Keep your appsec. Add the layer that understands agents.
Frequently asked questions
Should I drop my existing security tools?
No. They still defend the conventional surface. Add agent-aware controls on top; the two layers cover different threats.
Can I write WAF rules for injection?
Only crudely. Injection is open-ended natural language, so signature rules catch a sliver and miss the rest. You need semantic, behavioral defenses.

