Prompt injection after mitigations: lower, never zero

Every defense moves the number down. None of them move it to zero. Planning for residual injection risk is the only honest security posture.

B

Balagei G Nagarajan

3 MIN READ


A dial labeled injection success rate moving toward zero but stopping short of it after each defense
69% on GPT-4o with defenses, so the incident is late, not absent.
— from “Prompt injection after mitigations: lower, never zero”

Key facts.

  • A dedicated prompt-injection benchmark lands targeted attacks on GPT-4o 47.69% of the time, and agents solve under 66% of tasks even with no attack present (AgentDojo, 2024).
  • Injection succeeded 41 to 84% across frontier-backed coding agents, with some attack categories above 90% (AIShellJack, 2025).
  • The root cause is that instructions and data share one channel, so no single filter fully separates them.

If defenses don't reach zero, what's the point of them?

An upgrade lowers the injection rate, never to zero: AgentDojo lands 47.69% on GPT-4o with defenses, so the incident is late, not absent. (arXiv:2406.13352)

The point is defense in depth plus containment. Input filtering, output checks, and instruction-data separation each reduce the rate, and stacking them reduces it further. But the decisive move is to assume some injection gets through and limit what it can do: gate exfiltration-capable actions, require approval for irreversible steps, and treat untrusted-content ingestion as a taint event. You aren't trying to make injection impossible, you're trying to make a successful injection harmless.

Funnel diagram showing layered defenses each shrinking injection success but a residual always passing through to a containment gate

Eliminate vs. contain

Trying to eliminateReduce and contain
One filter assumed sufficientLayered defenses plus a containment gate
Surprised when injection succeedsPlans for residual success
Blast radius unboundedBlast radius limited by gates

VibeModel's Pattern Intelligence Layer is built for the residual. We recognize the behavioral pattern of a successful injection, an agent acting on an instruction it shouldn't have, and stop the dangerous action even when the injection itself slipped past the filters. Lower the rate however you can; we make sure what gets through can't hurt you.

Frequently asked questions

Will a future model solve this?
Unlikely soon. The instruction-data confusion is fundamental to how LLMs read text. Plan for residual risk regardless of model.

what's the single highest-value defense?
Containment: gate exfiltration and irreversible actions. It turns a successful injection into a non-event.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.