What is prompt injection?
Prompt injection is a vulnerability in software built around large language models. The failure is not simply that a model can be persuaded to say something odd. The security issue appears when an application mixes trusted instructions, untrusted text, sensitive context, and real tools inside the same model interaction, then treats the model output as trustworthy.
A direct attack comes from the user prompt itself. An indirect attack hides instructions inside material the app processes later: a web page in a browser agent, an email in a productivity assistant, a document in a retrieval system, a support ticket in a triage bot, or a source file read by a coding assistant. The second category is harder because the attacker may never talk to the model directly.
"an attack against applications that have been built on top of AI models"
Why it matters
The impact depends on the application. A toy chatbot may only produce a bad answer. A customer-support copilot could reveal private account details. A browser agent could act on content it found on a page. A coding agent could write unsafe code. A data-analysis assistant could run generated code or query records outside the user's authorization. OWASP lists prompt injection as LLM01 in its 2025 Top 10 because the risk follows the privileges the application grants to the model.
A useful security posture starts with humility: prompt wording is not a reliable boundary. Delimiters, system messages, and "ignore malicious instructions" reminders can reduce casual failures, but they do not replace access control, deterministic validation, explicit permissions, or human approval for high-impact actions.
How to use this reference
This site is organized like a compact security field guide. Start with the taxonomy, read the mechanism page to understand instruction/data collapse, then move to defenses and red-teaming. The incident page gives dated examples without publishing novel payloads. The resources page links to primary research, OWASP guidance, and practical tools.
Free defensive tools
Rogue Prompt now includes browser-only tools for launch review: a prompt-injection risk checklist, a system prompt hardening linter, and an LLM app threat model generator. They are designed to produce defensive review artifacts without sending your prompt or architecture notes anywhere.