FAQ

Prompt Injection FAQ

Concise answers to common questions about prompt injection, jailbreaks, indirect attacks, prevention, and responsible testing.

Updated 2026-07-06

Basics

What is prompt injection?

Prompt injection is a vulnerability where instructions supplied by a user or by external content alter the behavior of an LLM application in unintended ways. The security issue becomes serious when the model can access sensitive data, make decisions, or call tools.

What is the difference between a jailbreak and prompt injection?

A jailbreak is usually a direct attempt to bypass a model or application policy. Prompt injection is broader: it includes direct jailbreak-style attempts and indirect attacks where instructions are hidden inside content the application reads.

What is indirect prompt injection?

Indirect prompt injection happens when hostile instructions are embedded in untrusted content such as a web page, email, PDF, code comment, support ticket, or retrieved document. The user may ask a harmless question, but the application brings attacker-controlled text into the model context.

Defense

Is prompt injection solvable?

There is no generally accepted complete fix for all LLM applications. Practical defense is risk reduction: minimize privileges, separate trusted and untrusted content, validate tool calls outside the model, require human approval for high-impact actions, and continuously test.

Do delimiters or system prompts prevent prompt injection?

They can help the model interpret context, but they are not security boundaries. Attackers can paraphrase, encode, split, or hide instructions. Use prompt structure as one layer, not the layer that protects data or tools.

Can input filtering stop prompt injection?

Filtering catches obvious cases and is worth using, but it is incomplete by itself. A robust system assumes some hostile content will pass and prevents that content from changing authorization, tool calls, or high-impact outputs.

Is a system prompt leak always a security incident?

A leak is a problem if the prompt contains secrets, hidden policy logic, sensitive architecture details, or bypass instructions. Treat system prompts as non-secret operational guidance. They should not contain credentials or confidential data.

Testing and real cases

How do you test for prompt injection responsibly?

Test only systems you own or are authorized to assess. Define scope, use controlled data, avoid destructive actions, record outcomes, report findings privately, and rerun tests after fixes. Red-team the application flow, not just the base model.

What are real prompt-injection attacks?

Public cases include early Bing Chat prompt leakage, indirect prompt injection research demonstrations, plugin-based exfiltration proofs of concept, and email-assistant scenarios where hidden instructions in messages influence AI workflows.

Sources for these answers