Source library
Prompt Injection Resources
Primary sources, research papers, defense guidance, tooling, and machine-readable files for LLM security work.
Updated 2026-07-06
Standards and frameworks
Start with OWASP and NIST. OWASP gives the application-security taxonomy and practical mitigations. NIST gives broader risk-management language for governance, measurement, and evaluation. Together they help security teams talk to engineers, product leaders, and risk owners without reducing prompt injection to a prompt-engineering trick.
OWASP
OWASP LLM01:2025 Prompt Injection
The core OWASP GenAI Security Project page for direct and indirect prompt injection risks.
OWASP
OWASP LLM Prompt Injection Prevention Cheat Sheet
Hands-on mitigation guidance for agents, remote content, least privilege, monitoring, and guardrails.
NIST
NIST AI Risk Management Framework
Risk-management framework and generative AI profile for trustworthy AI governance.
Research papers
The most useful papers do more than collect attack strings. They describe the trust-boundary problem, the agent architecture problem, and the conditions under which untrusted text can control behavior. Read them for threat models and design patterns, not for copy-paste probes.
Indirect injection
Not what you have signed up for
The 2023 Greshake et al. paper on compromising LLM-integrated applications through indirect prompt injection.
Agent design
Design Patterns for Securing LLM Agents against Prompt Injections
Formal discussion of design patterns including action selectors, plan-then-execute, dual LLMs, and context minimization.
Instruction/data separation
Can LLMs separate instructions from data?
Research on the core ambiguity behind prompt injection: distinguishing instructions from data.
Defense guidance
These sources are useful when converting theory into product changes. Look for the controls that fit your threat model: privilege separation, quarantined processing, tool allow-lists, sandboxing, security classifiers, user approval, logging, and continuous evaluation.
Primer
Prompt injection explained
A clear developer-oriented explanation of why prompt injection targets applications built on top of models.
Architecture
The Dual LLM pattern
Simon Willison's proposal for separating privileged and quarantined model roles.
Operational defense
Practical LLM security advice from the NVIDIA AI Red Team
Practical pitfalls and mitigations from real AI red-team assessments.
Layered defenses
Google layered defense strategy
Google guidance on defense layers for indirect prompt injection.
Adaptive testing
Gemini security safeguards
Google DeepMind discussion of automated red teaming and defense-in-depth for indirect prompt injection.
Detection
Microsoft Prompt Shields
Microsoft documentation on user prompt attacks and document attacks.
Tooling
Automated tools help you find regressions and compare versions, but they should not replace manual threat modeling. Treat tools as part of a loop: define the product risk, create test cases, run evaluations, fix architecture, and rerun the same cases in CI or scheduled jobs.
Open source
Promptfoo red teaming
Framework for adversarial testing, evaluations, and regression checks.
Scanner
NVIDIA garak
Open-source LLM vulnerability scanner for probing known classes of model and app weakness.
Knowledge base
MITRE ATLAS
Adversarial threat landscape for AI systems, useful for mapping tactics and techniques.
Rogue Prompt free tools
These tools are built into this site and run client-side only. Use them to turn the sources above into practical review notes before launch.
Client-side
Prompt Injection Risk Checklist
Scores untrusted-input, tool-authority, data-exposure, and operations risk for LLM apps.
Client-side
System Prompt Hardening Linter
Flags prompt-held secrets, brittle wording, and missing trust-boundary guidance without uploading prompt text.
Client-side
LLM App Threat Model Generator
Creates copyable markdown threat models for chat, RAG, agent, and email-assistant architectures.
Machine-readable files
Treatment T4 includes both compact and expanded LLM-facing references for this site. Use llms.txt for the short map and llms-full.txt for a longer summary of definitions, pages, and defensive principles.