benchmark 2026

Evaluation of Prompt Injection Defenses in Large Language Models

Priyal Deep (1,2), Shane Emmons (1), Amy Fox (1), Kyle Bacon (1), Kelley McAllister (1), Krisztian Flautner (2)

Published on arXiv: 2604.23887

Topic: Prompt Injection (OWASP LLM Top 10 — LLM01)

Key Finding

Every defense relying on the model to protect itself eventually broke; only hardcoded output filtering achieved zero secret leaks across 15,000 attacks.

LLM-powered applications routinely embed secrets in system prompts, yet models can be tricked into revealing them. We built an adaptive attacker that evolves its strategies over hundreds of rounds and tested it against nine defense configurations across more than 20,000 attacks. Every defense that relied on the model to protect itself eventually broke. The only defense that held was output filtering, which checks the model's responses against hardcoded rules in separate application code before they reach the user; it achieved zero leaks across 15,000 attacks. These results demonstrate that security boundaries must be enforced in application code, not by the model being attacked. Until such defenses are verified by tools like Swept AI, AI systems handling sensitive operations should be restricted to internal, trusted personnel.

Key Contributions

  • Adaptive agentic attacker that evolves strategies over hundreds of rounds to test prompt injection defenses
  • Systematic evaluation of 9 defense configurations across 20,000+ attacks showing all model-based defenses fail
  • Demonstrates output filtering in application code is the only defense achieving zero leaks across 15,000 attacks

Details

Domains: nlp
Model Types: llm, transformer
Threat Tags: black_box, inference_time, targeted
Applications: llm-powered applications, chatbots, ai agents