11 variants - direct, indirect, RAG pipeline, tool output injection
Prompt Injection is ranked LLM01 in the OWASP LLM Top 10 (2025) — the industry-standard taxonomy for large language model security risks. It represents one of the most commonly exploited vulnerability classes in production AI deployments.
Direct & indirect injection - instruction override, Unicode obfuscation, delimiter escape, RAG pipeline, tool output injection.
CodeWall's autonomous offensive agent was pointed at McKinsey's Lilli platform. It found 22 unauthenticated API endpoints through publicly exposed documentation. A JSON field was concatenated directly into SQL queries - a textbook injection flaw. Full read/write access to the production database was achieved in under two hours without any human involvement.
A researcher shared a PowerPoint presentation with hidden prompt injection payloads embedded in speaker notes. When a recipient asked Copilot to summarise the document, the injected instructions fired and Copilot returned the user's recent private emails instead of a summary.
Vanna AI's natural language to SQL interface was vulnerable to prompt injection that allowed attackers to craft prompts causing the model to generate and execute arbitrary SQL queries against the connected database - bypassing the intended query restrictions entirely.
Run the full LLM01 attack suite against your LLM in minutes.