cd /news/ai-safety/now-defenders-are-embracing-the-prom… · home topics ai-safety article
[ARTICLE · art-57482] src=arstechnica.com ↗ pub= topic=ai-safety verified=true sentiment=↑ positive

Now, defenders are embracing the prompt injection, too

Researchers from Tracebit found that planting prompt injections alongside secrets in AWS environments can stop AI hacking agents from seizing control, reducing full account admin access from 57% to 5% in tests across five leading models.

read2 min views1 publishedJul 13, 2026
Now, defenders are embracing the prompt injection, too
Image: Arstechnica (auto-discovered)

Prompt injections, the malicious commands attackers embed into content to entice LLMs to follow them, have been attackers’ go-to tool for turning AI platforms against their users. A well-phrased command sneaked into an email or calendar invitation is often all it takes to cause the LLM to exfiltrate sensitive data or follow other harmful actions.

Now defenders are embracing the prompt injection, too.

A strong, sharp effect #

Researchers from Tracebit on Monday said they found that placing prompt injections alongside passwords, cryptographic keys, and other secrets stored on AWS was often all that was needed to shut down attacks from AI hacking agents. The prompts direct the attacking LLM to perform an action forbidden by its guardrails, the safety barriers AI developers erect to prevent them from taking harmful actions. The LLM responds by shutting down.

Examples are a prompt that orders the LLM to provide the steps for developing inhalable Anthrax spores, or, in the case of LLMs from Chinese developers, make references to the iconic Tank Man from the 1989 Tiananmen Square massacre. Once the LLM encounters these forbidden commands, they no longer follow their existing commands. The researchers have named the technique context bombing.

“Ultimately we’re triggering a refusal mechanism in the context,” Andy Smith, co-founder and CEO of Tracebit, said when explaining the name choice. “What we’re trying to capture is the fact that this does have a strong, sharp effect and one that can be difficult for the agents to come back from. Once they get that into their context they are going to keep refusing.”

Tracebit says initial testing suggests context bombing has great potential. They tested Opus 4.8, Gemini 3.1 Pro, GLM 5.2, DeepSeek 4 Pro, and Kimi 2.6 by giving them instructions to perform routine developer tasks that led the models to enumerate resources and stumble onto the planted strings. They ran the models inside a simulated AWS environment.

“Across five leading models and 152 attack runs, planting one of these strings in a decoy secret cut the rate at which agents seized full account admin from 57% to 5%, and complete compromise (where they also left themselves a persistent foothold) from 36% to 1%,” Monday’s post reported. “The most capable agent in our tests, Opus 4.8, went from achieving admin access in 93% of runs to failing every single time when confronted with a context bomb.”

── more in #ai-safety 4 stories · sorted by recency
── more on @tracebit 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/now-defenders-are-em…] indexed:0 read:2min 2026-07-13 ·