Prompt injection has become one of the defining security problems of the AI era, and CrowdStrike just made the map of it bigger. The company's AI security research team has published 18 new prompt injection techniques, pushing its public taxonomy past 200 distinct methods for manipulating the language, context, and data that AI systems trust. Prompt injection means sneaking instructions into the text or data a model reads so that it follows the attacker instead of the user.
The risk has grown sharply as organizations move from simple chatbots to AI agents that can crawl webpages, open file stores, and even run shell commands. When an agent ingests attacker controlled data, an instruction hidden inside that data can hijack it, a class of attack researchers call indirect prompt injection. IntelFusions has covered how scammers plant hidden instructions in websites to redirect AI agents, and how North Korean malware even tries to gaslight AI triage tools.
Five new tricks
Among the additions, CrowdStrike details five techniques that show how far past crude jailbreaks the field has moved:
- Trigger Activated Rule Addition: a sleeper instruction that does nothing until a trigger word or event appears, then quietly changes the agent's behavior. One example tells a model to start duplicating every outgoing email to anon[at]evilcorp[.]corp once a keyword is used.
- Cognitive Token Suppression: blocking a model's usual refusal and apology words to steer it away from safely declining a request.
- Algorithmic Payload Decomposition: breaking a malicious command into harmless looking fragments, then instructing the model to reassemble and run them, so scanners see only benign pieces.
- Special Token Injection: faking the delimiters and role markers a model uses internally, tricking it into treating untrusted input as a trusted system command.
- Unwitting User Delivery: socially engineering an authorized user into pasting a hidden payload themselves, so it runs inside their own authenticated session.
What it means for defenders
CrowdStrike argues that securing AI now requires threat modeling every place model context can originate, including prompts, files, retrieval pipelines, agent memory, APIs, tool outputs, browser content, emails, and SaaS data. AI red teaming needs to move well beyond typing "ignore previous instructions," and detection has to account for composite attacks that chain several of these techniques at once. Above all, teams need runtime visibility into the prompts and responses flowing through their AI systems, since an instruction buried in retrieved data can look perfectly innocent until the moment it fires.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.