Prompt Injection and Jailbreaks

Prompt injection is the LLM-era analogue of classic injection flaws (SQL, command). The root cause is identical: an application mixes trusted instructions and untrusted data in the same channel, and the interpreter (the model) cannot reliably tell them apart.

With an LLM, the system prompt, the developer's instructions, and any retrieved content all arrive as one flat token stream. If attacker-controlled text says Ignore previous instructions and..., the model may obey it because, to the model, it is just more language.

• Trusted: your system prompt and policy.
• Untrusted: user input, web pages, files, tool output, emails.

Direct prompt injection happens when the end user types adversarial instructions straight into the prompt to override the application's intended behavior.

A typical attempt against a customer-support bot looks like this:

• The bot is told to only answer billing questions.
• The user pastes text that re-frames the model's role and asks it to leak its system prompt or perform out-of-scope actions.

Direct injection is the easiest to reason about because the malicious text and the attacker are the same person, but it still bypasses naive guardrails.