Now in early access, book a 30-minute demo →
Top riskcritical

Prompt Injection

Any content an agent reads can carry instructions it will follow. Prompt injection turns web pages, READMEs, tickets, and tool output into a command channel that hijacks the agent's authority.

Attackerplants payload Untrusted contentweb page, README, ticket AI agentfollows injected orders Secrets + sourceenv vars, keys, code Attacker endpointexfiltration Tool-call hookallow / deny / log hidden prompt read into context reads sends data deny before run
Indirect prompt injection: a payload planted in untrusted content steers the agent into reading secrets and exfiltrating them.

Prompt injection is the defining vulnerability of agentic AI: an attacker puts instructions where the agent will read them, and the agent executes those instructions with its own authority. Unlike a memory-corruption exploit, there is nothing to patch, because following instructions in text is what the model is built to do. The security question is never whether injected text can influence the agent; it is what the agent is allowed to do once influenced.

How the attack works

Direct injection is a user typing hostile instructions into the agent, which mostly matters for shared and customer-facing agents. The variant that matters on the endpoint is indirect injection: the payload arrives inside content the agent fetches while doing legitimate work. A web page it browses, a README in a dependency, a Confluence page an MCP tool retrieves, a Jira ticket, a code comment, even the output of another tool - all of it lands in the context window with roughly the same standing as the user's own words. The mechanics are covered in depth in indirect prompt injection explained.

Injection becomes an incident when it combines with two other properties: access to sensitive data and the ability to communicate externally. That combination, the lethal trifecta, is the standard exfiltration chain: injected instructions tell the agent to read something valuable and send it somewhere the attacker controls.

Attack scenarios

Mitigations

  1. Treat every fetch as untrusted input. Know which of your agents and MCP tools pull external or user-generated content into context; that list is your injection surface.
  2. Cut the trifecta, not the text. You cannot sanitize natural language reliably. You can deny the combination: least privilege on what agents can read, and explicit egress policy on where they can send.
  3. Enforce at the tool-call boundary. The moment injection becomes action is a tool call: a shell command, a file read, a network request. A hook that evaluates each call against policy before it runs turns a hijacked agent into a logged, denied attempt.
  4. Keep an audit trail. Injection is quiet; the evidence is the sequence of tool calls. Retain them, queryable, long enough to investigate.

How Anomity helps

Anomity's Endpoint Sensor inventories every agent, MCP server, and skill that could carry or receive an injected payload, so the injection surface is enumerable instead of invisible. On agents that expose a hook, such as Claude Code's PreToolUse, each tool call is evaluated and allowed, denied, or logged before it runs - which is exactly where an injected read-secrets-and-exfiltrate chain breaks. Violations route to SIEM, Slack, email, and Jira, and every tool call lands in a queryable 90-day audit trail for investigation.

See this surface in your own fleet

Anomity's Endpoint Sensor discovers every AI agent, MCP server, skill, and rules file on every endpoint, and governs each tool call at the hook. Book a 30-minute demo.

Ask AI about Anomity
ChatGPT Claude Perplexity Google AI Grok