Building Injection-Resistant AI Systems
- About This Book
Introduction: The New Attack Surface
- The Attack Surface Has Changed
- Why This Book Exists
- Who This Book Is For
- The Central Thesis
- How This Book Is Organized
- A Note on Scope and Limitations
- The Stakes Are Real
Chapter 1. How LLMs Read Instructions: A Primer on Model Mechanics
- The Tokenization Layer: Where Text Becomes Numbers
- Attention: How LLMs Contextualize Every Token
- The Three Sources of Input in a Typical LLM Application
- Why This Is Not a “Bug”: It’s a Feature of the Architecture
- Historical Context: How We Got Here
- Competing Perspectives: Is the Risk Overstated?
- The “Blast Radius” Argument: Capability Determines Risk
- The Human-in-the-Loop Argument
- The “Models Are Getting Better” Argument
- The “It’s Just Input Validation” Argument
- Key Takeaway for Security Engineers
Chapter 2. The Principles of Prompt Engineering: Clarity, Reliability, and Security
- The Core Techniques
- The Security Dimension: Designing Secure Prompts
- Design Patterns for Effective Prompts
- Case Study: A Healthcare Chatbot That Hallucinated Because of Ambiguous Instructions
- Trade-offs and Competing Perspectives
- Quantitative Data: What Actually Works?
- Trade-offs and Competing Perspectives
- A Deeper Dive. The Role-Playing Prompt: Security Implications
- The Feedback Loop Risk: Why Multi-Hop Systems Are Inherently More Vulnerable
- Practical Walkthrough: Building a Secure RAG Prompt Template
- Key Takeaway
Chapter 3. Anatomy of Prompt Injection: Direct Attacks
- Direct Injection Mechanics
- Real-World Examples: Documented Incidents
- Prompt Leaking as Reconnaissance
- Why Legacy Defenses Fail
- The Fundamental Tension
- The Remoteli.io Incident: A Deep Dive
- The Bing/Sydney Leak: A Case Study in Reconnaissance
- Prompt Leaking as Reconnaissance (Continued)
- Why Legacy Defenses Fail (Expanded)
- The Fundamental Tension (Expanded)
- Key Takeaway
Chapter 4. The Indirect Injection Threat: RAG, Web Content, and Data Poisoning
- The RAG Trust Paradox
- Case Study: Slack AI (August 2024)
- Case Study: ChatGPT Memory / SpAIware (September 2024)
- PoisonedRAG: Five Documents, 90% Success Rate
- Vector Database Vulnerabilities
- Three-Layer Defense Architecture for RAG
- The Slack AI Attack: A Full Technical Walkthrough
- Competing Perspectives: Is RAG Really That Vulnerable?
- Three-Layer Defense Architecture for RAG (Expanded with Implementation)
- Key Takeaway
Chapter 5. Jailbreaks: Social Engineering for Machines
- What Jailbreaking Is (and Isn’t)
- The Taxonomy of Jailbreak Techniques
- Characteristics of Jailbreak Prompts
- Automated Jailbreak Discovery
- The Consequences: Character.AI and Beyond
- The GOAT Framework: How Automated Red Teaming Works
- TAP: Tree of Attacks with Pruning
- Defense Against Jailbreaks: A Practical Guide
- The Character.AI Case: A Cautionary Tale
- Key Takeaway
Chapter 6. AI Agents and Tool Use: When Prompts Become Shells
- From Chatbots to Agents
- The Semantic Kernel RCE Vulnerabilities (May 2026)
- Documented Incidents
- The Expanding Blast Radius
- Framework-Agnostic Vulnerabilities
- CVE-2026-26030: A Step-by-Step Code Analysis
- The Expanding Blast Radius: A Framework for Analysis
- A Deeper Look: The Semantic Kernel RCE Vulnerabilities (CVE-2026-26030 and CVE-2026-25592)
- Framework-Agnostic Vulnerabilities: The Deeper Truth
- Key Takeaway
Chapter 7. Defense-in-Depth Architecture: Layered Protections
- The Three-Layer Model
- Guardrails: The Runtime Enforcement Layer
- The Trade-Off: Security vs. Usability
- The Trade-Off: Security vs. Usability (Expanded with Calibration Examples)
- Competing Perspectives: Is Defense-in-Depth Overkill?
- Key Takeaway
Chapter 8: Instruction Hierarchy and Isolation Patterns
- The Core Principle: Instruction Hierarchy
- The Six Design Patterns for Injection-Resistant Agents
- Architectural Isolation Patterns
- Case Study: Applying Patterns to a Customer Service Chatbot
- Pattern Selection: A Decision Framework
- Case Study: Applying Patterns to a Healthcare Data Analysis Platform
- Competing Perspectives: Are Design Patterns Enough?
- Key Takeaway
Chapter 9. Enterprise Security Stacks: FIDES, LlamaFirewall, and Beyond
- Microsoft FIDES: Deterministic Defense Through Information Flow Control
- Meta LlamaFirewall: Open-Source Guardrail System
- Comparing Enterprise Options
- OWASP Top 10 for LLM Applications 2025
- Choosing the Right Stack
- FIDES Implementation: A Practical Walkthrough
- LlamaFirewall Deployment Guide
- LlamaFirewall’s Agent Alignment Check: A Deeper Dive
- The TaskTracker Alternative: Detection Through Internal Activations
- Comparing Enterprise Options (Expanded)
- Competing Perspectives. Deterministic vs. Probabilistic: The Real Trade-Off
- Key Takeaway
Chapter 10. Red-Teaming AI Systems: Practical Security Testing
- Why Red-Teaming Is Different
- Setting Up Automated Red Teams with Promptfoo
- PyRIT and Garak: Alternative Frameworks
- Building a Red-Team Playbook
- The LLMail-Inject Challenge: Lessons from 370,000+ Test Prompts
- CI/CD Integration
- PyRIT: Multi-Turn Attack Walkthrough
- Garak: Comprehensive Vulnerability Scanning
- Garak: Comprehensive Vulnerability Scanning
- CI/CD Integration: Making Red-Teaming Continuous
- The LLMail-Inject Challenge: Lessons from 370,000+ Test Prompts (Expanded)
- Practical Red-Team Exercise: A Complete Walkthrough
Chapter 11. Production Deployment: Monitoring, Incident Response, and Compliance
- Runtime Monitoring and Anomaly Detection
- Data Governance in AI Systems
- Incident Response Playbooks
- Compliance Frameworks
- Runtime Monitoring: A Practical Implementation Guide
- Incident Response Playbook (Expanded Template)
- Compliance Walkthrough: NIST AI RMF
- Compliance Walkthrough: EU AI Act
- The Real-World Cost of Prompt Injection Incidents
- Key Takeaway
Chapter 12. The Future of AI Security: Emerging Threats and Defenses
- Multimodal Injection
- Supply Chain Attacks in AI
- Adaptive Attacks
- Deterministic vs. Probabilistic Defenses
- The Role of Regulation and Standardization
- The Adaptive Arms Race: Attack and Defense Evolution
- Multimodal Injection: The Next Frontier
- The Supply Chain Attack Surface: Beyond Code
- The Adaptive Arms Race: Attack and Defense Evolution
- The Regulatory Landscape: A Practical Guide
- Supply Chain Security: Beyond Code
- The Regulatory Landscape: A Practical Guide
- Final Synthesis: Building a Security-First Culture