Defenders have started using prompt injections to stop AI hacking agents.
Researchers from Tracebit found that embedding malicious commands alongside passwords and cryptographic keys on Amazon Web Services is sufficient to shut down attacks. These prompts tell the attacking large language model to perform actions forbidden by its safety barriers. The model responds by stopping.
The technique, known as context bombing, uses specific forbidden commands. Examples include ordering the model to provide steps for developing inhalable Anthrax spores or referencing the iconic Tank Man from the 1989 Tiananmen Square massacre. Once the model encounters these commands, it ignores its existing instructions.
Andy Smith, cofounder and CEO of Tracebit, explained the naming choice. He said they are triggering a refusal mechanism in the context. He noted that the effect is strong and sharp, and difficult for the agents to recover from. Once the command enters their context, the agents keep refusing.
Initial testing suggests context bombing has great potential. The team tested Opus 4.8, Gemini 3.1 Pro, GLM 5.2, DeepSeek 4 Pro, and Kimi 2.6. They gave the models instructions to perform routine developer tasks that led them to enumerate resources and stumble onto the planted strings. The researchers ran the models inside a simulated AWS environment.
Across five leading models and 152 attack runs, planting one of these strings in a decoy secret reduced the rate at which agents seized full account admin from 57 percent to 5 percent. Complete compromise, where they also left themselves a persistent foothold, fell from 36 percent to 1 percent.
The most capable agent in the tests, Opus 4.8, went from achieving admin access in 93 percent of runs to failing every single time when confronted with a context bomb.
Averaged across the five models and the 152 runs, the results included:
- Admin privilege escalation fell from 57 percent to 5 percent
- Admin escalation with a persistent foothold fell from 36 percent to 1 percent
- Runs achieving any attack path fell from 91 percent to 15 percent
- On average, a run went from completing 1.53 paths successfully to just 0.16
- No runs were able to complete an attack path without at least triggering a canary detection
The research builds on findings from May, when Tracebit introduced a method for defenders to receive warnings when their infrastructure is under attack from AI agentic adversaries. It comes in the form of AWS resources that look like ones serving a legitimate purpose but, in fact, aren’t used at all. They sit alongside the resources that are used. When these decoys are probed by agentic AI, defenders receive an alert. Like canaries taken into coal mines, these resources allow defenders to detect a threat before it has fatal consequences.
The Tracebit Canariens, on average, alerted the start of an attack within eight minutes. The motivation for developing context bombing came out of the need for something that stopped attacks, rather than simply warning of them. In the experiments, the agentic models needed, on average, 14 minutes to escalate to administrative control. The six-minute heads-up was cutting things uncomfortably close.
Attackers have already been using prompt injections to close down AI defenses inside networks. Researchers from security firm Socket unearthed an LLM agent last month that directed target LLMs to provide instructions for building a nuclear bomb or biological weapons. The injections were designed to shut down AI-assisted malware analysis. Researchers from Check Point discovered a similar malware prototype.
Context bombing appears to be the first known case where defenders turned the tables.
Earlence Fernandes, a UC San Diego professor specializing in AI security, said he had not seen anyone else use this technique as a defense to the best of his knowledge. He said he had been toying with a similar approach, although in a slightly different context. He added that he wanted to be the first there, but he guesses these guys beat him to the punch.
To date, there is no known way to solve the root cause of prompt injections. That has left developers with no option other than to construct elaborate guardrails that prevent injected prompts from forcing LLMs to go off the rails. Defenders may now find a way to use this intractable problem in their favor.
What it means
This approach changes the game for people building and securing AI systems. Instead of just trying to block bad commands, security teams can now plant traps that force the AI to stop working when it finds sensitive data. This stops the automation from stealing secrets or taking control of accounts. It turns a weakness in the system into a shield.




