Defenders are now using prompt injection, a tactic previously used by attackers, to stop AI-based attacks. Researchers from Tracebit found that placing prompt injections alongside passwords and cryptographic keys on AWS often halted attacks from AI hacking agents. The prompts direct the attacking LLM to perform actions forbidden by its guardrails, leading the model to shut down. This method, called context bombing, was tested on five leading models, including Opus 4.8, Gemini 3.1 Pro, GLM 5.2, DeepSeek 4 Pro, and Kimi 2.6.

Initial testing showed context bombing significantly reduced the success rate of AI attacks. Across five models and 152 attack runs, planting a planted string in a decoy secret cut the rate at which agents seized full account admin from 57% to 5%, and complete compromise from 36% to 1%. Opus 4.8, the most capable agent in the tests, went from achieving admin access in 93% of runs to failing every single time when confronted with a context bomb. On average, a run went from completing 1.53 paths successfully to just 0.16, with no runs completing an attack path without triggering a canary detection.

The research builds on earlier findings from Tracebit, which introduced a method for defenders to receive warnings when their infrastructure is under attack from AI agentic adversaries. These canaries, which look like legitimate resources but aren't used, allow defenders to detect threats early. The Tracebit Canaries on average alerted the start of an attack within eight minutes. The motivation for developing context bombing was to stop attacks rather than just warn of them. In the experiments, agentic models needed on average 14 minutes to escalate to administrative control, making the six-minute heads up insufficient.

Source: arstechnica