CrowdStrike Prompt Injection Taxonomy — 200+ Techniques Cataloged

AI relevance: As organizations move from chatbots to autonomous AI agents with tool access, prompt injection is the primary attack vector for hijacking agent behavior — CrowdStrike's expanded taxonomy maps the full threat surface defenders must address.

  • CrowdStrike's AI security research team published 18 new prompt injection techniques, pushing the industry's largest taxonomy past 200 distinct methods.
  • Trigger-Activated Rule Addition (PT0201) — attackers inject "sleeping" instructions that remain dormant until a specific trigger phrase appears, then activate to alter agent behavior (e.g., forwarding emails to attacker-controlled addresses).
  • Cognitive Token Suppression (PT0197) — blocks safety-related vocabulary to prevent the model from generating refusal patterns, effectively disabling its ability to say "no."
  • Algorithmic Payload Decomposition (PT0200) — fragments malicious instructions into seemingly benign pieces (color-filtered word lists, arithmetic steps) that the model reassembles into a harmful command.
  • Special Token Injection (PT0198) — mimics structural markers like <tool_call> tags to trick models into treating user content as system-level directives.
  • Unwitting User Context-Data Injection (IM0018) — users unknowingly introduce malicious instructions by pasting text into CRMs, uploading attachments, or forwarding emails that AI later processes.
  • Composite attacks are now the norm: a single incident may combine indirect injection, boundary mimicry, and synonym substitution simultaneously.
  • CrowdStrike warns that simple "prompt injection" labels are insufficient — detection engineering must track multi-stage attack chains across the full context surface.
  • The taxonomy covers every context source: prompts, files, RAG pipelines, agent memory, APIs, tool outputs, browser content, emails, and SaaS data.

Why It Matters

Prompt injection is no longer a model-safety curiosity — it's an enterprise attack surface. With AI agents now accessing file stores, executing shell commands, and calling APIs, the 200+ techniques in this taxonomy represent the full menu available to adversaries. The shift from chatbots to agentic systems means every data source the agent touches is a potential injection vector.

What To Do

  • Expand threat modeling to include every context source: RAG pipelines, agent memory, tool outputs, browser content, emails, SaaS integrations.
  • Red team beyond "ignore previous instructions" — test boundary mimicry, delayed activation, algorithmic decomposition, and special token spoofing.
  • Deploy runtime visibility for prompts and responses: log who uses AI, what's exchanged, which models/agents are involved, and whether sensitive data or unsafe instructions appear.
  • Enforce human authorization for high-consequence actions — never let a single injected instruction produce an irreversible outcome.

Sources