CrowdStrike Prompt Injection Taxonomy — 200+ Techniques Cataloged
AI relevance: As organizations move from chatbots to autonomous AI agents with tool access, prompt injection is the primary attack vector for hijacking agent behavior — CrowdStrike's expanded taxonomy maps the full threat surface defenders must address.
- CrowdStrike's AI security research team published 18 new prompt injection techniques, pushing the industry's largest taxonomy past 200 distinct methods.
- Trigger-Activated Rule Addition (PT0201) — attackers inject "sleeping" instructions that remain dormant until a specific trigger phrase appears, then activate to alter agent behavior (e.g., forwarding emails to attacker-controlled addresses).
- Cognitive Token Suppression (PT0197) — blocks safety-related vocabulary to prevent the model from generating refusal patterns, effectively disabling its ability to say "no."
- Algorithmic Payload Decomposition (PT0200) — fragments malicious instructions into seemingly benign pieces (color-filtered word lists, arithmetic steps) that the model reassembles into a harmful command.
- Special Token Injection (PT0198) — mimics structural markers like
<tool_call>tags to trick models into treating user content as system-level directives. - Unwitting User Context-Data Injection (IM0018) — users unknowingly introduce malicious instructions by pasting text into CRMs, uploading attachments, or forwarding emails that AI later processes.
- Composite attacks are now the norm: a single incident may combine indirect injection, boundary mimicry, and synonym substitution simultaneously.
- CrowdStrike warns that simple "prompt injection" labels are insufficient — detection engineering must track multi-stage attack chains across the full context surface.
- The taxonomy covers every context source: prompts, files, RAG pipelines, agent memory, APIs, tool outputs, browser content, emails, and SaaS data.
Why It Matters
Prompt injection is no longer a model-safety curiosity — it's an enterprise attack surface. With AI agents now accessing file stores, executing shell commands, and calling APIs, the 200+ techniques in this taxonomy represent the full menu available to adversaries. The shift from chatbots to agentic systems means every data source the agent touches is a potential injection vector.
What To Do
- Expand threat modeling to include every context source: RAG pipelines, agent memory, tool outputs, browser content, emails, SaaS integrations.
- Red team beyond "ignore previous instructions" — test boundary mimicry, delayed activation, algorithmic decomposition, and special token spoofing.
- Deploy runtime visibility for prompts and responses: log who uses AI, what's exchanged, which models/agents are involved, and whether sensitive data or unsafe instructions appear.
- Enforce human authorization for high-consequence actions — never let a single injected instruction produce an irreversible outcome.