AI agents don’t just answer questions anymore. They browse websites, read internal documents, call APIs, and execute commands on behalf of the people who deployed them. That autonomy is what makes them useful. It’s also what’s created an entirely new security problem, and attackers have noticed.
CrowdStrike’s researchers recently expanded their prompt injection taxonomy with 18 new techniques, pushing the total past 200 documented methods. Five of these deserve a closer look. They’re quiet by design, built to slip past reviews meant to catch obvious jailbreak attempts. That’s the uncomfortable part: these techniques don’t look like attacks until after they’ve already worked.
Here’s what prompt injection actually is, why AI agents have widened the attack surface so dramatically, and how each of CrowdStrike’s five newest techniques operates. We’ll close with what security teams should be doing about it this quarter, not eventually.
What Is Prompt Injection and Why It’s Evolving
Prompt injection embeds instructions inside content an AI system processes, causing the model to act in ways its operators never intended. Early versions were blunt. Someone would type “ignore your previous instructions” straight into a chatbot and hope it worked.
That era is mostly over. Modern AI agents pull in web pages, emails, PDFs, Slack messages, and API responses, and any one of those can carry hidden instructions. Security researchers call this indirect prompt injection. It’s harder to catch precisely because the malicious content never comes from the user typing into the box. It arrives disguised as ordinary data the agent was told to trust in the first place.
CrowdStrike’s Expanded Taxonomy: What Changed
CrowdStrike’s taxonomy now documents more than 200 distinct prompt injection methods. That number alone says something about how fast this category has matured. But the 18 newest additions matter more for what they represent: a shift away from blunt-force jailbreaking toward patient, layered techniques. Hidden triggers. Structural mimicry. Payloads split apart and only dangerous once reassembled.
Five techniques from this update stand out. They’re not variations on old themes. They’re genuinely new attack logic.

Trigger-Activated Rule Addition (PT0201)
This one plants a hidden instruction inside content an AI agent will eventually process, but the instruction doesn’t do anything right away. It stays dormant until a specific condition or keyword shows up later in the interaction.
It works like a sleeper agent embedded in a document, a webpage, or a dataset. During an initial security review, everything checks out clean, because the trigger hasn’t fired yet. Then, days or weeks later, the AI agent encounters that keyword during a completely unrelated task. The hidden rule activates. Depending on what it was built to do, that could mean quietly exfiltrating sensitive data or altering the agent’s behavior with no visible warning sign at all.
Why this matters: A one-time review of AI inputs isn’t enough anymore. Content that looks perfectly safe today can turn into an active threat the moment its trigger condition is met.

Cognitive Token Suppression (PT0197)
This method goes after the model’s ability to say no. Instead of asking the AI to do something obviously harmful, the attacker crafts input designed to steer the model away from its own safety vocabulary, the language it typically reaches for when refusing an unsafe request.
Narrow that vocabulary enough, and the model becomes more likely to produce ambiguous or non-compliant output instead of a clean refusal.
Why this matters: Most content filters look for known jailbreak phrasing. This technique skips that entirely. It doesn’t ask the model to break its own rules. It tries to quietly take away the model’s ability to object.

Algorithmic Payload Decomposition (PT0200)
Rather than submitting one malicious instruction that a filter could catch in a single pass, this technique breaks the payload into smaller fragments. Each piece looks harmless on its own. None of them individually resembles an attack.
The AI agent is then guided, often across several steps or separate interactions, to reconstruct those fragments into a complete, executable command. Filters built to scan for obvious threat signatures never see the full picture, because there’s no single moment where the whole malicious instruction exists in one place.
Why this matters: Detection systems designed around scanning a single input in isolation weren’t built for attacks that assemble themselves across a conversation.

Special Token Injection (PT0198)
This technique targets structure rather than content. Attackers mimic internal formatting elements, things like tool call syntax or system-level instruction markers, to blur the line between trusted system input and untrusted user input.
If it works, the AI model treats the injected content as a legitimate, elevated-priority command instead of ordinary data it should be evaluating skeptically.
Why this matters: As AI agents lean more on structured tool-calling formats to get work done, the format itself becomes an attack surface. Not just the words inside it.

Unwitting User Delivery (IM0005)
Of the five, this is the only one built entirely on social engineering rather than technical trickery. Attackers persuade a legitimate user to unknowingly deliver a malicious prompt themselves, often through viral social content or deceptive instructions buried in shared media that gets copy-pasted straight into an AI system.
The request that lands on the AI system genuinely comes from a legitimate, authenticated user session. That makes it far harder for security tools to flag, because the agent has no reason to distrust its own user.
Why this matters: Part of the defense burden here shifts from technical controls to user awareness, a gap most AI security programs haven’t gotten around to closing yet.
Why These Techniques Evade Traditional Detection
What ties all five together is patience and misdirection. None of them rely on an aggressive, obvious jailbreak attempt that a keyword filter would flag immediately. Instead, they lean on:
- Delayed execution through dormant triggers
- Structural mimicry through fake system tokens
- Fragmentation through decomposed payloads
- Behavioral narrowing through refusal suppression
- Human trust through social engineering
Detection systems built to scan single inputs for known bad patterns simply aren’t equipped for attacks that unfold this way, stretched across time, formatting layers, or an unwitting human go-between.
CyberInfos Analyst Insight: Most organizations still threat-model AI systems the way they’d threat-model a traditional web app: input validation, output filtering, access controls. That approach breaks down fast once the “input” could be a webpage the agent reads six steps into a task, or a formatting trick buried in a tool response the agent trusts by default.
The mistake we keep seeing is treating prompt injection defense as a one-time content filter problem. It isn’t. It’s a continuous, multi-stage risk, and it requires watching agent behavior across an entire session, not just scanning whatever comes in at the start.
Business Impact
For organizations running AI agents in production, this isn’t an abstract research problem. A successfully triggered dormant rule or a reconstructed decomposed payload can lead directly to data exfiltration, unauthorized actions taken under a legitimate session, or compliance exposure if regulated data gets touched along the way. The operational cost of catching this after the fact, through incident response and disclosure, is far higher than the cost of building session-level monitoring now.
CrowdStrike -Taxonomy of Prompt Injection Methods poster/download
Recommended Actions
Immediate Actions
- Map every external data source your AI agents can access, not just the primary chat interface
- Review current agent permissions and tighten default access where possible
Short-Term Actions
- Build session-level monitoring rather than relying only on single-input scanning
- Treat tool-call and system-level formatting as an untrusted input channel
- Train users on how they might unknowingly deliver a malicious prompt themselves
Long-Term Actions
- Develop detection logic for delayed or triggered behavior, not just immediate jailbreak attempts
- Log and audit agent decision chains for forensic review
- Track ongoing taxonomy updates from CrowdStrike, OWASP, and MITRE ATLAS as this space keeps evolving
Actionable Checklist
- Map every external data source your AI agents can access, not just the chat interface
- Implement session-level monitoring, not just single-input scanning
- Treat tool-call and system-level formatting as an untrusted input channel
- Build detection logic for delayed/triggered behavior, not just immediate jailbreak attempts
- Train users on how they can unknowingly deliver malicious prompts
- Review AI agent permissions regularly, limiting what agents can access or execute by default
- Log and audit agent decision chains for later forensic review
- Stay current with taxonomy updates from CrowdStrike, OWASP, and MITRE ATLAS
Frequently Asked Questions
What is prompt injection in AI security?
Prompt injection is an attack technique where malicious instructions are embedded in content an AI system processes, causing it to behave in unintended ways. It can be direct, where a user types the instruction themselves, or indirect, where the instruction is hidden in data the AI reads, such as a webpage or document.
How many prompt injection techniques has CrowdStrike documented?
CrowdStrike’s taxonomy now includes more than 200 distinct prompt injection techniques, following the recent addition of 18 new methods identified through ongoing research into AI agent vulnerabilities.
What makes AI agents more vulnerable than chatbots?
AI agents can browse websites, access internal systems, and execute commands autonomously. This expands the attack surface far beyond a single chat box, since any data source the agent touches can potentially carry hidden malicious instructions.
What is trigger-activated rule addition?
It’s a technique where attackers embed a dormant instruction that only activates once a specific condition or keyword is later encountered, allowing it to bypass initial security reviews before executing.
How does algorithmic payload decomposition bypass filters?
It splits a malicious instruction into smaller, individually harmless fragments. The AI agent is later guided to reconstruct these fragments into a complete command, so no single input ever contains the full malicious payload for a filter to catch.
What is cognitive token suppression?
It’s a method that manipulates an AI model’s output to limit its use of refusal or safety-related language, increasing the chance the model produces ambiguous or non-compliant responses instead of declining a request outright.
What is special token injection?
This technique mimics internal formatting elements, such as tool call syntax, to make an AI model treat malicious input as a trusted, elevated-priority system command rather than ordinary data.
What is unwitting user delivery?
It’s a social engineering technique where attackers trick a legitimate user into unknowingly submitting a malicious prompt themselves, often through deceptive online content, making the resulting request harder to flag since it comes from an authenticated session.
Can traditional security filters catch these new techniques?
Not reliably. These techniques are designed specifically to evade filters that scan for obvious jailbreak language, using delayed execution, fragmentation, and structural mimicry instead.
Why should SOC teams care about AI-specific prompt injection?
As organizations deploy AI agents with access to internal systems and data, prompt injection becomes an operational risk, not just a research curiosity. Undetected attacks can lead to data exfiltration or unauthorized actions taken by the agent.
What data sources should be included in AI threat modeling?
Prompts, API responses, emails, SaaS platform data, and any web content an AI agent is permitted to access should all be treated as potential attack vectors.
How can organizations detect multi-stage prompt injection attacks?
By monitoring AI agent behavior across an entire session rather than scanning only the initial input, and by building detection logic that accounts for delayed or triggered actions.
Is prompt injection the same as a traditional exploit?
No. Traditional exploits typically target software vulnerabilities directly. Prompt injection targets the AI model’s interpretation of instructions, manipulating its behavior through crafted input rather than exploiting a code-level flaw.
What role does user training play in AI security?
Since techniques like unwitting user delivery rely on tricking legitimate users, training people to recognize suspicious content before pasting it into an AI system is now a meaningful part of defense.
Where can security teams track new prompt injection techniques?
Ongoing taxonomies from organizations like CrowdStrike, along with frameworks such as OWASP’s LLM Top 10 and MITRE ATLAS, are useful resources for tracking emerging AI attack techniques.
Final Thoughts
CrowdStrike’s five newest techniques point to a clear pattern: prompt injection attacks aren’t loud anymore. They hide in dormant triggers, structural mimicry, fragmented payloads, and sometimes in the hands of unsuspecting users themselves.
For security teams, the immediate move is straightforward. Expand your AI threat model to cover every data source an agent touches, and build detection that watches behavior across a whole session instead of just one input. The longer-term work matters just as much: treat AI agent security as an ongoing discipline, not a checkbox you clear once and forget.
Organizations that adapt now, before these techniques become standard attacker tooling, will be in a far better position than those still treating AI agents like static chatbots.
CyberInfos Recommendation
Stay ahead of emerging AI threats. Subscribe to CyberInfos for weekly breakdowns of the latest attack techniques and practical defense strategies.
