Primary source material on indirect prompt injection. Detection methodology, in-the-wild studies, EU AI Act compliance briefings, and the public IPI test corpus. Curated entry point for defenders, red-teamers, and audit firms working on AI-agent web security.
When ChatGPT browses the web to summarize a news article, it doesn’t just see the rendered text a human would see. It reads the full HTML — including elements hidden via CSS, comments, alt-text, metadata, and content cloaked to AI user-agents. This post walks through six concrete attack vectors and explains what traditional scanners miss.
Read →Burp Suite, OWASP ZAP, Snyk, and every other web vulnerability scanner share an architectural assumption that breaks the moment AI agents started reading websites on behalf of users. This post explains the gap, walks through three attack classes only multi-agent fetching detects, and frames why “AI-agent web security” is a category that requires different infrastructure.
Read →On May 7, 2026 the IMF named AI-driven cyber risk as a core financial stability issue. The framing focused on AI as attacker tool. It was silent on AI agents as new attack surface. This post connects the IMF systemic-risk argument to the public web that AI agents read on behalf of users, and lists three concrete implications for marketing-site operators ahead of late-2026 supervisory expectations.
Read →A deliberate IPI test target with twelve labeled patterns: zero-width Unicode, 1px font, transparent ARIA, off-screen positioning, canvas-rendered text, HTML comments, CSS display:none, noscript, white-on-white, SVG title/desc, JSON-LD injection, and a planned UA-cloaking stub. Each seeded instruction is benign and only directs an agent to emit a labeled TEST_PATTERN_NN string. Use it to evaluate any scanner — including ours — against known IPI vectors.
Consolidated long-form successor to the three live posts above. Multi-agent fetch, isolated browser contexts, baseline diffing, LLM-judged severity, attack-class taxonomy. Reproducible test cases against the EverHarden test corpus, with open-source detector components. Cites OWASP LLM Top 10, EchoLeak CVE, Forcepoint April 2026 research, Kai Greshake’s original IPI paper.
First public sweep against a single content category. Prevalence by attack class, severity distribution, anonymized case studies, disclosure-and-remediation timeline. Raw anonymized data published alongside.
Welche Systeme als Hochrisiko gelten, was der EU AI Act (Art. 15 Robustheit/Cybersicherheit) zu Prompt Injection sagt, Pflichten für Anbieter, Nachweis und Dokumentation, Checkliste zur IPI-Risikobewertung. Hinweis: Die Hochrisiko-Pflichten wurden per Digital Omnibus von August 2026 auf Dezember 2027 verschoben — die Robustheits-Pflicht selbst bleibt. Für deutsche Compliance-Verantwortliche.
Research is the product. The commercial scanner is the application of the research. Everything here is meant to stand without the scanner — citable by other defenders, useful to red-teamers, readable by a CISO who has never heard of us.
If a piece is missing a citation or you spot an error, write to hallo@everharden.com. We correct openly.