Detection methodology, in-the-wild studies, the public test corpus, and German-language EU AI Act compliance briefings. Each piece is technical, citable, and meant to stand as work product on its own — not as marketing for a scanner.
Six concrete attack vectors AI agents face when browsing webpages — CSS-hidden text, adversarial alt-text, HTML comments, SVG-embedded text, user-agent cloaking, markdown-as-instructions — and what traditional scanners structurally miss. Cross-posted to dev.to with canonical here.
The architectural gap between traditional scanners (Burp, ZAP, Snyk) and the AI-agent threat surface. Three attack classes only multi-agent fetching detects: user-agent cloaking, dynamic agent-conditional injection, agent-tuned payload variants.
The IMF May 7, 2026 statement named AI-driven systemic cyber risk for financial stability but did not name AI agents as new attack surface. This post connects the systemic-risk argument to the public-web threat surface and lists three implications for marketing-site operators ahead of late-2026 supervisory expectations.
A deliberate IPI test target. Twelve seeded patterns covering zero-width Unicode, 1px font, transparent ARIA, off-screen positioning, canvas-rendered text, HTML comments, CSS display:none, noscript, white-on-white, SVG title/desc, JSON-LD injection, and a planned UA-cloaking stub. Each pattern is labeled benign and documented inline. Use it to evaluate any scanner — including ours — against known IPI vectors.
First public sweep against a single content category. Prevalence by attack class, severity distribution, anonymized case studies, disclosure-and-remediation timeline. Raw anonymized data published alongside.
Stichtag August 2026. Welche Systeme als Hochrisiko gelten, was der EU AI Act zu Prompt Injection sagt, Pflichten für Anbieter, Nachweis und Dokumentation, Checkliste zur IPI-Risikobewertung. Für deutsche Compliance-Verantwortliche.
Consolidated long-form successor to the three blog posts above. Multi-agent fetch, isolated browser contexts, baseline diffing, LLM-judged severity, attack-class taxonomy. Reproducible test cases against the EverHarden test corpus, with open-source detector components. Cites OWASP LLM Top 10, EchoLeak CVE, Forcepoint April 2026 research, Kai Greshake's original IPI paper.
Research is the product. The commercial scanner is the application of the research. Everything here is meant to stand without the scanner — citable by other defenders, useful to red-teamers, readable by a CISO who has never heard of us.
If a piece is missing a citation or you spot an error, write to hallo@erpforgeai.de. We correct openly.