Rapid injections, Malicious commands that attackers embed in content to entice large language models to follow them have been attackers’ tool to turn AI platforms against their users. A well-worded command entered into an email or calendar invite is often all it takes for the LLM to leak sensitive data or perform other harmful actions.
Rapid injections, Malicious commands that attackers embed in content to entice large language models to follow them have been attackers’ tool to turn AI platforms against their users. A well-worded command entered into an email or calendar invite is often all it takes for the LLM to leak sensitive data or perform other harmful actions.
Now, advocates are also embracing rapid injection.
Tracebit researchers said Monday that they found that placing fast injections along with passwords, cryptographic keys and other secrets stored on Amazon Web Services was often all that was needed to stop attacks by AI hacking agents. The prompts direct the attacking LLM to perform an action prohibited by its guardrails, the guardrails that AI developers erect to prevent it from performing harmful actions. The LLM responds by closing.
Examples are a message ordering the LLM to provide steps for developing inhalable anthrax spores or, in the case of LLMs from Chinese developers, making references to the iconic Tank Man from the 1989 Tiananmen Square massacre. Once the LLM finds these banned commands, it no longer follows the existing commands. The researchers called this technique context bombing.
“Ultimately, we are activating a rejection mechanism in the context,” said Andy Smith, co-founder and CEO of Tracebit, explaining the name choice. “What we’re trying to capture is the fact that this has a strong, acute effect that can be difficult for officers to come back from. Once they have it in context, they will continue to refuse.”
Tracebit says initial testing suggests contextual bombardment has great potential. They tested Opus 4.8, Gemini 3.1 Pro, GLM 5.2, DeepSeek 4 Pro, and Kimi 2.6 by instructing them to perform routine developer tasks that led to the models enumerating resources and tripping over planted strings. They ran the models within a simulated AWS environment.
“Across five leading models and 152 attack runs, placing one of these chains in a decoy secret reduced the rate at which agents took over full account management from 57 percent to 5 percent, and total compromise (where they also left a persistent foothold) from 36 percent to 1 percent,” Monday’s publication reported. “The most capable agent in our tests, Opus 4.8, went from achieving administrator access in 93 percent of runs to failing every time it faced a context bomb.”
Averaged across the five models and 152 runs, the results included:
- Administrator privilege escalation dropped from 57 percent to 5 percent
- Administrative escalation with a persistent foothold fell from 36 percent to 1 percent
- Runs hitting any route of attack fell from 91 percent to 15 percent
- On average, a run went from successfully completing 1.53 paths to just 0.16.
- No execution was able to complete an attack path without at least triggering a canary detection.
The research builds on findings from May, when Tracebit introduced a method for defenders to receive warnings when their infrastructure is under attack by adversarial AI agents. It comes in the form of AWS resources that appear to have a legitimate purpose but are, in fact, not used at all. They sit next to the resources that are used. When the AI agent investigates them, defenders receive an alert. Like “canaries” brought into coal mines, these resources allow defenders to detect a threat before it has fatal consequences.
Check back often for more exciting news!

















