CrowdStrike's Prompt Injection Taxonomy Passes 200 Techniques
CrowdStrike added 18 new prompt injection techniques to its taxonomy, including dormant instructions that trigger later and a technique that suppresses a model's own refusal vocabulary — a sign the attack surface has moved well beyond single-shot jailbreaks.
Key Takeaways
- CrowdStrike expanded its prompt injection taxonomy by 18 techniques, taking the documented total past 200.
- Two of the new techniques stand out: a dormant instruction that only activates on a later trigger phrase, and a method that suppresses the vocabulary a model needs to refuse or flag a request.
- The additions target the reasoning, memory, and formatting layers agentic AI systems depend on — not just the initial prompt a user types.
- Filter-based defenses that scan for complete malicious strings miss techniques designed to fragment, delay, or disguise the payload.
Prompt injection has topped OWASP's list of LLM risks for several cycles running, but most defenders still picture it as a single crafted string that jailbreaks a chatbot in one turn. CrowdStrike's latest taxonomy update makes clear that the attack surface has moved well past that model. The company added 18 new techniques to its catalogue, bringing the documented total past 200, and five of the new additions specifically target the reasoning, memory, and formatting layers that agentic AI systems depend on.
Five techniques worth understanding
- Trigger-Activated Rule Addition (PT0201) plants an instruction that looks harmless during review but only executes once a specific phrase or condition later triggers it — CrowdStrike describes it as a 'sleeping' instruction that can change behavior well after it was first introduced.
- Cognitive Token Suppression (PT0197) blocks the vocabulary a model would normally use to refuse or flag a request — safety, apology, and policy-related terms — making it harder for the model to generate a secure response even when its underlying guardrails are intact.
- Algorithmic Payload Decomposition (PT0200) fragments a malicious instruction into puzzle-like pieces that look benign individually, relying on the model itself to reassemble them, which lets the payload slip past filters scanning for a complete malicious string.
- Special Token Injection (PT0198) mimics the internal formatting markers a model uses to separate system instructions from user input, undermining the instruction hierarchy the model relies on to know what to trust.
- Unwitting User Context-Data Injection (IM0018) hides instructions inside a data source a legitimate user pulls into the conversation themselves — a document, a web page, a support ticket — so the attacker never has to touch the target system directly.
Why this matters more for agents than chatbots
A single-turn jailbreak against a chatbot is bounded: it affects one response, to one user, in one session. Dormant, trigger-activated instructions and token-suppression techniques are built for systems with persistent memory, multi-step reasoning, and tool access — exactly what agentic AI deployments add. An instruction seeded today that only fires on a later condition, or that quietly blocks the model's ability to say 'I can't do that,' is far more dangerous when the model can also call APIs, write files, or take actions on a user's behalf. CrowdStrike frames the update around its Falcon AI Detection and Response product, underscoring that static, one-time review of prompts and system messages is no longer sufficient — the techniques are explicitly designed to defeat that kind of point-in-time check.
What this means for defenders
- Treat every piece of external content an agent ingests — retrieved documents, web pages, tickets, tool outputs — as untrusted input, not just the user's direct prompt.
- Don't rely solely on keyword or pattern filters; decomposition and token-mimicry techniques are built to defeat exactly that kind of static matching.
- Log and monitor agent behavior continuously rather than just vetting prompts at deployment time, since trigger-activated instructions are designed to pass initial review.
- Scope tool and data permissions tightly, so that even a successful injection has a narrow blast radius.
The takeaway
This is a taxonomy update, not a disclosed breach — no specific product or victim was named. But the direction is instructive: as organizations move from single-turn chatbots to agents with memory and tool access, the injection techniques are evolving in step, and static prompt review alone won't catch a payload designed to stay dormant until it matters.
Frequently Asked Questions
What is prompt injection?
Prompt injection is a technique where an attacker embeds instructions inside content an AI model processes — a user message, a retrieved document, a web page — to override or manipulate the model's intended behavior, often without needing direct access to the system.
What is a 'trigger-activated' or dormant prompt injection?
It's an instruction planted in content the model will process that stays inactive during normal review and only executes once a later condition or trigger phrase appears, making it harder to catch with a one-time check of the prompt or system message.
How is this different from a typical jailbreak?
A jailbreak is usually a single crafted prompt aimed at getting one harmful response in one turn. The newly documented techniques target persistent, multi-step agentic systems — exploiting memory, tool access, and instruction-formatting rather than trying to win a single exchange.