Alpesh Nakrani
2026 / Free online book · Technical Deep Dives

Prompt Injection Is Not a Joke

Security for AI Systems That Read Untrusted Text

- Access: Free
- Chapters: 17
- Read time: 206 min

When the input is instructions, every text field is an attack surface. A practitioner’s account of defending AI systems in the wild.

This edition is free to read onsite. Each chapter has its own URL, so readers can bookmark, share, and return to the exact section they need.

Table of contents
- **FM. Front Matter: Prompt Injection Is Not a Joke** (6 min). Security for AI Systems That Read Untrusted Text.
- **INT. Introduction: The String in the Ticket** (11 min). The details here are composited from several real production systems, but the shape is exact, and if you operate an LLM application that reads anything a stranger can write, you have either seen this or you are going to.
- **01. The Ticket That Tried to Email Itself** (11 min). *Working claim:* Prompt injection is not one attack; it is a *class* of attacks unified by a single mechanism: untrusted text reaching a model that treats text as instruction.
- **02. A Prompt Is Not a Security Boundary** (11 min). *Working claim:* The reason prompt injection is hard is not that engineers write weak system prompts.
- **03. Assets, Trust Boundaries, and the TRUST Framework** (12 min). *Working claim:* You cannot defend a system you have not threat-modeled, and most LLM applications have never been threat-modeled at all; they were prompt-engineered.
- **04. The Confused Deputy, Least Privilege, and Blast Radius** (11 min). *Working claim:* The damage of a successful injection is not set by the attacker's privileges. It is set by *your system's* privileges, exercised on the victim's behalf.
- **05. Talking the Model Out of Its Instructions** (11 min). *Working claim:* Direct prompt injection, the attacker as the user, is the form everyone pictures and the form least likely to cause a catastrophe, because the attacker acts with their own authority.
- **06. Input Handling: What Classifiers and Boundaries Can and Cannot Do** (10 min). *Working claim:* Input-side defenses (delimiters, role framing, sanitization, injection classifiers) are worth building, and every one of them is a probability reducer, not a boundary.
- **07. The Supply Chain of Untrusted Text** (11 min). This chapter turns the supply chain of untrusted text into a concrete operating problem for the AI-native security book.
- **08. RAG Is an Attack Surface: Ingestion and Retrieval Defenses** (10 min). *Working claim:* Retrieval-augmented generation is a machine for moving text from storage into the model's reasoning.
- **09. Read Tools, Write Tools, and the Argument Nobody Validated** (11 min). *Working claim:* A model that can only emit text produces, at worst, a wrong sentence. The moment you give it a tool, you give injection a way to reach the world.
- **10. Capability Manifests, Tool-Call Gates, and Approval Flows** (9 min). *Working claim:* This is the chapter where the book's central promise becomes a system you can build. The model is an untrusted client; the tool layer is a hardened server.
- **11. The Many Doors Data Leaves By** (11 min). This chapter turns the many doors data leaves by into a concrete operating problem for the AI-native security book.
- **12. Secrets, Minimization, Canaries, and the Limits of Output Filtering** (10 min). *Working claim:* The most reliable way to stop a secret from leaking through a model is to ensure the model never had it. Everything else (output filters, canaries, redaction) is what you do for the data the model legitimately must touch.
- **13. When the Attack Outlives the Session** (10 min). *Working claim:* Every attack so far has been transient: it happens in a session and ends with it. Memory poisoning is different and worse, because it makes injection *persistent*.
- **14. Defense-in-Depth: The Whole Architecture** (9 min). *Working claim:* No single control in this book stops prompt injection. That is not a weakness in the controls; it is the nature of the problem, because the model layer is irreducibly probabilistic.
- **15. Red Teams, Fixtures, and Tests That Load Malicious Documents** (9 min). *Working claim:* An injection defense you have not tested with malicious inputs is a belief, not a control.
- **16. Monitoring, Forensics, and the Injection Incident** (8 min). *Working claim:* You will have an injection incident.
- **17. Ten Systems, Ten Threat Models, Ten Launch Checklists** (14 min). *Working claim:* The frameworks of this book only matter if they survive contact with real systems.
- **A. Appendix A: Back Matter** (11 min). Glossary, implementation checklist, and source register for the book.