system: OPERATIONAL
← back to all hacks
PROMPT INJECTION MEDIUM NEW

CrowdStrike's prompt injection taxonomy passes 200 techniques

On July 7, 2026, CrowdStrike added 18 entries to its prompt injection taxonomy — now over 200 techniques. Five new classes show how attacks hide in delayed triggers, forged control tokens, and trusted context data.

2026-07-15 // 7 min affects: llm-agents, rag-pipelines, ai-assistants, coding-agents, browser-agents

What is this?

On July 7, 2026, CrowdStrike’s AI security research team published an update to what it calls the industry’s largest prompt injection taxonomy. The update adds 18 new entries, bringing the catalog to over 200 distinct techniques, and the blog post details five of them in depth. This is a defensive artifact, not an attack release: a shared vocabulary that lets red teams, detection engineers, and threat modelers describe how injection attacks actually behave in production instead of collapsing everything into the label “prompt injection.”

The framing matters because the attack surface has shifted. As deployments move from chatbots to agents that crawl webpages, read file stores, query databases, and write shell commands, indirect prompt injection — malicious instructions hidden in the data an agent consumes — has become the dominant concern. The five newly described classes are notable less for novelty of any single trick than for how they systematize evasion patterns defenders keep seeing. This write-up summarizes the public taxonomy; it reproduces no working payloads.

How it works

The five highlighted techniques each target a different assumption a model makes about its input.

Trigger-activated rule addition plants an instruction that stays dormant until a later keyword, event, or condition fires. During review the injected text looks inert, which is exactly the point — the malicious behavior only surfaces once the trigger appears, defeating point-in-time inspection.

Cognitive token suppression does not command compliance directly. Instead it discourages the model from producing the tokens associated with refusal — apology phrases, policy language, safety caveats — nudging its linguistic choices away from established refusal patterns toward riskier output.

Algorithmic payload decomposition fragments a malicious instruction into pieces — words scattered in a list, characters, variables, or steps — and asks the model to reassemble and act on them. Each fragment looks benign to a scanner; the model does the dangerous synthesis itself.

Special token injection mimics the structural markers models use to separate system instructions, user input, and tool output — role identifiers, delimiters, or tool-call formatting. By forging these boundaries, an attacker tries to elevate untrusted content to the authority of a system directive or a fresh instruction block.

Unwitting user context-data injection exploits the gap between trusted context and executable instruction. The victim’s own prompt is harmless; the payload rides inside surrounding data they introduce without realizing it — a pasted note, an uploaded attachment, a forwarded email, a CRM record, or content inserted by a compromised extension or sync tool. The model then processes the hidden instruction inside the user’s authenticated environment.

The common thread is that none of these rely on the classic “ignore previous instructions.” They work through delayed activation, semantic constraint, boundary spoofing, fragmentation, and implied procedure — and they compose, so a single incident can combine several at once.

Why it matters

A flat “prompt injection” label hides the attack chain and starves detection engineering of the detail it needs. If an incident is actually an indirect injection carrying a forged tool-call boundary plus a decomposed payload, calling it one thing tells responders nothing about which control failed. A structured taxonomy gives teams a map: it names the technique, points at where in the pipeline it enters, and makes composite attacks describable.

The exposure is broad because model context now originates in many places — prompts, files, RAG corpora, agent memory, APIs, tool outputs, browser content, emails, and SaaS data. Every one of those is a potential injection vector, and delayed-trigger and context-data techniques specifically defeat the intuition that reviewing the user’s prompt is enough.

Defenses

Treat every source of model context as untrusted input, not just the user prompt. Files, retrieved documents, memory entries, tool outputs, and third-party data should all be in scope for your threat model, because that is where indirect and context-data injection live.

Move red teaming beyond “ignore previous instructions.” Test for boundary mimicry, delayed activation, algorithmic decomposition, uncommon character or synonym substitution, and instructions implied rather than stated. A test suite that only covers overt jailbreaks will miss the classes above.

Engineer detection for composite attacks. Log prompts and responses with enough structure to reconstruct a chain, and avoid tagging incidents with a single generic “prompt injection” label — capture the constituent techniques so controls can be tuned.

Harden structural boundaries. Do not let user- or tool-supplied text reintroduce the delimiters, role tags, or tool-call markers your framework uses internally; strip or escape them and validate that untrusted content cannot be promoted to a system role.

Add runtime visibility for AI traffic. Knowing who is invoking which models and agents, and whether prompts or responses carry unsafe instructions or sensitive data, is what turns the taxonomy from a reference document into an operational control.

Status

ItemDetail
PublishedCrowdStrike blog, July 7, 2026 (updated July 8, 2026)
AuthorDavid Keller, CrowdStrike AI security research
Change18 new taxonomy entries; catalog now 200+ techniques
New classes detailedTrigger-Activated Rule Addition (PT0201); Cognitive Token Suppression (PT0197); Algorithmic Payload Decomposition (PT0200); Special Token Injection (PT0198); Unwitting User Context-Data Injection (IM0018)
NatureDefensive taxonomy / red-team and detection reference — no CVE, no exploit release

Sources