Task-alignment reasoning beats pattern-matching against adaptive prompt injection
A June 2026 paper shows static benchmarks overstate injection defenses: adaptive attackers lift the worst-case success rate by ~16 points. RETA anchors decisions on the user's task instead of the attacker's text.
What is this?
On June 13, 2026, researchers from the University of Waterloo, Zhejiang University and KTH published Defending against Adaptive Prompt Injection Attacks via Reasoning-enabled Task Alignment. The paper makes an uncomfortable claim and then does something about it: most indirect prompt-injection (IPI) defenses that report near-zero attack success rate are being measured wrong, and their protection largely evaporates once the attacker is allowed to optimize against the deployed defense.
Indirect prompt injection is the case where an agent retrieves third-party data — a web page, an email, an API response, a database record — and that data contains instructions the attacker wants the agent to follow. The user’s task is legitimate; the data channel is not. A good defense has to keep three things true at once: reject the injected task, still finish the user’s real task, and not degrade behavior on clean inputs. The paper measures these as attack success rate (ASR), utility-under-attack (UA) and benign utility (BU).
How it works
The authors first quantify the gap between static and adaptive evaluation. On AgentDojo’s Slack, Banking, Workspace and Travel suites, they run seven representative defenses spanning four paradigms — prompting (Spotlighting, Sandwiching), filtering (PromptGuard, PIGuard), secret-knowledge (DataSentinel, MELON) and training (MetaSecAlign) — against both fixed benchmark attacks and adaptive black-box attackers that observe rollout outcomes and iteratively rewrite the injection.
The static-to-adaptive gap is large. Averaged across defenses on Qwen3-4B, the worst-case ASR rises from 21.7% under static attacks to 41.8% under adaptive attacks — a 20.1-point jump — with an 11.5-point gap on Llama-3.1-8B for a cross-model average of 15.8 points. Defenses that look strongest on static leaderboards, including PIGuard, MELON and MetaSecAlign, reach up to 50% adaptive ASR.
The diagnosis is the interesting part. Every one of those defenses answers an observation-level question — “does this retrieved text look or behave like an injection?” — rather than the task-level one: “does the agent’s next action actually follow from the user’s request?” Because the attacker controls the observation surface, they can preserve the malicious goal while changing whatever the defense inspects. The paper illustrates four families of rewrite, all defensive demonstrations rather than actionable payloads: framing an injected instruction as an urgent system alert to slip past delimiter-based prompting defenses; rewriting an imperative into a passive noun phrase to fall below a filter’s decision boundary; telling the model to complete its normal safety routine before acting, so canary and shadow-execution signals still fire; and recasting the instruction as a first-person past-tense narrative with no imperative verbs to dodge a trained model’s learned cues.
Their fix, RETA (REasoning-enabled Task Alignment), is a training-based defense built in two stages. Stage I red-teams a frozen baseline and records successful injections, with a rolling dictionary that rewards reformulations whose strategies are not already explained by prior attacks — this counters a second failure mode the authors identify, where an RL attacker collapses onto a handful of winning templates and leaves the defender trained on a narrow slice. Stage II trains the defender with trajectory-level rewards for three behaviors together: reject the injected task, complete the trusted user task, and produce explicit chain-of-thought reasoning that checks each tool call against the user’s intent. The anchor is that the user’s task is stable under rewording, so reasoning about whether an action follows from it generalizes where surface pattern-matching does not.
Why it matters
Across six adaptive attack families, RETA keeps every per-attack ASR below 10%, averaging 2.92% and 3.75% on the two target models while preserving most utility under attack and on clean inputs. The headline for defenders is not one number, though — it is the evaluation lesson. If you are choosing an IPI defense for an agent that reads untrusted data, static benchmark scores are close to meaningless; a defense that posts near-zero ASR on fixed templates can still be pushed above 40–50% by an attacker who iterates. This extends to agentic injection a warning the jailbreak-robustness literature already learned the hard way: adaptive evaluation is the only evaluation that counts.
Defenses
Concrete takeaways you can apply now:
- Re-test defenses adaptively. Treat static IPI benchmark numbers as an upper bound on your knowledge, not on your risk. Before trusting a filter or a trained defense, evaluate it against attackers that rewrite the injection in response to your specific deployment.
- Shift the decision from the observation to the task. Defenses that ask “does this text look malicious?” are evadable by paraphrase. Prefer mechanisms that check whether each tool call is justified by the user’s actual request, and keep the trusted task in a channel the attacker cannot rewrite.
- Reward strategy diversity in adversarial training. If you fine-tune a defender, an RL attacker that maximizes only attack success will converge on a few templates and leave you blind elsewhere. Explicitly reward coverage of distinct reformulation strategies.
- Don’t rely on a single signal. Canary recital and shadow-execution divergence can be satisfied while the injection still runs. Layer task-alignment reasoning on top rather than trusting any one observable signature.
- Preserve task integrity, not just refusal. A defense that lowers ASR by refusing the user’s own task has not solved the problem. Track utility-under-attack alongside ASR so you notice over-refusal.
Status
The work is a research preprint (arXiv 2606.15441, submitted June 13, 2026), evaluated on the open AgentDojo benchmark against Qwen3-4B-Instruct and Llama-3.1-8B-Instruct. It is a defensive method and a measurement critique, not a disclosed product vulnerability; there is no CVE and no patch to apply. The reported numbers are the authors’ own and await independent replication.