Cybersecurity AI: Hacking the AI Hackers via Prompt Injection
Víctor Mayoral-Vilches, Per Mannermaa Rynning
TL;DR
Prompt injection exposes a fundamental, systemic vulnerability in LLM-based security agents by allowing malicious external content to override or hijack agent behavior. The authors present a four-stage attack flow, a seven-category taxonomy of injection techniques, and a validated four-layer defense that achieves 0% attack success in testing while preserving performance. They demonstrate rapid exploitation (often under 20 seconds) and significant real-world risk, including remote code execution and zombie-agent scenarios, underscoring the need for defense-in-depth and potential architectural changes. The work bridges empirical vulnerability assessment with practical mitigations and highlights a cybersecurity arms race between attacker ingenuity and defensive guardrails in AI systems.
Abstract
We demonstrate how AI-powered cybersecurity tools can be turned against themselves through prompt injection attacks. Prompt injection is reminiscent of cross-site scripting (XSS): malicious text is hidden within seemingly trusted content, and when the system processes it, that text is transformed into unintended instructions. When AI agents designed to find and exploit vulnerabilities interact with malicious web servers, carefully crafted reponses can hijack their execution flow, potentially granting attackers system access. We present proof-of-concept exploits against the Cybersecurity AI (CAI) framework and its CLI tool, and detail our mitigations against such attacks in a multi-layered defense implementation. Our findings indicate that prompt injection is a recurring and systemic issue in LLM-based architectures, one that will require dedicated work to address, much as the security community has had to do with XSS in traditional web applications.