Module SDD-12 — InjecAgent

InjecAgent

The indirect prompt injection benchmark as a quality gate: ~50% of agentic tasks vulnerable to injection via tool outputs, measured per-tool, regression-gated in CI.

45
minutes
8
artifacts
3
sub-sections
InjecAgent is the benchmark that found roughly half of agentic tasks vulnerable to indirect prompt injection delivered through tool outputs — the defining attack surface of agentic harnesses, because the agent cannot structurally distinguish a tool's output (data) from its instructions (policy). This deep-dive covers how to run it against your harness, how to interpret the ~50% as a population baseline for un-defended agents, and how to use it as a pass/fail CI gate that catches any change (new tool, prompt edit, model swap) that opens an injection surface. It is the closing deep-dive of Course 2A and the bridge to Course 2B: the defenses it implies are exactly what 2B's offensive techniques target.
Key Claims
Load-Bearing Claims

Indirect injection via tool outputs is the defining agentic attack surface. The agent cannot structurally distinguish a tool's output (data) from its instructions (policy) — both arrive as text in the context window. Security harnesses read target data constantly; every read is an injection opportunity. This is the S01 inversion made measurable.

The ~50% is a population baseline, not your number. It describes un-defended, out-of-the-box agentic harnesses. A defended harness (structured tool outputs, deterministic egress) should be dramatically lower. The metric that justifies a defense's cost is the before/after defense-effectiveness delta, not the absolute rate.

The operational payoff is the per-tool scorecard and the CI gate. The 50% is a headline; the per-tool scorecard (which tools are injectable) plus the failure transcript (exactly how each injection steered the agent) is the defense-design surface. The CI gate catches any change that opens an injection surface — turning resistance from an opinion into an enforced build-pipeline property.

InjecAgent is the bridge to Course 2B. The defenses it implies (treat tool outputs as untrusted data, enforce structure, gate egress deterministically — DD-19 CrabTrap, DD-20 IronCurtain) are exactly what Course 2B's offensive techniques attack. A measured-but-indefended injection rate is a documented vulnerability — the starting point for 2B's red-teaming.

After This Module
01
Explain indirect prompt injection via tool outputs and why it is the defining agentic attack surface.
02
Describe InjecAgent's methodology (task set, injected outputs, success criteria) and what the ~50% measures.
03
Run InjecAgent against your harness, interpret results, and identify which capabilities are injectable.
04
Use InjecAgent as a pass/fail quality gate in CI that catches injection-surface regressions.
05
Score the benchmark-as-gate on the 12-module rubric (27/45) and identify the defenses it implies.
Artifacts