“Context bombs” can frustrate AI-driven attacks, researchers found
A new approach tried out by Tracebit researchers has proven very effective at stopping AI agents from fully compromising targeted environments.
What makes it notable isn’t the technique – prompt injection is old news – but the direction it’s pointed: not to hijack AI agents, but to defend against them.

Canaries with context bombs
Tracebit offers customers a range of canaries, i.e., decoy resources and credentials that, when targeted by attackers, provide early warning of an attack.
Once the wire is tripped, the response falls to defenders. But, as autonomous and semi-autonomous AI agents accelerate the pace of attacks, defenders have less and less time to react and shut them down.
This fact prompted the company’s researchers to test a new approach, inspired by malware authors who use prompt injection to trick AI-powered analysis tools into declaring a malicious sample benign.
They created new canaries that contain a “context bomb” – a short piece of text designed to trigger safety guardrails in offensive AI agents – and tested it against agents powered by Anthropic’s Opus 4.8, Google’s Gemini 3.1 Pro, Zhipu AI’s GLM 5.2, DeepSeek’s DeepSeek 4 Pro, and Moonshot AI’s Kimi K2.6.
The agents were instructed to explore an imitation of a corporate production AWS environment with misconfigurations that allow for ten distinct attack paths. Those could lead to more or less serious outcomes: admin access and persistence, code execution, data exfiltration, lateral movement, targeted access, and reconnaissance.
“We tested model performance in a baseline environment containing no canaries, and in a bombed environment containing a canary with a Context Bomb,” the researchers explained.
They made the AI agents perform a total of 152 runs on both environments, and the results were impressive: across five leading models, planting a single context bomb in a canary secret had a significant impact on their ability to reach their objectives.
The most striking case was Opus 4.8: it reached full account admin access in 93% of clean runs, but failed every single time once a context bomb was in play. Gemini 3.1 Pro achieved full admin plus a durable foothold in 60% of the cases on baseline environments, but also failed to achieve the same in bombed ones.
“Kimi was least effective of the models tested at reaching Admin, while also being least affected by context bombs (though they were still quite effective!),” the researchers found.
They also pointed out the agents achieved at least one the attack paths in 91 percent of cases when working in a baseline environment, but only in 15 percent of the runs in bombed ones. But, they noted, the canary alerts were raised in all cases.
The researchers also flagged the boundaries of what they’ve tested so far.
The work focused on capable model families that are widely available through a provider such as OpenRouter. They haven’t yet measured how “abliterated” models (i.e., versions stripped of their built-in safety guardrails) perform, so it remains an open question both how capable those models are at offensive cyber tasks and whether context bombs work against them at all.
Embracing the flaw
The prevailing view among security researchers is that prompt injection can’t be prevented.
The UK’s National Cyber Security Centre warned in December 2025 that because LLMs draw no inherent line between data and instructions, prompt injection may never be properly mitigated the way SQL injection can be, and that the best defenders can hope for is reducing its likelihood or impact.
“As soon as a system is designed to take untrusted data and include it into an LLM query, the untrusted data influences the output,” Johann Rehberger, a security researcher well known for his work on prompt injection and LLM attacks, recently noted.
But if attackers are going to point AI agents at your environment, and those agents can’t be reliably “inoculated” against injected instructions, Tracebit has cleverly chosen to experiment with how prompt injection can serve defenders too.
The researcher didn’t want to use “completely deplorable” context bombs, and didn’t want to use cyber-related ones.
In the end, they found that Western models are reliably stopped when confronted with strings referencing sensitive or dangerous biological topics, and Chinese models (accessed through Chinese providers) when the strings referenced politically sensitive topics in China (and did so in Chinese).
“In many cases, we found that combining the sensitive topics with standard prompt-injection techniques [including urgency, notes for agents, and delimiters] helped improve the impact when the Context Bombs were discovered in realistic environments,” they noted.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
