Lakera

𝗘𝘃𝗲𝗿𝘆 𝘁𝗶𝗺𝗲 𝗔𝗜 𝘀𝘆𝘀𝘁𝗲𝗺𝘀 𝗴𝗮𝗶𝗻 𝗮 𝗻𝗲𝘄 𝗰𝗮𝗽𝗮𝗯𝗶𝗹𝗶𝘁𝘆, 𝘀𝗼𝗺𝗲𝘁𝗵𝗶𝗻𝗴 𝗲𝗹𝘀𝗲 𝗾𝘂𝗶𝗲𝘁𝗹𝘆 𝗴𝗿𝗼𝘄𝘀 𝘄𝗶𝘁𝗵 𝘁𝗵𝗲𝗺. The security perimeter. Give a model the ability to browse. Give it access to tools. Let it write code, open files, or pull context from memory. Each new power extends the boundary you have to defend. ⚠️ What used to be a single model prompt is now a collection of moving parts: • Tools • Agents ��� Context builders • Memory layers • Orchestrators • Validators • Sandboxes • Allowlists • Human-in-the-loop logic The model is only one component inside a much larger attack surface. This shift is easy to miss. You do not see it in the UI. You only notice it when something unexpected happens and the agent acts on text it was never supposed to trust. This is why tunnel vision around the model can be risky. As autonomy increases, the real boundary emerges in the surrounding layers: the components that filter, shape, constrain, and verify what the agent is allowed to do. That broader system is where security wins or breaks. 🔐 The image below highlights some of the layers that matter most when thinking about where the boundary actually sits and how it shifts as capabilities grow. It is a useful way to step back from the model and see the application as a whole. We will be exploring this perspective in more depth during our 𝗗𝗲𝗰𝗲𝗺𝗯𝗲𝗿 𝟭𝟬 𝘀𝗲𝘀𝘀𝗶𝗼𝗻, along with the themes from our recent piece on indirect prompt injection. 𝗔𝗹𝗹 𝗹𝗶𝗻𝗸𝘀 𝗮𝗿𝗲 𝗶𝗻 𝘁𝗵𝗲 𝗳𝗶𝗿𝘀𝘁 𝗰𝗼𝗺𝗺𝗲𝗻𝘁. 👇 #AIsecurity #GenAI #AgenticAI #RedTeam #Cybersecurity

𝗛𝗮𝗽𝗽𝗲𝗻𝗶𝗻𝗴 𝘁𝗼𝗺𝗼𝗿𝗿𝗼𝘄 𝗶𝗻 𝗭𝘂𝗿𝗶𝗰��� 🎙️ We’re joining the 𝗭𝘂𝗿𝗶𝗰𝗵 𝗔𝗜 𝗠𝗲𝗲𝘁𝘂𝗽, where Max Mathys will share fresh insights from 𝘎𝘢𝘯𝘥𝘢𝘭𝘧 and 𝘎𝘢𝘯𝘥𝘢𝘭𝘧: 𝘈𝘨𝘦𝘯𝘵 𝘉𝘳𝘦𝘢𝘬𝘦𝘳, powered by the world’s largest #GenAI red team. Expect a clear look at how attackers actually break #agentic systems, the patterns we see across thousands of real prompt-injection attempts, and what this means for 𝘀𝗲𝗰𝘂𝗿𝗶𝗻𝗴 𝗚𝗲𝗻𝗔𝗜 𝗶𝗻 𝟮𝟬𝟮𝟱 🔍 There are only a handful of spots left. If you want to understand what’s really happening in agent security right now, this is the place to be. 👉 𝗘𝘃𝗲𝗻𝘁 𝗽𝗮𝗴𝗲: https://lnkd.in/dsZW_Xpf #AI #Security #GenAI #Agents #Zürich #Meetup #Lakera

🚨 𝗧𝗵𝗲 𝗬𝗲𝗮𝗿 𝗼𝗳 𝘁𝗵𝗲 𝗔𝗴𝗲𝗻𝘁 𝗶𝘀 𝗵𝗲𝗿𝗲 𝗮𝗻𝗱 𝗮𝘁𝘁𝗮𝗰𝗸𝗲𝗿𝘀 𝗱𝗶𝗱 𝗻𝗼𝘁 𝘄𝗮𝘀𝘁𝗲 𝗮𝗻𝘆 𝘁𝗶𝗺𝗲. 2025 was the year AI #agents crossed the line from prototypes to practical, real workflows. 𝗕𝗿𝗼𝘄𝘀𝗶𝗻𝗴. 𝗗𝗼𝗰𝘂𝗺𝗲𝗻𝘁 𝗵𝗮𝗻𝗱𝗹𝗶𝗻𝗴. 𝗧𝗼𝗼𝗹 𝘂𝘀𝗲. 𝗠𝘂𝗹𝘁𝗶-𝘀𝘁𝗲𝗽 𝘁𝗮𝘀𝗸𝘀. And every one of those capabilities created a new path for attackers to explore. In Q4 we watched adversaries move faster, learn quicker and adjust their techniques almost instantly. Some of the patterns we saw did not even exist a few months earlier. We are bringing researchers, engineers and industry leaders together for a 𝟰𝟱 𝗺𝗶𝗻𝘂𝘁𝗲 𝘀𝗲𝘀𝘀𝗶𝗼𝗻 that breaks down what really happened and what these signals mean for 2026. If you want a clear view of where #AI threats are heading, this one is worth your time. 👉 𝗗𝗲𝗰 𝟭𝟬. 𝗧𝗵𝗲 𝗬𝗲𝗮𝗿 𝗼𝗳 𝘁𝗵𝗲 𝗔𝗴𝗲𝗻𝘁: 𝗔𝗜 𝗧𝗵𝗿𝗲𝗮𝘁𝘀 𝗮𝗻𝗱 𝗗𝗲𝗳𝗲𝗻𝘀𝗲𝘀 𝘁𝗵𝗮𝘁 𝗗𝗲𝗳𝗶𝗻𝗲𝗱 𝟮𝟬𝟮𝟱 𝗮𝗻𝗱 𝗪𝗵𝗮𝘁’𝘀 𝗖𝗼𝗺𝗶𝗻𝗴 𝗶𝗻 𝟮𝟬𝟮𝟲 🔗 https://lnkd.in/d4-BfYQT

𝗣𝗼𝗲𝘁𝗿𝘆 𝗮𝘀 𝗮 𝗿𝗲𝗹𝗶𝗮𝗯𝗹𝗲 𝗷𝗮𝗶𝗹𝗯𝗿𝗲𝗮𝗸 𝘁𝗲𝗰𝗵𝗻𝗶𝗾𝘂𝗲? A new study tested 25 major #LLMs and found that simply rewriting dangerous prompts as verse—nothing else—caused many models to fail. No DAN prompts. No Pliny. Just rhyme, rhythm, and metaphor. Our own Steve Giguere recorded a short breakdown of how this works, what it means for AI security, and how it aligns with the #Lakera 𝗔𝗜 𝗠𝗼𝗱𝗲𝗹 𝗥𝗶𝘀𝗸 𝗜𝗻𝗱𝗲𝘅 (link in comments). 𝗦𝗽𝗼𝗶𝗹𝗲𝗿: Capability without security alignment is volatility. If you’re building, testing, or deploying #AI systems, there are some key takeaways.

𝗪𝗲𝗹𝗹, 𝘁𝗵𝗲 𝘁𝗶𝗺𝗶𝗻𝗴 𝗰𝗼𝘂𝗹𝗱 𝗻𝗼𝘁 𝗯𝗲 𝗯𝗲𝘁𝘁𝗲𝗿. We just released a deep dive on 𝗶𝗻𝗱𝗶𝗿𝗲𝗰𝘁 𝗽𝗿𝗼𝗺𝗽𝘁 𝗶𝗻𝗷𝗲𝗰𝘁𝗶𝗼𝗻, and today we already have a real incident that reads like a case study pulled straight from the article. 🔍 #Google’s new #Antigravity environment was shown to 𝗹𝗲𝗮𝗸 𝗰𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹𝘀 through an 𝗶𝗻𝗱𝗶𝗿𝗲𝗰𝘁 𝗽𝗿𝗼𝗺𝗽𝘁 𝗶𝗻𝗷𝗲𝗰𝘁𝗶𝗼𝗻 𝗵𝗶𝗱𝗱𝗲𝗻 𝗶𝗻𝘀𝗶𝗱𝗲 𝗮 𝗵𝗮𝗿𝗺𝗹𝗲𝘀𝘀 𝗶𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗼𝗻 𝗴𝘂𝗶𝗱𝗲. One instruction in 1-point font and suddenly the agent is collecting secrets, bypassing protections, building an exfiltration URL, and sending the whole package out through a browser subagent. ⚠️ If you have been following our indirect prompt injection work or the Agentic Threats series, this pattern will feel very familiar:  1. The attack slips in through an ingestion surface.  2. The model reads it.  3. The architecture takes over.  4. The system acts before anyone notices. This is exactly the kind of behaviour we keep seeing in real red teaming and in 𝘎𝘢𝘯𝘥𝘢𝘭𝘧: 𝘈𝘨𝘦𝘯𝘵 𝘉𝘳𝘦𝘢𝘬𝘦𝘳. And it is exactly what we will be covering in our live event on 𝗗𝗲𝗰𝗲𝗺𝗯𝗲𝗿 𝟭𝟬, along with the broader agentic risks emerging across the industry. 𝗟𝗶𝗻𝗸𝘀 𝘁𝗼 𝘁𝗵𝗲 𝗶𝗻𝗰𝗶𝗱𝗲𝗻𝘁 𝗯𝗿𝗲𝗮𝗸𝗱𝗼𝘄𝗻, 𝗼𝘂𝗿 𝗮𝗿𝘁𝗶𝗰𝗹𝗲𝘀, 𝗮𝗻𝗱 𝗲𝘃𝗲𝗻𝘁 𝗿𝗲𝗴𝗶𝘀𝘁𝗿𝗮𝘁𝗶𝗼𝗻 𝗮𝗿𝗲 𝗮𝗹𝗹 𝗶𝗻 𝘁𝗵𝗲 𝗳𝗶𝗿𝘀𝘁 𝗰𝗼𝗺𝗺𝗲𝗻𝘁. 👇 #AIsecurity #GenAI #PromptInjection #AgenticAI #RedTeam

A lot of teams still assume #PromptInjection is something you fix with 𝘴𝘵𝘳𝘰𝘯𝘨𝘦𝘳 𝘴𝘺𝘴𝘵𝘦𝘮 𝘱𝘳𝘰𝘮𝘱𝘵𝘴 or a splash of sanitization. That idea lasts right up until its quieter sibling walks in and quietly rewires the whole system: 𝗶𝗻𝗱𝗶𝗿𝗲𝗰𝘁 𝗽𝗿𝗼𝗺𝗽𝘁 𝗶𝗻𝗷𝗲𝗰𝘁𝗶𝗼𝗻. 🔍💥 Direct attacks hit the prompt you can see. Indirect attacks hide in the places your AI strolls through without thinking. 📄 PDFs 🌐 Webpages 📬 Emails 📚 RAG docs 🧩 MCP schemas 💾 Memory entries Slip a single instruction into any of those and the model eats it whole. No alerts. No red flags. No “𝘢𝘳𝘦 𝘺𝘰𝘶 𝘴𝘶𝘳𝘦?” Just a calm AI assistant suddenly helping the attacker because it believes the hidden text is part of the plan. 🤝😬 Here’s the real kicker. Indirect attacks don’t just confuse the model. They exploit the 𝘢𝘳𝘤𝘩𝘪𝘵𝘦𝘤𝘵𝘶𝘳𝘦. Once you blend trusted and untrusted inputs in the same context, the model treats everything as fair game. The 𝗰𝗼𝗺𝗽𝗮𝗿𝗶𝘀𝗼𝗻 𝘁𝗮𝗯𝗹𝗲 𝗯𝗲𝗹𝗼𝘄 shows exactly how direct and indirect attacks differ and why indirect prompt injection keeps showing up in red teaming and real deployments. This is the part that product teams and leadership often miss until they see it mapped out. If your system ingests untrusted content, indirect prompt injection is already in your threat model. The question is whether you have looked for it yet. 👇 𝗙𝘂𝗹𝗹 𝗮𝗿𝘁𝗶𝗰𝗹𝗲 𝗶𝗻 𝘁𝗵𝗲 𝗳𝗶𝗿𝘀𝘁 𝗰𝗼𝗺𝗺𝗲𝗻𝘁. #AI #GenAI #RedTeam #Cybersecurity #LLMapps

𝗧𝗵𝗲 𝗻𝗲𝘄 𝗠𝗖𝗣 𝘀𝗽𝗲𝗰 𝗹𝗮𝗻𝗱𝘀 𝘁𝗼𝗺𝗼𝗿𝗿𝗼𝘄. Before it drops, here’s one moment from the article that still surprises people who work with agents every day. When an #agent connects to an #MCP server, the very first thing it does is ask: “𝘞𝘩𝘢𝘵 𝘤𝘢𝘯 𝘐 𝘥𝘰 𝘩𝘦𝘳𝘦?” That single request, tools/list, hands the agent its entire identity.  • 𝗘𝗺𝗮𝗶𝗹 ✉️  • 𝗦𝗤𝗟 🗄️  • 𝗝𝗶𝗿𝗮 𝗮𝘂𝘁𝗼𝗺𝗮𝘁𝗶𝗼𝗻 🧩  • 𝗖𝗹𝗼𝘂𝗱 𝗮𝗰𝗰𝗲𝘀𝘀 ☁️ Whatever the server claims instantly becomes the agent’s worldview. And until this new spec, the agent trusted 𝘦𝘷𝘦𝘳𝘺 𝘸𝘰𝘳𝘥. A server could reinvent itself overnight and quietly add dangerous “abilities.” ⚠️ A tool description could hide an extra instruction. And unless someone caught the exact moment the list changed, no one would know. If you want to understand why these issues needed fixing and what tomorrow’s spec actually changes, this breakdown by Lakera’s Steve Giguere is a perfect primer. 👉 𝗪𝗵𝗮𝘁 𝘁𝗵𝗲 𝗡𝗲𝘄 𝗠𝗖𝗣 𝗦𝗽𝗲𝗰𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗠𝗲𝗮𝗻𝘀 𝘁𝗼 𝗬𝗼𝘂 𝗮𝗻𝗱 𝗬𝗼𝘂𝗿 𝗔𝗴𝗲𝗻𝘁𝘀 https://lnkd.in/dpcN_5Y7

𝗜𝗻𝗱𝗶𝗿𝗲𝗰𝘁 𝗣𝗿𝗼𝗺𝗽𝘁 𝗜𝗻𝗷𝗲𝗰𝘁𝗶𝗼𝗻 𝗵𝗮𝘀 𝗯𝗲𝗰𝗼𝗺𝗲 𝗼𝗻𝗲 𝗼𝗳 𝘁𝗵𝗲 𝗺𝗼𝘀𝘁 𝗰𝗼𝗺𝗺𝗼𝗻 𝗮𝘁𝘁𝗮𝗰𝗸 𝗽𝗮𝘁𝘁𝗲𝗿𝗻𝘀 𝘄𝗲 𝘀𝗲𝗲 𝗮𝗰𝗿𝗼𝘀𝘀 𝗿𝗲𝗮𝗹 𝗔𝗜 𝗱𝗲𝗽𝗹𝗼𝘆𝗺𝗲𝗻𝘁𝘀. The reason is simple. These attacks enter through the places teams rarely look. Hidden instructions sit inside the data your AI consumes every day. Webpages. PDFs. Emails. #MCP metadata. #RAG documents. Memory stores. Code comments. Once the model reads the poisoned content, the instructions blend into its context and shape behavior without any user interaction. Here is what the lifecycle actually looks like: 1️⃣ 𝗣𝗼𝗶𝘀𝗼𝗻 𝘁𝗵𝗲 𝘀𝗼𝘂𝗿𝗰𝗲 2️⃣ 𝗔𝗜 𝗶𝗻𝗴𝗲𝘀𝘁𝘀 𝘁𝗵𝗲 𝗰𝗼𝗻𝘁𝗲𝗻𝘁 3️⃣ 𝗜𝗻𝘀𝘁𝗿𝘂𝗰𝘁𝗶𝗼𝗻𝘀 𝗮𝗰𝘁𝗶𝘃𝗮𝘁𝗲 4️⃣ 𝗧𝗵𝗲 𝗺𝗼𝗱𝗲𝗹 𝘁𝗿𝗶𝗴𝗴𝗲𝗿𝘀 𝗵𝗮𝗿𝗺𝗳𝘂𝗹 𝗯𝗲𝗵𝗮𝘃𝗶𝗼𝗿 We have published a full breakdown of how these attacks unfold in practice, why #agentic systems amplify the impact, and which architectural controls help reduce the risk. If you are building or securing #GenAI applications, this is a pattern worth understanding early. 🔗 𝗟𝗶𝗻𝗸 𝘁𝗼 𝘁𝗵𝗲 𝗳𝘂𝗹𝗹 𝗮𝗿𝘁𝗶𝗰𝗹𝗲 𝗶𝗻 𝘁𝗵𝗲 𝗰𝗼𝗺𝗺𝗲𝗻𝘁 𝗯𝗲𝗹𝗼𝘄 👉 𝘐𝘯𝘥𝘪𝘳𝘦𝘤𝘵 𝘗𝘳𝘰𝘮𝘱𝘵 𝘐𝘯𝘫𝘦𝘤𝘵𝘪𝘰𝘯: 𝘛𝘩𝘦 𝘏𝘪𝘥𝘥𝘦𝘯 𝘛𝘩𝘳𝘦𝘢𝘵 𝘉𝘳𝘦𝘢𝘬𝘪𝘯𝘨 𝘔𝘰𝘥𝘦𝘳𝘯 𝘈𝘐 𝘚𝘺𝘴𝘵𝘦𝘮𝘴 👉

𝗧𝗵𝗲 𝗠𝗼𝗱𝗲𝗹 𝗖𝗼𝗻𝘁𝗲𝘅𝘁 𝗣𝗿𝗼𝘁𝗼𝗰𝗼𝗹 𝗶𝘀 𝗷𝘂𝘀𝘁 𝗮𝗯𝗼𝘂𝘁 𝘁𝗼 𝗴𝗲𝘁 𝗮 𝗺𝗮𝗷𝗼𝗿 𝘂𝗽𝗴𝗿𝗮𝗱𝗲. #MCP has quietly become the wiring behind modern #agentic systems, and with the new spec landing on 𝗡𝗼𝘃𝗲𝗺𝗯𝗲𝗿 𝟮𝟱, the protocol finally steps into real enterprise territory. #Lakera’s own Steve Giguere just published a crisp breakdown of 𝘄𝗵𝗮𝘁’𝘀 𝗰𝗵𝗮𝗻𝗴𝗲𝗱, 𝘄𝗵𝘆 𝗶𝘁 𝗺𝗮𝘁𝘁𝗲𝗿𝘀, and 𝗵𝗼𝘄 𝘁𝗵𝗲𝘀𝗲 𝘂𝗽𝗱𝗮𝘁𝗲𝘀 𝗿𝗲𝘀𝗵𝗮𝗽𝗲 𝘁𝗵𝗲 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗺𝗼𝗱𝗲𝗹 for anyone building or defending #AIagents. ⚙️🤖 If MCP powers your workflows (or soon will) this is the piece you’ll want to read. 👉 𝘞𝘩𝘢𝘵 𝘵𝘩𝘦 𝘕𝘦𝘸 𝘔𝘊𝘗 𝘚𝘱𝘦𝘤𝘪𝘧𝘪𝘤𝘢𝘵𝘪𝘰𝘯 𝘔𝘦𝘢𝘯𝘴 𝘵𝘰 𝘠𝘰𝘶, 𝘢𝘯𝘥 𝘠𝘰𝘶𝘳 𝘈𝘨𝘦𝘯𝘵𝘴 👉 https://lnkd.in/dpcN_5Y7

We’re joining the Zürich AI Meetup next Friday 🎙️ Catch Max Mathys on stage with insights from #Gandalf and Gandalf: Agent Breaker. Max will walk through what thousands of real attacks reveal about agentic systems today, the techniques that break them most often, and what this means for the state of AI security in 2025 🔍 If you want a clear picture of where #GenAI risks are heading and what we’re uncovering through Agent Breaker, don’t miss this session. #AI #Security #Agents #Zürich #Meetup #Lakera