I red-team AI for a living. Prompt injections, jailbreaks, agents tricked into doing things they shouldn't. This account is where I'll share how AI systems actually break — and how to stop it.
Your AI gateway: one proxy for all your models, and one handy door for attackers. Let them command-inject LiteLLM, now on CISA's exploited list. Centralize traffic, centralize the headache.
https://t.co/v2Uh9hqy5E
#AISecurity #PromptInjection #LLMSecurity
Prompt-to-RCE: when an agent can run code, a prompt injection becomes remote code execution.
CVE-2026-26030 turned one crafted prompt into a shell. It can execute... what's the defense?
https://t.co/wzrH8tuhRC
#AISecurity #PromptInjection #LLMSecurity
The Lethal Trifecta: private data + untrusted content + an outbound channel in one agent.
Any one is safe; all three let one poisoned page exfiltrate your secrets. Design to break the Trifecta... not out-prompt the flaw.
https://t.co/VLpakEIG0n
#AISecurity #PromptInjection #LLMSecurity
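One way to "design to break the Trifecta" at runtime, as an added example that is not from the post or any product it mentions: label each agent tool with the capabilities it exercises, track which of the three have been used in a session, and refuse the call that would make all three present. The tool manifest and session traces are constructed for illustration.

```python
"""Session guard that refuses to complete the Lethal Trifecta.

Conservative by design: the order of calls does not matter, any session
that has touched all three capabilities is treated as an exfil path.
"""
from dataclasses import dataclass, field

PRIVATE_DATA = "private_data"      # secrets, mail bodies, files, DB rows
UNTRUSTED_CONTENT = "untrusted"    # web pages, inbound mail, shared docs
OUTBOUND = "outbound"              # HTTP, email, chat: anything that sends
TRIFECTA = frozenset({PRIVATE_DATA, UNTRUSTED_CONTENT, OUTBOUND})

# Constructed manifest for a hypothetical assistant; not a real product's tools.
TOOL_CAPABILITIES = {
    "read_inbox": {PRIVATE_DATA, UNTRUSTED_CONTENT},  # mail is secret AND attacker-writable
    "read_vault": {PRIVATE_DATA},
    "fetch_url": {UNTRUSTED_CONTENT},
    "send_email": {OUTBOUND},
    "calculator": set(),
}


@dataclass
class TrifectaGuard:
    exercised: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def check(self, tool: str) -> bool:
        """Return True if the call may proceed; record and deny otherwise."""
        caps = TOOL_CAPABILITIES[tool]
        combined = self.exercised | caps
        if combined >= TRIFECTA:  # this call would put all three in one session
            self.log.append(f"DENY {tool}: would complete trifecta {sorted(combined)}")
            return False
        self.exercised = combined
        self.log.append(f"ALLOW {tool}")
        return True


def run_session(calls):
    """Replay a sequence of tool calls; return (allowed tool names, audit log)."""
    guard = TrifectaGuard()
    allowed = [tool for tool in calls if guard.check(tool)]
    return allowed, guard.log


if __name__ == "__main__":
    # Constructed trace: a fetched page tries to get the vault contents mailed out.
    for line in run_session(["fetch_url", "read_vault", "send_email"])[1]:
        print(line)
```

Two of the three capabilities are still allowed together, which is the point: the guard only blocks the combination, so an agent that only reads the web and sends mail, or only reads secrets and sends mail, keeps working.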
Allowlist bypass via shell built-ins: Cursor checked external commands but not built-ins. CVE-2026-22708 let prompt injection poison PATH so "git" ran attacker code.
https://t.co/ZvhmLEWg11
#AISecurity #PromptInjection #LLMSecurity
Data poisoning is the AI attack that doesn't trip an alarm.
Model trains fine. Passes eval. Ships. Then months later it does something it learned from a poisoned source, at the worst possible moment.
And your training pipeline is just one door. Third-party checkpoints, RAG indexes, public datasets, agent-to-agent. Every one's a way in.
Mindgard's guide on it: https://t.co/tinscWk0Ma
#LLMSecurity
Parameter-to-Prompt Injection (P2P): the attacker controls a parameter that flows into the prompt. SearchLeak turned one Copilot link into 1-click data theft.
If a value can reach the prompt, treat it as hostile.
https://t.co/8WBFzquWK3
#AISecurity #PromptInjection #LLMSecurity
None of these were "hacks." People just typed the right words into a live system nobody stress-tested first.
That's the whole job: find the moment in a safe environment... not in a screenshot with 4M views.
#AISecurity #PromptInjection
NYC's own MyCity bot told business owners they could take workers' tips and refuse Section 8 tenants.
An official government bot, confidently handing out illegal advice.
https://t.co/dNFrvu80KY
If you build, secure, or just worry about AI systems — follow along. And reply, push back, ask things. The sharpest conversations in this field happen here.
Why it matters: most AppSec wasn't built for AI. Agents that plan, call tools, and act turn a single bad output into a real kill chain. That gap is what I work in every day.