The latest articles on DEV Community by 9hannahnine-jpg (@9hannahninejpg). https://dev.to/9hannahninejpg https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3935667%2F189ac222-8d42-4d5b-89ba-2b9792e512c3.png https://dev.to/9hannahninejpg en 9hannahnine-jpg Sun, 17 May 2026 01:52:48 +0000 https://dev.to/9hannahninejpg/why-prompt-filtering-fails-and-what-to-do-instead-55p5 https://dev.to/9hannahninejpg/why-prompt-filtering-fails-and-what-to-do-instead-55p5 <p>Every prompt injection defense I’ve seen makes the same mistake. It asks the wrong question.<br> The wrong question: “Does this prompt contain dangerous words?”<br> The right question: “Is untrusted content trying to become an instruction source?”<br> These are fundamentally different problems.</p> <p>The problem with filtering<br> Keyword filters fail because attackers adapt. Base64 encode your attack. ROT13 it. URL encode it. Space out the characters. Wrap it in a code block. The filter sees nothing dangerous. The model follows the instructions.<br> We patched all of those encoding variants last week after someone found them in our public red team environment. The attacker had to work harder. But they got through on the first try.<br> Filtering is an arms race you will always lose eventually.</p> <p>The real threat model<br> Prompt injection isn’t about dangerous vocabulary. It’s about unauthorized instruction-authority transfer.<br> Your agent has a clear hierarchy: system prompt at the top, developer instructions below that, user requests below that. The attack is when content from outside that hierarchy — a webpage, an email, a tool result, a retrieved document — tries to insert itself as a higher-authority instruction source.<br> A webpage telling your agent to “ignore previous instructions” isn’t dangerous because of the words. It’s dangerous because a zero-authority source is attempting to override a high-authority one.</p> <p>The fix: source-aware authority enforcement<br> Every content chunk should carry a trust level:<br> • System prompt: 100<br> • Developer instructions: 90<br> • User input: 50<br> • Tool output: 10<br> • Webpage: 10<br> • Email: 10<br> • Retrieved document: 10<br> Rule: lower-authority sources can provide data. They cannot issue instructions.<br> When a webpage footer says “ignore previous instructions” — that’s not a dangerous phrase. That’s a source boundary violation. A zero-authority source attempting behavioral authority.</p> <p>What this looks like in practice</p> <p>from langchain_arcgate import ArcGateCallback<br> from langchain_openai import ChatOpenAI</p> <p>llm = ChatOpenAI(callbacks=[ArcGateCallback(api_key="demo")])</p> <p>One line. Every prompt gets source-tagged before it reaches the model. Untrusted content that attempts instruction-authority transfer gets blocked or sandboxed before the model sees it.<br> For ambiguous cases — content that’s suspicious but not clearly malicious — capabilities get reduced rather than hard blocking. The agent continues safely with tool calls and external actions stripped. Graceful degradation instead of binary block/allow.</p> <p>Try to break it<br> We run a public adversarial evaluation environment. Submit attacks, get a full security trace back, download the JSON report.<br> <a href="https://web-production-6e47f.up.railway.app/break-arc-gate" rel="noopener noreferrer">https://web-production-6e47f.up.railway.app/break-arc-gate</a><br> Someone found a nested encoding bypass last week. It’s patched and documented in the public failure archive.<br> GitHub: <a href="https://github.com/9hannahnine-jpg/arc-gate" rel="noopener noreferrer">https://github.com/9hannahnine-jpg/arc-gate</a><br> Built by Bendex Geometry.</p> llm security ai agents