Agentic AI · injection exposure

A web page told your agentto do it. Did it obey?

Indirect prompt injection — a hidden instruction buried in a page, email, ticket, or document the agent reads — is the top agentic-AI risk. It becomes a breach only when the kill-chain is open end to end. Grade an agent on the six design controls that close it, before an attacker walks it.

Get the Gate — $79one-time · instant download · yours to keep

Not a scanner or security audit. This grades an agent's design from your own marks — it runs no attacks, detects nothing at runtime, scores no people, and guarantees no outcome. It is distinct from the Prompt Injection Red Team Kit. Validate high-stakes agents with your security team.

Five deliverables · runnable
Runnable Python engine
stdlib
Exposure workbook
.xlsx
Exposure-Mapping Playbook
.docx
Control-Hardening Runbook
.docx
5-agent worked sample
.csv
Works alongside
Go-Live Gate · Connector Access Auditor · Output Risk Triage
01.The Problem

The attacker doesn't prompt your agent. The content does.

#1

Indirect prompt injection / goal hijacking is the top-ranked risk in the OWASP agentic-AI top ten.

Enter · act · catch

the three-link chain an injection has to complete. Break one link and the whole attack fails.

Reads ≠ runs

the fix isn't a smarter filter — it's a design that treats everything the agent reads as untrusted data, not commands.

An agent that reads a support ticket, a web page, or a PDF can be carrying someone else's instructions without knowing it. You can't filter your way to safety — but you can design so the injection has nowhere to go. This Gate measures whether your agent's design closes the chain, agent by agent.

02.See It Work

Mark six controls. Watch the kill-chain gate override a 72.

Try it — Customer-support copilot (reads tickets)

Mark each control. Three of them (★) form the injection kill-chain — leave all three below Controlled and the gate overrides the score.

Input / instruction separation
Tool & retrieved output treated as untrusted
Least-privilege tool scope (blast radius)
Output validation before downstream use
Human-in-the-loop on high-impact actions
Egress / exfiltration controls
HIGH EXPOSUREscore 72/100

Gate tripped: the kill-chain is open end to end — untrusted output can enter, an unscoped high-impact tool can act, and no human is in the loop to catch it. HIGH EXPOSURE regardless of score — close any one ★ control and it releases.

Fix first: Treat output as untrusted.

Grades the agent's design, never people. Not a scanner or red-team. Runs offline in the workbook and engine.

03.What's Inside

A runnable engine, a workbook that reproduces it, and two playbooks.

The verdict comes three ways — Python engine, Excel workbook, and on-page demo, byte-for-byte identical. Here is the engine's real output on the five-agent sample:

==================================================================
INDIRECT PROMPT-INJECTION EXPOSURE GATE
Grades the agent's design, not people. Not a scanner or red-team.
==================================================================

  AGENT: Customer-support copilot (reads tickets)
  Verdict: HIGH EXPOSURE   (exposure score 72/100)
  >> GATE: the injection kill-chain is open end to end —
     untrusted output can ENTER, an unscoped high-impact tool
     can ACT, and no human is in the loop to CATCH it. HIGH
     EXPOSURE regardless of score. Close any one link to release.
  Fix first: Tool & retrieved output treated as untrusted
  Controls:
    [2] CONTROLLED Input / instruction separation
    [1] PARTIAL    Tool & retrieved output treated as untrusted  <-- kill-chain
    [1] PARTIAL    Least-privilege tool scope (blast radius)  <-- kill-chain
    [2] CONTROLLED Output validation before downstream use
    [1] PARTIAL    Human-in-the-loop on high-impact actions  <-- kill-chain
    [2] CONTROLLED Egress / exfiltration controls

  AGENT: Email triage & auto-reply agent
  Verdict: HIGH EXPOSURE   (exposure score 40/100)
  >> GATE: the injection kill-chain is open end to end —
     untrusted output can ENTER, an unscoped high-impact tool
     can ACT, and no human is in the loop to CATCH it. HIGH
     EXPOSURE regardless of score. Close any one link to release.
  Fix first: Tool & retrieved output treated as untrusted
  Controls:
    [1] PARTIAL    Input / instruction separation
    [0] OPEN       Tool & retrieved output treated as untrusted  <-- kill-chain
    [1] PARTIAL    Least-privilege tool scope (blast radius)  <-- kill-chain
    [1] PARTIAL    Output validation before downstream use
    [1] PARTIAL    Human-in-the-loop on high-impact actions  <-- kill-chain
    [1] PARTIAL    Egress / exfiltration controls

  AGENT: Internal RAG research assistant
  Verdict: CONTAINED   (exposure score 90/100)
  Fix first: Tool & retrieved output treated as untrusted
  Controls:
    [2] CONTROLLED Input / instruction separation
    [1] PARTIAL    Tool & retrieved output treated as untrusted  <-- kill-chain
    [2] CONTROLLED Least-privilege tool scope (blast radius)  <-- kill-chain
    [2] CONTROLLED Output validation before downstream use
    [2] CONTROLLED Human-in-the-loop on high-impact actions  <-- kill-chain
    [2] CONTROLLED Egress / exfiltration controls

  AGENT: Code-review bot (reads PRs)
  Verdict: CONTAINED   (exposure score 77/100)
  Fix first: Least-privilege tool scope (blast radius)
  Controls:
    [2] CONTROLLED Input / instruction separation
    [2] CONTROLLED Tool & retrieved output treated as untrusted  <-- kill-chain
    [1] PARTIAL    Least-privilege tool scope (blast radius)  <-- kill-chain
    [1] PARTIAL    Output validation before downstream use
    [2] CONTROLLED Human-in-the-loop on high-impact actions  <-- kill-chain
    [1] PARTIAL    Egress / exfiltration controls

  AGENT: Read-only analytics summarizer
  Verdict: CONTAINED   (exposure score 100/100)
  Controls:
    [2] CONTROLLED Input / instruction separation
    [2] CONTROLLED Tool & retrieved output treated as untrusted  <-- kill-chain
    [2] CONTROLLED Least-privilege tool scope (blast radius)  <-- kill-chain
    [2] CONTROLLED Output validation before downstream use
    [2] CONTROLLED Human-in-the-loop on high-impact actions  <-- kill-chain
    [2] CONTROLLED Egress / exfiltration controls

------------------------------------------------------------------
  FLEET: EXPOSED   (2 of 5 high exposure, exposure rate 40%)
  Worst agent to fix first: Email triage & auto-reply agent
------------------------------------------------------------------
Input / instruction separation

The agent's own instructions stay structurally apart from the content it reads — so a document can't pose as a system command.

Treat output as untrustedkill-chain

Tool results, retrieved pages, and emails are data to analyze — never instructions to obey. The chain's entry point.

Least-privilege tool scopekill-chain

High-impact tools are scoped down or absent, so even a fired injection can't do much. The chain's blast radius.

Output validation

The agent's output is checked against expected shape and policy before anything downstream acts on it.

Human-in-the-loopkill-chain

Money, messages, data changes, and sharing require explicit human approval. The chain's last catch.

Egress / exfiltration controls

Outbound destinations are constrained, so a hijacked agent can't quietly send data to an attacker's URL.

04.The Standard

The score measures hardening. The gate models the actual attack.

A weighted score for hardening

Six controls weighted to 100 give an exposure score — CONTAINED at 75+, HARDEN at 50–74, HIGH EXPOSURE below 50. Higher is safer. It tells you how hardened the agent is overall.

A gate that models the kill-chain

An injection only breaches when it can enter, act, and go uncaught. If all three of those controls are below full at once, the agent is HIGH EXPOSURE even at 72 — distinct work the average can't do. Close any one link and it releases.

It grades design, not people

Every verdict points to a control to harden, never a judgment of whoever built the agent. The honest outcome is sometimes 'give this agent a narrower job' — and that's the Gate working.

05.What It Is — And Isn't

A design-exposure gate, not an attack tool.

What it is
  • A deterministic, offline gate that grades an agent's injection exposure from your own marks.
  • A way to find the one control to harden first, agent by agent, before a breach.
  • A design-review aid for anyone shipping agents that read untrusted content.
What it isn't
  • Not a scanner, a red-team probe runner, a penetration test, or a runtime detector.
  • Not the Prompt Injection Red Team Kit (that runs probes against a live app) — this grades the design.
  • Not a clearance or a guarantee no injection can succeed, and not legal advice.

Not a scanner or security audit. This grades an agent's design from your own marks — it runs no attacks, detects nothing at runtime, scores no people, and guarantees no outcome. It is distinct from the Prompt Injection Red Team Kit. Validate high-stakes agents with your security team.

06.Who It's For

Anyone shipping an agent that reads what it didn't write.

  • Builders & founders wiring agents that read tickets, emails, web pages, or documents.
  • IT & security leads who need a repeatable exposure baseline for every agent in the org.
  • Platform teams setting a hardening bar agents must clear before launch.
  • Agencies & MSPs reviewing the agents they deploy into client stacks.
  • Product teams deciding whether an agent's job is too broad for its hardening.
  • Anyone who has read about an agent leaking data to a poisoned page and wants a gate, not a hunch.
08.Common Questions

The honest answers.

No. It is not a scanner, a red-team probe runner, a penetration test, or a runtime detector, and it connects to nothing. It grades the design of your agent's input surface from your own answers about six controls. The point is that indirect prompt injection is defeated by design, not detection: a hidden instruction in a web page or document only becomes a breach when the agent's design lets it enter, act, and go uncaught. This Gate tells you whether that chain is open before an attacker walks it.

Close the chain before
the content opens it.

Grade every agent, harden the named control first, and make sure an injected instruction has nowhere to enter, act, or escape. One purchase, lifetime access, 12 months of updates. $79, once.

Not a scanner or security audit. This grades an agent's design from your own marks — it runs no attacks, detects nothing at runtime, scores no people, and guarantees no outcome. It is distinct from the Prompt Injection Red Team Kit. Validate high-stakes agents with your security team.

Sold by RedHub AI LLC · Secured by Stripe · redhub.ai