SOP-006: Prompt Injection Security
Fresh Updated January 2026| Document Control | |
|---|---|
| SOP ID | SOP-006 |
| Version | 1.0 |
| Status | Active |
| Source | OWASP, Anthropic MCP (2024) |
Overview
Prompt injection vulnerabilities exist because LLMs have no architectural separation between system instructions, tool specifications, and user input. All are processed as tokens in the same sequence.
The Fundamental Problem
Core Issue
Models cannot intrinsically distinguish "trusted" vs. "untrusted" content. Everything is just tokens.
Attack Vectors
1. Direct Prompt Injection
User input contains instructions that override system prompts:
- "Ignore previous instructions and..."
- "Your new task is to..."
- Hidden instructions in seemingly normal text
2. Indirect Prompt Injection
Malicious instructions embedded in:
- Websites being summarized
- Documents being analyzed
- Emails being processed
3. Context Poisoning (Multi-Turn)
WARNING
Early responses influence later generations. Long conversations accumulate unintended priming.
Impact on GEO/AEO
| Risk | Impact | Relevance |
|---|---|---|
| Instruction drift | Content strategy deviates | High |
| Competitor manipulation | External content poisons your prompts | High |
| Citation manipulation | Embedded instructions affect citations | Medium |
| Output unreliability | Long sessions produce inconsistent content | High |
Mitigation Strategies
1. External Guardrails
- Structured output enforcement
- Constrained generation
- Pre/post processing filters
2. Model Context Protocol (MCP)
Anthropic's MCP (2024) provides:
- Sandboxed tool invocation
- Clearer context boundaries
- Structured communication channels
INFO
MCP is not a complete solution but provides partial mitigation through architectural redesign.
3. Session Management
| Strategy | Implementation |
|---|---|
| Fresh sessions | Start new conversations for critical tasks |
| Turn limits | Cap multi-turn conversations |
| Context clearing | Periodically reset context |
| Output verification | Check outputs against expectations |
Long Session Impact
Qualitative evidence shows content drift in long sessions. Multiple short sessions are safer than single long sessions.
Best Practices for GEO/AEO
Content Creation
- Use fresh sessions for each content piece
- Avoid multi-turn for critical generation
- Verify outputs against original requirements
- Don't trust external content in prompts without review
System Design
- Implement validation layers
- Use structured outputs where possible
- Monitor for drift in automated pipelines
- Log and audit prompt-response pairs
Verification Checklist
- [ ] Understand no architectural separation exists
- [ ] Implement input validation for user-facing systems
- [ ] Use fresh sessions for critical content
- [ ] Limit multi-turn conversation length
- [ ] Review external content before including in prompts
- [ ] Consider MCP for tool-using applications
OWASP LLM Top 10 Reference
| Rank | Vulnerability | Relevance to GEO/AEO |
|---|---|---|
| #1 | Prompt Injection | High - Direct impact |
| #2 | Insecure Output Handling | Medium |
| #3 | Training Data Poisoning | Low |
| #4 | Model Denial of Service | Low |
| #5 | Supply Chain Vulnerabilities | Low |
See Also
Citations
"System prompts, tool specs, and user input all tokens in same sequence; models can't intrinsically distinguish 'trusted' vs. 'untrusted'" — OWASP LLM Security Literature
"MCP provides sandboxed tool invocation, but not complete solution" — Anthropic MCP (2024)