Analysis of AI agent vulnerabilities, attack techniques, and defensive patterns — plus findings from scans I run against public targets.
Input classifiers that detect prompt injection are the most common defense deployed in production. They're also trivially bypassable with encoding, fragmentation, and indirect injection. Here's why they fail and what to layer on top.
Read post →You found a prompt injection. You wrote a report. The triager closed it as informational. Here's why that keeps happening, and how to write LLM vulnerability reports that actually get accepted.
Read post →A step-by-step checklist for security-testing your AI agent in 4 hours. Six attack classes, specific prompts to try, and what each finding actually means for your product.
Read post →A junior contractor doesn't have access to the CFO's salary review notes. But they have edit access to a shared Notion page, and the company AI assistant indexes Notion. Three days later, every employee can ask the AI for a 'memory diagnostic' and get the CFO's notes back.
Read post →The OWASP Top 10 for LLM Applications is the best framework we have. It also has three blind spots that account for a disproportionate share of what I'm finding in the field — multi-tenant context bleed, agent-to-agent handoff attacks, and temporal/memory attacks.
Read post →Pure-LLM CTFs are unreliable because model alignment training fights your characters. Pure-deterministic CTFs teach pattern matching, not attack patterns. Here's the hybrid approach the Wraith Academy uses, and why it took a few iterations to get there.
Read post →I built a deliberately vulnerable chatbot, pointed Wraith at it, and watched it extract the full system prompt — including a production API key and admin database credentials. Here's exactly how.
Read post →Most security tools don't know how to test AI agents. That's a gap worth building a product around.
Read post →