Sat 18 Jul 2026 / 10:12 ET
Kernel
Internet 4 min read

Tracebit tests prompt traps that stall AI hacking agents

The security firm says decoy AWS secrets containing forbidden prompts sharply reduced simulated account takeovers by AI agents.

June Castellano

By June Castellano / Platforms & Power Reporter

Tracebit tests prompt traps that stall AI hacking agents
img: WIRED

Tracebit says it has found a way to use one of large language models’ messiest security failures against AI-driven attackers: plant prompt injections where an autonomous hacking agent is likely to read them, then let the model’s own safety rules get in the way.

The company said Monday that it placed malicious-looking instruction strings next to decoy passwords, cryptographic keys and other secrets in a simulated Amazon Web Services environment. When AI agents enumerated cloud resources and encountered the strings, the prompts asked the underlying model to produce content blocked by its guardrails, such as banned weapons-related material or politically censored references for some Chinese-developed models. According to Tracebit, the models then refused to continue and often failed to recover the original attack task.

Tracebit calls the technique “context bombing,” a name that is a little theatrical but describes the mechanism well enough. The planted text enters the model’s context window, triggers a refusal behavior, and poisons the rest of the agent’s run.

“Ultimately we’re triggering a refusal mechanism in the context,” Tracebit cofounder and CEO Andy Smith said, according to the company’s write-up. Smith said the effect can be hard for agents to come back from because the refusal remains in the active context they are using to decide what to do next.

What Tracebit tested

Tracebit said it ran 152 simulated attack attempts across five models: Opus 4.8, Gemini 3.1 Pro, GLM 5.2, DeepSeek 4 Pro and Kimi 2.6. The company gave the agents routine developer-style tasks that led them to inspect AWS resources and eventually encounter the planted text.

The results, as reported by Tracebit, were blunt:

  • Administrative privilege escalation dropped from 57 percent of runs to 5 percent.
  • Administrative escalation with persistence dropped from 36 percent to 1 percent.
  • Runs completing any attack path dropped from 91 percent to 15 percent.
  • The average number of completed attack paths per run fell from 1.53 to 0.16.
  • Tracebit said no run completed an attack path without also triggering one of its canary detections.

The company said Opus 4.8 was the strongest attacker in its test setup, reaching administrative access in 93 percent of baseline runs. With a planted context bomb present, Tracebit said that model failed in every run.

Those are vendor-run experiments in a simulated cloud account, so they should be read as promising results, not field evidence that this stops real intrusions. The setup still matters because AI agents are especially prone to reading whatever looks operationally relevant. Secrets, keys and cloud inventory are exactly the kind of material an automated attacker would scrape while trying to expand access.

From warning system to speed bump

The new work extends a Tracebit method from May that used unused AWS resources as canaries. Those resources looked legitimate but had no business purpose. If an agent probed them, defenders received an alert.

Tracebit said those canaries warned defenders, on average, within eight minutes of an attack starting. In its experiments, agentic models took about 14 minutes on average to reach administrative control. That left defenders roughly six minutes, which is not much time unless your incident response plan is “panic, but with dashboards.”

Context bombing is meant to slow or stop the agent, not just ring the bell.

The defensive idea mirrors attacker behavior already seen in the wild. Security firm Socket reported last month that an LLM agent used prompt injections asking target models for prohibited weapons-related content, apparently to disrupt AI-assisted malware analysis. Check Point researchers found a similar malware prototype.

Earlence Fernandes, a UC San Diego professor who studies AI security, told Ars Technica he was not aware of another defensive use of the same technique. He said he had been considering a related approach himself.

The larger problem remains unsolved. Researchers still have no general fix for prompt injection, which lets untrusted text steer a model away from its intended instructions. Tracebit’s work suggests defenders may be able to turn that weakness into a tripwire and a brake, at least against agents that obediently read the bait.

This story draws on original reporting from WIRED.

More Internet/

view all ↗