The Surface You Test Is Not the Surface That Breaks
Researchers demonstrate that LLM agent vulnerabilities to prompt injection attacks vary dramatically depending on the injection surface used, with the same attack payload showing 96% success on one model via tool outputs but only 4% via tool descriptions. The study reveals that vulnerability is determined by model-surface interaction rather than the injection channel alone, exposing critical blindspots in current AI security evaluation methodology.
This research exposes a fundamental flaw in how AI security is currently measured and reported. Rather than treating prompt injection vulnerability as a fixed property of a model, the study reveals it is fundamentally relational—dependent on which part of the agent's context an attacker exploits. Testing GPT-4.1 and Gemini-3-Flash with identical attack payloads delivered through different surfaces produces inverse outcomes, suggesting evaluation methodologies have been inadvertently measuring only partial vulnerability landscapes. The 16.7% variance attributed to model-surface interaction indicates this pairing effect is substantial and systematic across different LLM architectures.
The research builds on growing concerns about prompt injection as AI systems become increasingly agentic and integrated with external tools. Previous evaluations created a false sense of relative security by reporting single attack success rates, masking the reality that defenders would need to secure multiple attack surfaces simultaneously. The Adaptive Attack Rate metric reveals that worst-case vulnerability exceeds strongest defenses by over 9 percentage points, suggesting attackers have inherent advantages in this asymmetric threat model.
For developers deploying LLM agents, this creates immediate practical challenges. Current defensive mechanisms like prompt-level defenses reduce attack success on tool outputs to 10-18% while remaining ineffective against description-channel attacks above 54%. This incomplete protection creates false confidence. Organizations must now evaluate security across all injection surfaces rather than relying on single-channel testing. The finding that vulnerability depends on model-surface pairing rather than surface alone means security postures cannot be generalized—each deployment requires comprehensive multi-surface evaluation against its specific LLM choice.
- →LLM vulnerability to prompt injection is determined by model-surface interaction, not the injection channel alone
- →GPT-4.1 and Gemini-3-Flash show inverse vulnerability patterns across different attack surfaces, indicating no universal vulnerability profile
- →Standard prompt-level defenses leave tool description channels 54%+ vulnerable while reducing tool output attacks to 10-18%
- →Adaptive attacks exploiting multiple surfaces exceed fixed-surface baselines by 9.1 percentage points on average
- →Current security evaluations report incomplete vulnerability by testing only single surfaces, requiring methodology redesign