Prompt Injection Defense: Testing, Hardening, and Cryptographic Attestation

The problem

An LLM with access to private data and the ability to act becomes dangerous the moment untrusted content reaches it — Simon Willison's "lethal trifecta." Indirect injection (through a retrieved document or a tool's output) means the attacker never has to touch your prompt directly. Filtering for bad strings is a losing game on its own.

How we harden it

We shrink the attack surface in layers rather than betting on one filter:

• Structured-output-only triage — constrain the model to a fixed schema so injected behavior has nowhere to land downstream.
• Data-fencing / spotlighting — per-request delimiting so the model treats untrusted input as data, never instructions.
• Output validation & sanitization — enforce enums and ranges, strip links and active content before any human or system trusts the output.
• Canary & leak detection — detect when an instruction has redirected the model and route to human review.
• Tool-permission minimization — reduce what a compromised prompt can actually reach.

Cryptographic prompt attestation

For high-stakes systems we replace brittle "injection detection" with provenance. Our research project Seal wraps every prompt in an Ed25519-signed Verified Prompt Envelope that proves who authorized it and that it wasn't tampered with — injection defense by construction, that fails closed instead of failing silent.

What you get

• A threat model of your specific injection surface.
• A layered-defense design your team can implement — the blueprint, not a black box.
• Optional cryptographic-attestation integration design where it's warranted.