Cracking the Code: Addressing Enterprise Security Teams’ Concerns on Injection Failure Rates

Revealing the Risks of Prompt Injection Attacks

When it comes to prompt injection attacks, the success rates can vary significantly depending on the coding environment and safeguards in place. A recent study compared the performance of prompt injection attacks on Claude Opus 4.6 in two different settings: a constrained coding environment and a GUI-based system with extended thinking capabilities.

In the constrained coding environment, the prompt injection attack against Claude Opus 4.6 failed every time, with a 0% success rate across 200 attempts. Surprisingly, no safeguards were needed to prevent the attacks from succeeding in this environment. However, when the same attack was moved to a GUI-based system with extended thinking enabled, the success rate increased dramatically. In this setting, a single attempt was successful 17.8% of the time without safeguards. By the 200th attempt, the breach rate reached 78.6% without safeguards and 57.1% with safeguards.

Understanding the Latest Models

The latest system cards released by various AI developers provide valuable insights into the success rates of prompt injection attacks and the effectiveness of safeguards. For example, Anthropic’s Opus 4.6 system card breaks down attack success rates by surface, attempt count, and safeguard configuration. This level of detail allows security leaders to make more informed decisions when procuring AI systems.

On the other hand, OpenAI’s GPT-5.2 system card includes benchmark scores but does not provide specific attack success rates by agent surface or across repeated attempts. Similarly, Google’s Gemini 3 model card focuses on relative safety improvements without publishing absolute attack success rates by surface or persistence scaling data.

The Importance of Vendor Disclosures

Vendor disclosures play a crucial role in understanding the risks associated with AI systems. By comparing the disclosure categories of different vendors, such as Anthropic, OpenAI, and Google, security teams can assess the level of transparency and detail provided by each vendor.

Implications for Enterprise Risk

The granular vendor disclosures provided by Anthropic and other AI developers highlight the importance of understanding the specific risks associated with prompt injection attacks. By analyzing attack success rates, persistence scaling data, and safeguard configurations, security leaders can better assess the risks and make informed decisions when deploying AI systems.

It is essential for security teams to consider the surface-level differences that determine enterprise risk when evaluating AI systems. By understanding the attack success rates and vulnerabilities associated with different agent surfaces, organizations can better protect themselves from potential threats.

Conclusion

In conclusion, prompt injection attacks pose a significant risk to AI systems, and it is crucial for security leaders to carefully evaluate the risks and safeguard configurations provided by vendors. By understanding the specific vulnerabilities associated with different agent surfaces and attack persistence scaling, organizations can enhance their security posture and mitigate potential threats effectively.

For security teams, the key takeaway is to prioritize architectural measures that limit an agent’s access, control its action space, and require human approval for high-risk operations. By implementing these safeguards, organizations can reduce the likelihood of successful prompt injection attacks and protect their AI systems from malicious actors.