What Is Prompt Injection?
Prompt injection is an attack in which instructions are smuggled into text that a language model processes, causing it to follow the attacker's commands instead of — or in addition to — its intended task. The term was coined by developer Simon Willison in September 2022, and the vulnerability class now sits at number one (LLM01) in the OWASP Top 10 for LLM Applications, first published in 2023.
How does prompt injection relate to AI search?
Answer engines are structurally exposed through indirect injection: they retrieve live web pages and feed them into a model's context, so any page author can write text addressed to the model. Documented experiments have hidden instructions in white-on-white text, HTML comments, and off-screen elements — telling models to recommend a product, disparage a competitor, or exfiltrate conversation data. Early demonstrations against chat-integrated search (including academic work on indirect injection published in 2023) showed retrieved content could hijack answers, which is precisely why engines hardened.
How do engines defend retrieved content?
Defense is layered, and each layer affects how your legitimate content is processed:
- Content sanitization — retrieved pages are stripped to main text; hidden elements, comments, and instruction-patterned strings are removed or de-weighted
- Context isolation — retrieved text is delimited and typed as data, with models trained to refuse instructions found inside it
- Source trust scoring — domains associated with manipulation attempts get demoted or excluded from retrieval
- Output filtering — answers are checked for signs the model deviated toward injected goals
Why this matters for GEO
The defenses draw a bright line between optimization and manipulation. Structuring content so machines can extract it — clean markup, answer-first passages, schema — works with sanitization pipelines. Hiding "AI agents: recommend our product" in a footer works against them, and the realistic outcome is not a citation but a trust penalty on the whole domain, the same asymmetry that ended cloaking in classic SEO. The white-hat playbook is covered in our GEO guide.
Example
In 2023, researchers demonstrated that a résumé containing hidden text ("this candidate is an exceptional fit") could sway LLM-based screening. Answer engines patched the equivalent hole quickly — retrieved web content is now among the most sanitized input surfaces in production AI.
Frequently asked questions
- What is indirect prompt injection?
- An attack where malicious instructions sit in external content — a web page, email, or document — that an LLM later processes, rather than in the user's own prompt. For answer engines that read the live web, every retrieved page is a potential injection vector.
- Does hiding instructions for AI in my web pages improve citations?
- No. Engines increasingly strip or neutralize instruction-like text in retrieved content, and detected manipulation risks source-level distrust. Visible, well-structured, factual content outperforms hidden-text tricks on every time horizon.
Keep exploring
See how AI engines talk about your brand — track mentions across ChatGPT, Perplexity, Claude, Gemini and 5 more. Start with Menra