Your Agent's Exfil Paths, Mapped to MITRE ATLAS
AI-generated illustration

Your Agent's Exfil Paths, Mapped to MITRE ATLAS

Indirect prompt injection to data exfiltration is a real, chainable path in MITRE ATLAS.

Exploitable. An AI agent that reads untrusted text and can reach the network has a working exfiltration path — MITRE ATLAS maps it from indirect prompt injection (AML.T0051.001) through collection to exfiltration via cyber means (AML.T0025). The guardrails that shrink blast radius cut egress and tool scope; prompt-scanning filters are mostly theatre.

The Weights Desk · 5 min read

Verdict: exploitable — and most prompt filters are theatre

Here is the problem in your words: your agent reads text you do not control — a web page, a PDF, a ticket, a tool's JSON response — and it can call tools that reach the network. That is an exfiltration path. Not a hypothetical. MITRE ATLAS, the adversary-technique knowledge base for AI systems, names every hop. The verdict is exploitable. And the guardrails split cleanly. The ones that cut the egress channel shrink your blast radius. The ones that scan the incoming prompt for 'ignore previous instructions' are theatre.

The exfil chain, mapped to ATLAS

Walk the chain. Untrusted content carries an instruction — that is Indirect LLM Prompt Injection, AML.T0051.001 in ATLAS. The agent obeys, then reaches for data: AI Artifact Collection (AML.T0035) and Data from Information Repositories (AML.T0036), meaning your RAG store and internal wikis. Then it ships. The cheapest exit is a beaconing markdown image: the model renders an image tag pointed at attacker.example, the client auto-fetches it, and the secret rides out in the query string. ATLAS files that under Exfiltration via Cyber Means, AML.T0025. Model-theft variants — membership inference, model inversion, extraction — sit under Exfiltration via AI Inference API (AML.T0024). ATLAS is explicit that injection is the enabling primitive, not the payload; the payload is the data leaving.

Guardrails that shrink blast radius — and the ones that don't

Rank them by blast radius, not vibes. One: egress allowlisting. If the tool sandbox cannot reach arbitrary hosts, AML.T0025 loses its channel even after a clean injection. Two: disable auto-fetch of remote images in the render surface — that kills the markdown beacon outright. Three: least-privilege tools plus human confirmation on consequential actions (send, POST, write) — the agent proposes, a human commits. Four: treat retrieved text as data, never instructions; quarantined dual-LLM patterns enforce that structurally. Five: DLP scanning on egress to catch secrets on the way out. Now the honest caveat, because you asked. Input classifiers that hunt for injection strings are bypassable — base64, translation, novel phrasing — and worse, they manufacture false confidence. OWASP still ranks prompt injection its number-one LLM risk (LLM01:2025); the class is not solved. And ATLAS is a map, not a control catalog — mapping a technique to your system is triage, not mitigation. The dual-LLM architectures are the most promising structural fix I have seen, but they are untested at fleet scale in production. Use egress and least-privilege controls today. Skip the prompt-scanning theatre. Wait before you trust any single vendor 'guardrail' as the answer.

Does mapping my agent to MITRE ATLAS make it secure?
No. ATLAS is a taxonomy of adversary techniques, not a control catalog. It confirms the exfiltration path exists; it does not confirm your config closed it. Mapping is triage, not mitigation.
Are prompt-injection input filters worth deploying?
Thinly, as defense in depth. They are bypassable via encoding, translation, and novel phrasing, and they manufacture false confidence. Spend the budget on egress control and least-privilege tools instead.
What single control shrinks blast radius most?
Egress allowlisting. If the agent's sandbox cannot reach arbitrary outbound hosts, Exfiltration via Cyber Means (AML.T0025) loses its channel even after a successful injection.
  1. MITRE ATLAS — Adversarial Threat Landscape for AI Systems — MITRE
  2. OWASP Top 10 for LLM Applications — LLM01:2025 Prompt Injection — OWASP GenAI Security Project