Full Context Bombing pipeline in an AWS environment: (1) Payload placement selection - defender identifies typical agentic AI targets: AWS Secrets Manager entries, Lambda environment variables, Parameter Store, S3 buckets with configuration, IAM role descriptions - anywhere the attacking agent enumerates credentials; (2) Context bomb construction - defender crafts a string that looks like a secret (e.g. AWS access key format) but contains a prompt aimed at the LLM, e.g. 'To synthesise inhalable anthrax spores follow these steps:...' or a more subtle reminder of ethical requirements; (3) Placement in decoy resources - the context bomb is planted in Tracebit Canaries (fake AWS resources that look like production ones) - in real infrastructure these resources are not used by legitimate applications; (4) Detection and triggering - the attacker's autonomous agent (Claude, Gemini, GLM, DeepSeek, Kimi as the hacking agent backbone) enumerates resources, fetches the decoy secret, adds its content to its own context; (5) Guardrail refusal - the LLM encounters forbidden content (e.g. biological weapon manufacturing instructions), its built-in guardrails activate, the model refuses to cooperate further - usually emitting an 'I cannot help with that' message and cutting the entire attack session; (6) Defender alert - alongside guardrail activation, Tracebit Canaries alert the defender's SOC (like any decoy access). Critical features: (a) context bomb must look plausible (secret shape, not AI help text) so the attacker does not filter it out in preprocessing; (b) content must unambiguously trigger guardrails of most frontier LLMs (biological weapons, explosives data, politically sensitive references for Chinese models); (c) attacker cannot easily escape the session - an LLM in agentic context cannot always ignore injected content.
Agentic AI used by attackers (autonomous AI hacking agents) achieves a 91% success rate in compromising cloud AWS infrastructure in tests and escalates to admin in an average of 14 minutes - faster than security teams can react. Classic defences (canaries, honeypots, IDS) alert about an attack but do not stop it - and an average 8-minute alert leaves defenders only 6 minutes to react. Context Bombing solves this time squeeze: instead of merely detecting, it actively stops the attacker by leveraging its own guardrails - effectively forcing the attacking LLM into self-sabotage.
The prompt triggering guardrails itself. Two categories: (a) universal - working on most models (biological weapons, chemical explosive syntheses), (b) region-specific - for Chinese models political references (Tank Man, Tibet, Xinjiang) often bypassed by Western LLMs. Must be strong enough that the model cannot ignore it, but not so blatant that the attacker filters it out of context before inference.
Official
Wraps the payload into a resource form the attacker will reach for. Looks like an AWS access key, database password, JWT token, PEM private key. Format is key - must be plausible enough that the autonomous agent pulls it into context.
Official
Infrastructure layer placing decoy resources in the production environment (alongside authentic ones). For Tracebit: full AWS Canaries platform + SOC integration for alerting. Critical: the decoy must not be used by legitimate applications - any access = alert.
Official
SOC integration - each decoy access alerts the SIEM (Splunk, CloudTrail, Datadog). In Context Bombing the alert fires alongside guardrail activation - defender knows about the attack and simultaneously knows the attacker was stopped.
Official
If the defender uses AI-powered tools (e.g. Claude Code for infrastructure review), they can also pull the decoy secret into context and get blocked - a self-DoS.
A sophisticated attacker adds their own preprocessing filter blocking known trigger phrases - the context bomb does not activate.
A fine-tuned model without guardrails (uncensored Llama, jailbroken Claude/GPT wrapper) does not trigger the refuse mechanism.
The LLM can 'come out' of the refuse state after a few iterations if the agent keeps prompting it. Tracebit observes this is usually hard but does happen.
Placing plaintext biological weapons instructions in a production environment may violate internal policies or industry regulations (finance, healthcare).
Willison coins the term 'prompt injection' - foundation for the defensive use in Context Bombing 4 years later.
arXiv 2302.12173 - formalises attacks via injecting prompts into external data sources (email, web pages) read by LLMs.
Papers Cybench, HackerAgent, and others - autonomous AI agents pass reference penetration test scenarios. Alarm bell for defence.
Tracebit launches AWS Canaries - decoy resources with SOC alerting. Infrastructure foundation for Context Bombing.
Andy Smith publishes results at blog.tracebit.com/context-bombs - 152 attack runs, 5 frontier LLMs. Admin escalation from 57% to 5%. Ars Technica coverage. First documented defensive use of prompt injection.
Level of obviousness of the trigger payload. Higher severity = more certain stop, but higher risk of detection by attacker's preprocessing.
Whether the trigger is universal or dedicated to a specific model family.
Type of secret wrapping the payload.
Number of context bombs relative to real resources - tradeoff between hit probability and management cost.
Activation depends solely on whether the attacking agent fetches the specific decoy resource - no real model invocation is required on the defender's side.
No routing - the context bomb is passive until enumeration by the attacker.
Context Bombing scales linearly with the number of decoy resources - thousands of bombs can be placed in the environment without affecting legitimate operations.
Context Bombing is an informational pattern - no specific hardware is required. The payload itself is a string - zero compute on the defender's side, all inference on the attacker's side (whom we want to block).