Across a meta-analysis of 78 studies, prompt injection lands 50-84% of the time on common LLMs, climbs past 85% with adaptive attacks, and reaches 97.6% with composite multi-strategy chains. Naive deployments fail above 90%. The best published layered defense cuts attack success from 73.2% to 8.7% while keeping 94.3% of task performance, but input preprocessing alone only catches 60-80% and architectural defenses leave big gaps on novel vectors. On the agent surface, roughly 40% of protocols are exploitable and 60% of browser-agent scenarios are vulnerable. Treat injection as a residual-risk number you measure, not a checkbox you tick.
Ship a prompt injection defense, run a quick test, watch it block the obvious attacks, and you have just bought yourself a false sense of security. The benchmarks are blunt about what actually happens next: across a 2026 meta-analysis of 78 studies, prompt injection still lands 50 to 84 percent of the time against common LLMs, and adaptive attacks that iterate against your specific model push past 85 percent. Composite, multi-strategy chains reach 97.6 percent. Those are not numbers against toy models. They are the success rates against frontier models running standard system-prompt defenses.
The gap between "we deployed a guardrail" and "we reduced our risk" is where most teams are quietly exposed. A defense that catches the screenshot-worthy attacks in a demo can still let four out of five real attempts through, and on the agent surface, where the model does not just talk but acts, the consequences scale from embarrassing text to data exfiltration and unauthorized tool calls. Roughly 40 percent of agent protocols are exploitable via injection, and browser agents fail in about 60 percent of tested scenarios.
This is a data analysis, not a sales pitch for a silver bullet, because there isn't one. I'll walk through the attack-success numbers, what defenses actually buy you, why input filtering alone is a trap, where the agent surface breaks, and how to measure residual risk instead of treating injection as a solved checkbox. The thesis is simple: defense-in-depth with quantified expectations beats any single control, and the only honest output of a prompt injection program is a residual-risk percentage, not a green check.
The False Sense of Security: Shipping a Defense Isn't Closing the Problem
The most dangerous moment in a prompt injection program is the week after you ship your first defense. You ran the OWASP-flavored test prompts, the model refused the obvious "ignore your instructions" attacks, and the dashboard turned green. The problem is that the test set you used is the test set the defense was implicitly tuned against. Real attackers do not send the payloads in your test suite.
Across systems we've reviewed, the recurring pattern is binary thinking: injection is treated as a vulnerability you either have or you don't, the way you'd think about a missing auth check. But injection is not a bug with a patch. It is a structural property of how LLMs work. The model reads instructions and data through the same channel, and there is no parameterized-query equivalent that cleanly separates them. That means every defense is probabilistic, and the right question is never "are we protected" but "what fraction of attacks still get through, and what do those attacks cost us."
The numbers force the issue. Naive deployments, meaning a model with a system prompt and nothing else, fail above 90 percent. Add standard guardrails and you are still in the 50 to 84 percent band against non-adaptive attacks. The defense moved the number. It did not close the gap. Anyone reporting prompt injection as "handled" without a residual-success percentage is reporting a feeling, not a measurement. Our deeper guide on how to protect your AI system from prompt injection attacks covers the control set; this post is about being honest with the scoreboard.
Attack Success Rates: 50-84% Baseline, >85% Adaptive, Up to 97.6% Composite
Start with the headline distribution. The 2026 meta-analysis spanning 78 studies from 2021 through 2026 (arXiv 2511.15759) gives the cleanest aggregate picture published so far. Here is how attack success rate moves as the attacker invests more effort and the defense gets weaker.
Three things matter in that table. First, the baseline band is wide (50 to 84 percent) because model and defense quality vary, but even the floor of that band means half of unsophisticated attacks succeed. Second, adaptivity is the multiplier that matters. The jump from baseline to >85 percent is not about a smarter model on the attacker's side; it is about iteration. An attacker who can observe your model's responses and refine payloads will beat a static defense almost every time. Third, composite attacks at 97.6 percent show the ceiling: when an attacker combines obfuscation, indirect delivery, and persona manipulation, defenses tuned against any single vector fold.
The AttackEval work (arXiv 2604.03598) reinforces the adaptivity point by scoring attack effectiveness as a graded metric rather than a binary, which is the right framing. Injection is not "blocked" or "succeeded" at the population level. It is a distribution, and the tail that gets through is the part that hurts. A defense that drops mean success from 80 percent to 30 percent has done real work, and is still leaving roughly one in three attacks live.
Why Adaptive Attacks Break Static Defenses
Static defenses, including most off-the-shelf detectors, recognize patterns they have seen. Adaptive attacks exist specifically to avoid those patterns. The attacker changes encoding (base64, homoglyphs, zero-width characters), reframes the instruction as a hypothetical or a translation task, or splits the payload across multiple messages or documents. Each variation is cheap to generate, and the model only has to be fooled once. This asymmetry, unbounded attack space versus finite defense patterns, is why the adaptive number sits above 85 percent and why no input-only approach reaches it.
| Scenario | Attack success rate | What it means |
|---|---|---|
| Naive deployment (no guardrails) | >90% | System prompt only, no detection or isolation |
| Baseline attack vs common LLMs | 50-84% | Standard defenses, non-adaptive payloads |
| Adaptive attack (tuned to the target) | >85% | Attacker iterates against the specific model + defenses |
| Composite multi-strategy chains | up to 97.6% | Stacked techniques: encoding + role-play + indirect |
Defense Effectiveness: A Layered Framework Cuts 73.2% to 8.7%
The pessimism above is not the whole story. Layered defense works, and there is benchmark evidence to prove it. The strongest published layered framework cuts attack success from 73.2 percent down to 8.7 percent while retaining 94.3 percent of baseline task performance. That last clause is the one most teams miss: a defense that blocks everything by mangling legitimate inputs is not a defense, it is an outage. Holding 94.3 percent task performance while taking attack success below 9 percent is the bar to beat.
Read that table as a progression, not a menu. Input preprocessing alone catches 60 to 80 percent, which sounds decent until you remember it means 20 to 40 percent of attacks still land. Architectural defenses (isolating untrusted content, separating the planning model from the tool-executing context, dual-LLM patterns where one model never sees raw untrusted input) reach up to 95 percent on known patterns but collapse on vectors they were never designed for. Only when you stack detection, architecture, and output validation does the residual drop to single digits.
The mechanism is independence. Each layer catches a different slice of the attack distribution, and the slices it misses are partly covered by the next layer. If input filtering misses an encoded payload, architectural isolation may prevent it from reaching a tool. If both miss, output validation may catch the exfiltration attempt before it leaves. The 8.7 percent residual is what survives all three. That is the number to put on your dashboard, and the number to drive down with the next layer. This is the same defense-in-depth logic that underpins our MCP server security hardening checklist: no single control is trusted, and authorization sits at the action boundary.
| Defense approach | Attack success after | Task performance retained | Failure mode |
|---|---|---|---|
| None (naive) | >90% | 100% | Everything gets through |
| Input preprocessing only | 60-80% caught (20-40% still land) | high | Misses novel and encoded vectors |
| Architectural defenses | up to 95% caught on known patterns | varies | Big gaps on novel vectors |
| Layered framework (stacked) | 8.7% success | 94.3% | Residual tail of adaptive attacks |
Input Preprocessing vs Architectural Defenses: Where Each One Fails
These two categories get conflated constantly, and they fail in different ways, so it is worth pulling them apart.
Input Preprocessing and Detection
Input preprocessing means inspecting content before it reaches the model: classifier-based injection detectors, regex and heuristic scanners, perplexity checks, delimiter sanitization, and instruction-stripping. Benchmarks put detection in the 60 to 80 percent range. The strength is cost and speed; a scanner runs in milliseconds and stops the long tail of low-effort attacks. The weakness is that it is a pattern matcher against an unbounded input space. Encoding, paraphrase, and indirect delivery defeat it, and adaptive attackers treat the detector as a target to evade. Use it as the cheap first layer, never as the last word.
Architectural Defenses
Architectural defenses change the structure so that untrusted content cannot directly instruct the privileged path. Patterns include the dual-LLM design (a quarantined model processes untrusted data and returns structured results, while the privileged model never sees raw input), capability separation (the model can request actions but a deterministic layer authorizes them), and context isolation (untrusted retrieved content is fenced and labeled so the model treats it as data). These reach up to 95 percent on known patterns because they remove the direct instruction channel. They fail on novel vectors that exploit the structure itself, for example an injection that manipulates the quarantined model's structured output to smuggle an instruction downstream. Architecture is more robust than filtering but is not a ceiling either, which is exactly why the layered stack outperforms any single category. The practical rule: input preprocessing reduces volume, architecture reduces blast radius, and output validation reduces leakage. You need all three because each one fails on inputs the others catch.
The Agent Surface: ~40% of Protocols Exploitable, ~60% of Browser Agents Vulnerable
Everything above gets worse when the model stops talking and starts acting. Agent benchmarks (drawing on arXiv 2601.17548 and related agent-security work) report that roughly 40 percent of agent protocols are exploitable via injection, and browser agents are vulnerable in about 60 percent of tested scenarios. The reason is mechanical: agents ingest untrusted content (a web page, a PDF, an email, a tool result) and then take actions based on it. The injection payload arrives inside the data the agent was asked to process, which is precisely the content the model is supposed to act on.
A chatbot that gets injected produces bad text, which is bad but bounded. An agent that gets injected can call tools, send messages, write to a database, or exfiltrate data through a tool that has network access. The same 85-percent-plus adaptive success rate now maps onto real-world consequences instead of just unwanted output. Browser agents are the worst case because the entire web is the input surface, and an attacker only needs to control one page the agent visits.
This is why agent security cannot rely on input filtering. The defining control is privilege separation: the agent proposes actions, and a deterministic authorization layer decides whether each tool call is allowed, scoped, and within policy, regardless of what the model "decided." High-impact actions (sending money, deleting data, emailing externally) get an explicit gate, human or policy-driven. We unpack the action-boundary controls in depth in our analysis of healthcare AI attack vectors that HIPAA doesn't cover, where an injected agent acting on patient data is not a hypothetical risk but a compliance and safety failure.
Indirect Injection Is the Agent-Native Threat
Direct injection (the user types a malicious prompt) is the easy case. The agent-native threat is indirect injection: the payload lives in third-party content the agent retrieves, and the legitimate user never sees it. A poisoned search result, a comment on a web page, a hidden instruction in a document, all of these become attack vectors the moment an agent reads them and acts. Indirect injection is why the agent numbers are so much worse than the chatbot numbers, and why "we sanitize user input" is not a meaningful defense for an agent. The dangerous input is not coming from the user.
Measuring Residual Risk Instead of Treating Injection as a Solved Checkbox
The throughline of every number above is that injection is a residual-risk problem. So measure the residual. Here is the practitioner methodology that follows directly from the data.
Build a red-team eval set, run it against your full deployed stack, and report attack success rate as a percentage. Not pass/fail, a percentage, because that is the unit injection actually lives in. The set should include direct injections, indirect injections embedded in retrieved or browsed content, encoded and obfuscated variants, and at least one adaptive round where you tune payloads against your specific defenses rather than using static templates. Track success rate alongside task performance, because the 94.3 percent figure exists to remind you that over-filtering destroys utility.
A defensible target, anchored to the best published layered framework, is single-digit residual success (aim for under 9 percent, matching the 8.7 percent benchmark) with task performance above 90 percent. If your residual is sitting at 30 or 40 percent, you have one layer, not a stack, and you know exactly where to invest. If your residual is near zero but task performance has cratered, your filter is too aggressive and users will route around it.
Re-run the eval on every change that shifts the surface: a model swap, a system-prompt edit, a new tool added to an agent, a new data source it retrieves from. Each one moves the number. Treating the eval as a one-time gate is how teams ship a defense in Q1 and quietly regress by Q2 without noticing. This is the same evals-as-a-living-asset discipline we apply across our AI security work; the difference for injection is that the metric is adversarial, so your eval set has to grow as attack techniques do. For broader guidance on protecting the data an injected system could leak, see how to secure AI systems handling sensitive data.
What a Residual-Risk Dashboard Looks Like
The output of a mature injection program is a small set of tracked numbers, reviewed on every release: If you cannot fill in those four numbers, you do not have a measured defense. You have a checkbox.
- Residual attack success rate on the red-team eval, broken out by direct vs indirect vs adaptive.
- Task performance retention versus an undefended baseline, so you can see the utility cost of each layer.
- High-impact action coverage: the percentage of dangerous tool calls that pass through an explicit authorization gate (target 100 percent).
- Eval freshness: when the payload set was last expanded with new techniques.
Practitioner Takeaway: Defense-in-Depth With Quantified Expectations
The data lands on one recommendation: layer your defenses and quantify what each layer buys you. No single control gets you safe. Input preprocessing catches 60 to 80 percent and misses everything novel. Architectural isolation reaches 95 percent on known patterns and fails on the unknown. Only the stack, detection plus architecture plus output validation plus action-level authorization, takes residual success to single digits while keeping task performance above 90 percent.
Set expectations honestly with whoever owns the risk. Adaptive attacks still win past 85 percent against defended models, composite chains hit 97.6 percent, and 40 percent of agent protocols are exploitable. Those are not numbers to hide in an appendix; they are the reason your defense exists and the baseline you are improving against. The win condition is not zero. It is a measured, single-digit residual with the high-impact actions gated.
For agent systems specifically, prioritize privilege separation over input cleverness. The model will be injected eventually; the question is whether an injected model can do anything that matters. If every high-impact tool call passes through a deterministic authorization layer, an injection that gets past your filters still cannot move money or exfiltrate data without tripping a gate. That structural control is worth more than any detector.
At Particula Tech, when we assess an agent stack for injection exposure, the deliverable is a residual-risk number and a prioritized layer plan, not a "you're protected" sign-off, because the benchmarks make that sign-off impossible to write honestly. Prompt injection is a managed risk in 2026, the way SQL injection was before parameterized queries, except injection against LLMs has no parameterized-query equivalent yet, because instructions and data still share one channel. Until that changes, the right posture is defense-in-depth, quantified expectations, and a residual percentage you watch like an SLO. If you treat it as solved, the benchmarks have already told you how that ends: at least 85 percent of the time, the attacker wins.
Frequently Asked Questions
Quick answers to common questions about this topic
Across a 2026 meta-analysis of 78 studies, baseline prompt injection succeeds 50-84% of the time on common LLMs with no special tuning. Adaptive attacks, where the attacker iterates against the specific model and its defenses, push success past 85%. Naive deployments with no guardrails fail above 90%, and composite multi-strategy chains reach 97.6%. These are not edge cases against weak models. They are the headline numbers against frontier models with standard system-prompt defenses. The practical takeaway is that no single defense gets you to zero, so you should design assuming some injections will land and measure your residual exposure directly.
