Independent reference. We are independent of every vendor listed. No affiliate links. No sponsored placements.
Threat model

Indirect Prompt Injection: Payloads From Documents, URLs and Tool Output

The variant that travels inside content the LLM reads rather than what the user types. Documented as a serious risk class since the Greshake et al. 2023 paper.

LLM01
OWASP class
RAG
Primary attack surface
Tools
Secondary attack surface
7
Vendors with named coverage
LLM-integrated applications blur the line between data and instructions, allowing adversaries to remotely affect other users' systems.
Greshake et al., More than you've asked for, ACM AISec 2023

Where the payload lives

RAG corpus

Any source the retriever can index: PDFs, public webpages, ticketing-system attachments, wiki pages. Hidden text and zero-width characters travel through cleanly.

Tool output

Anything an agent reads: search results, email bodies, code-search returns, CRM record notes. Attackers control these surfaces when the agent reaches outside the firewall.

Vendor coverage on indirect

VendorLLM01LLM02LLM03LLM04LLM05LLM06LLM07LLM08LLM09LLM10
Bedrock Guardrails
Model Armor
Azure Prompt Shields
Lakera
Prisma AIRS
CalypsoAI
Pillar

Coverage shown is for LLM01 prompt injection (which subsumes indirect) and adjacent vectors. Indirect-specific filters are an emerging category, not all vendors break it out.

Defensive controls

  • Sanitise content before it enters the model context (strip zero-width chars, normalise unicode).
  • Run a runtime guardrail on retrieved content, not just user input.
  • Limit tool authority: read-only by default, write actions behind a human-in-the-loop.
  • Add provenance metadata to every retrieved chunk for downstream attribution.

See /agentic-ai-security for the agent / tool-call variant in depth, and /prompt-injection-examples for concrete indirect payloads.

Last verified June 2026Source: vendor pricing pages. See /methodology.