Posts

TL;DR (Executive Summary) The Core Flaw: AI systems cannot distinguish between developer instructions and untrusted data - a “trust boundary violation” that makes prompt injection possible. The Norwegian Context: As Norway’s tech sector rapidly adopts AI, we must move beyond traditional security to address “logic hacking” and probabilistic risks. Key Attacks: Spanning Direct Prompt Injection, Jailbreaking & Jailbreak templates (like DAN/AIM), Context Window Overloading and the multi-turn Crescendo attack, as well as stealthy Indirect Prompt Injection & Markdown Exfiltration. The Solution: A Defence-in-Depth approach featuring Spotlighting, Input/Output filtering, and Automated Scoring A Note on Perspective In 2025 I relocated to Norway to lead the offensive security testing function at Miles. My background is rooted in 13+ years of professional penetration testing and red teaming within the UK finance sector - one of the most heavily regulated and mature security environments in the world. ...

Note: I originally wrote this post back in 2017 during my time at Context Information Security. It gained a second life in 2021 when Mubix (Rob Fuller) featured it in a Hak5 video, which prompted me to update the content. Now that the original site is archived, I have migrated the post here - with some minor formatting cleanups - to consolidate my work in one place. You can view the original archive here. ...