Researchers from Tracebit said on Monday they discovered a defensive technique called context bombing, which plants prompt injections—forbidden commands that trigger AI safety guardrails—alongside secrets stored on AWS to block attacks from AI agents. When the attacking model encounters these prompts, it stops following its original instructions and refuses to continue.
Tracebit tested context bombing across five leading models (Opus 4.8, Gemini 3.1 Pro, GLM 5.2, DeepSeek 4 Pro, and Kimi 2.6) in a simulated AWS environment using 152 attack runs. Results showed that placing a context bomb in a decoy secret cut the rate at which agents seized full admin access from 57% to 5%, and complete compromise from 36% to 1%. Opus 4.8, the most capable agent tested, achieved admin access in 93% of runs without the defense but failed in every attempt when confronted with a context bomb.