Slide 6 of 28
Slide 6 · The Attackers
Who uses prompt injection, and what do they want?
The barrier to entry is low. All you need is a text box and patience.
🧪
The Tester / Script Kiddie
Low skill · High curiosity
Tries jailbreak prompts found online to see what happens. Not always malicious — but their testing reveals what's exploitable. Lakera's public Gandalf demo has logged millions of adversarial attempts, building a real training dataset of what people actually try.
🕵️
The Data Thief
Targeted · Patient
Wants PII, customer records, internal documents, credentials. Uses indirect injection — hides instructions in content the AI will read. This is exactly what EchoLeak did: a crafted email caused Copilot to silently exfiltrate the victim's entire M365 environment.
🏢
The Competitor
Corporate espionage
Wants to extract your system prompt, reverse-engineer your AI's behavior, or poison your RAG knowledge base to degrade your product. In January 2025, researchers demonstrated injecting a document into an enterprise RAG system to leak proprietary data and disable safety filters.
💻
The Supply Chain Attacker
Developer-focused
Targets AI coding assistants. CVE-2025-53773: the attacker plants invisible Unicode instructions in a GitHub repo's README or source files. The developer's Copilot reads the file, follows the hidden instructions, and achieves RCE on the developer's machine. Wormable through shared Git repos.
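As an added example, not part of the slide deck and not tied to any detail of CVE-2025-53773 beyond the hiding technique it names, a small defender-side scanner that flags invisible and direction-control Unicode code points in repository text and recovers what an assistant would have read; the sample README is constructed.

```python
# Added example (not from the slide deck): flag invisible or bidi-control
# Unicode code points in repo text files, the hiding technique the Supply
# Chain Attacker persona relies on. Ranges are standard Unicode facts;
# the sample README below is constructed for the demonstration.
import unicodedata

# "Tag" characters (U+E0000..U+E007F) render as nothing in most editors yet
# are consumed as text by an LLM; zero-width and bidi controls likewise.
INVISIBLE_RANGES = [
    (0xE0000, 0xE007F),  # TAG characters
    (0x200B, 0x200F),    # ZWSP, ZWNJ, ZWJ, LRM, RLM
    (0x2028, 0x202E),    # line/para separators, bidi embeddings and overrides
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFEFF, 0xFEFF),    # zero-width no-break space (BOM when mid-file)
]

def is_invisible(ch):
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)

def scan_text(text):
    """Return findings as (line_no, col, codepoint_hex, unicode_name)."""
    findings = []
    for ln, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                name = unicodedata.name(ch, "UNKNOWN")
                findings.append((ln, col, f"U+{ord(ch):04X}", name))
    return findings

def decode_tag_run(text):
    """Tag characters map printable ASCII onto U+E0000 + byte; recover the
    hidden ASCII so a reviewer can see what the assistant would have read."""
    return "".join(chr(ord(c) - 0xE0000) for c in text
                   if 0xE0020 <= ord(c) <= 0xE007E)

# Constructed sample README: the visible text is benign, line 3 carries a
# placeholder payload encoded entirely in TAG characters.
HIDDEN = "".join(chr(0xE0000 + ord(c)) for c in "hidden instruction")
SAMPLE_README = "# my-lib\n\nInstall with pip." + HIDDEN + "\n"

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_README):
        print(finding)
    print("hidden text:", decode_tag_run(SAMPLE_README))
```

Run the scanner over any file an AI assistant will ingest (README, source, CI config); a single finding is enough to block the review.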
💰
The Financial Attacker
High incentive · Creative
Targets AI systems that control money. Freysa AI (November 2024): p0pular.eth used prompt injection to redefine the AI agent's own function meanings at runtime — causing an AI explicitly programmed to never transfer funds to transfer $47,000 in cryptocurrency.
Scale in 2025

~3,000 U.S. companies running AI agents were averaging ~1.3 prompt injection or agent abuse incidents per day in 2025. Confirmed AI-related security breaches jumped 49% in one year to an estimated 16,200 incidents.
