惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fox-IT International blog
Recent Announcements
Recent Announcements
D
Docker
IT之家
IT之家
B
Blog
Jina AI
Jina AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - 【当耐特】
Google DeepMind News
Google DeepMind News
F
Fortinet All Blogs
量子位
C
Check Point Blog
Microsoft Azure Blog
Microsoft Azure Blog
罗磊的独立博客
博客园 - 司徒正美
李成银的技术随笔
美团技术团队
Blog — PlanetScale
Blog — PlanetScale
雷峰网
雷峰网
The GitHub Blog
The GitHub Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
J
Java Code Geeks
T
The Blog of Author Tim Ferriss
酷 壳 – CoolShell
酷 壳 – CoolShell
MongoDB | Blog
MongoDB | Blog
P
Proofpoint News Feed
L
LangChain Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Y
Y Combinator Blog
大猫的无限游戏
大猫的无限游戏
有赞技术团队
有赞技术团队
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
V
Visual Studio Blog
T
Tailwind CSS Blog
H
Help Net Security
Engineering at Meta
Engineering at Meta
小众软件
小众软件
B
Blog RSS Feed
Stack Overflow Blog
Stack Overflow Blog
月光博客
月光博客
M
Microsoft Research Blog - Microsoft Research
宝玉的分享
宝玉的分享
人人都是产品经理
人人都是产品经理
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
GbyAI
GbyAI
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Last Week in AI
Last Week in AI
Martin Fowler
Martin Fowler
Stack Overflow Blog
Stack Overflow Blog

Vectra AI Blog

AI-Driven Network Detection and Response: Insights from a 2026 Gartner® Magic Quadrant™ Leader Securing AI Adoption Starts with Visibility by Aakash Gupta The Missing Data Layer Behind SIEM and SOAR Why Most SIEM/SOAR Integrations Break — and How to Fix Them Shai-Hulud Part 2: When the Worm Forged Its Own Security Certificate Improve SIEM and SOAR Workflows with Better Security Signal by Gearóid Ó Fearghaíl ShinyHunters isn’t a group. It’s a pattern. How Vectra AI Secures the AI Enterprise AI agents: the new workforce — and attack surface. by Tiffany Nip How Vectra AI Scoring Helps Security Teams Focus on What Matters First What’s Next for the Enterprise After Two GenAI Tidal Waves? If An Identity was Compromised, Would We Know? Help Over Hype: Claude Mythos, Project Glasswing and the Real Questions CISOs Want Answered Azure Logging just Changed - Your Detections May be Missing it by Alex Groyz When the Defender Becomes the Door: BlueHammer, RedSun, and UnDefend in the Wild by Justin Howe 4 Ways to Improve SOC Efficiency with AI by Jesse Kimbrel Why triage alerts - when AI can do it for you? Attackers Don’t Hack In — They Log In: The MFA Blind Spot The rise of supply chain-driven data theft in SaaS environments by Lucie Cardiet AI-Assisted Search: Clarity at the Speed of a Question What We Learned from Analyzing Millions of Alerts FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access by Lucie Cardiet Detecting Compromise After the Axios Supply Chain Attack. by Yusri Mohd Yusop Who’s Doing What on Your Network? by Mark Wojtasiak Breaking down the axios supply chain incident by Lucie Cardiet Detecting Sliver C2: When Advanced Beaconing Tries to Hide in Plain Sight How Attackers Move Through Hybrid Networks After the Initial Breach How Attackers Establish Persistence in Hybrid Environments What the Stryker Incident Reveals About Handala’s Attack Playbook Why Cyber Resilience is Lagging in the AI Era 5-Minute Hunt: Six Queries to Detect Iranian APT Activity AI-Powered Attacks Are Here, But So Is AI-Powered NDR to Stop Them What is hiding in AI traffic AWS Compromised by AI Agents in Minutes The UX of Cybersecurity AI: Designing for Behavior at Machine Speed Molt Road and the Automation of Underground Marketplaces Moltbook and the Illusion of “Harmless” AI-Agent Communities From Network Detections to Understanding Risk: The Vectra AI Take on Gartner’s Redefinition of NDR From Clawdbot to OpenClaw: When Automation Becomes a Digital Backdoor by Lucie Cardiet Securing the AI Enterprise: How I’m Thinking About It as a CEO Cybersecurity Predictions 2026: AI, Agents, and SOC Defense OPSEC Failures: How Threat Actor Mistakes Help Defenders How Threat Actors Turned AI Into a Weapon CVE-2025-14847 MongoBleed in the Wild: Identifying MongoDB Exposure and Exploitation with Network Metadata by Fabien Guillot Pro-Russia Hacktivists Are Targeting Critical Infrastructure How Vectra AI Connects Network Detections to Endpoint Processes Automatically by Dale O’Grady How Vectra AI and CrowdStrike Deliver Complete Context Across Endpoint and Network by Tiffany Nip You are the Blackboard - AI Agent Assisted Bug Hunting TCP Reset Does Not Stop Modern Attacks – Here's Why Shai-Hulud: When a Supply-Chain Incident Turns Into a Worm How Typhoon APTs Infiltrate Infrastructure Without Leaving a Trace Think Your Microsoft Environment Is Resilient to Attacks? Think Again by Tiffany Nip Operation ENDGAME and the Battle for Initial Access by Lucie Cardiet What 400+ NDR Power Users Taught Us About Network Visibility How Attackers Gain Initial Access in Hybrid Environments Can Your SOC's AI Actually Think? Evaluating LLMs with the Vectra AI MCP Server How Vectra AI Hybrid NDR Enables Proactive Threat Hunting and Outcome-Driven Defense by Tiffany Nip Introducing the Vectra AI MCP Server for On-Premises (QUX) by Fabien Guillot From Conti to Black Basta to DevMan: The Endless Ransomware Rebrand by Lucie Cardiet How the F5 Breach Exposed Critical Edge Security Gaps Qilin’s 2025 Playbook, and the Security Gap it Exposes by Lucie Cardiet Vectra Fusion: Extending the Vectra AI Platform to Build Resilience Both Pre and Post Compromise Seeing Beneath the Surface: What Crimson Collective Reveals About Cloud Detection Depth Cl0p Is Back, Exploiting Supply Chains Again. How to Choose the Best NDR for Hybrid Environments Red Hat GitLab Breach Shows Why Consulting Data is a Goldmine for Attackers When GoAnywhere Lets Attackers Go Everywhere by Lucie Cardiet Vectra AI with Netography Redefining the SOC Platform around Modern Attack Resilience Beyond Endpoints: How BRICKSTORM Exposed Security Blind Spots by Lucie Cardiet EDR Isn’t Enough: Why Forward-Thinking CISOs Are Turning to Network + Identity by Mark Wojtasiak What Modern SOCs Should Know About NDR Alternatives Scattered Lapsus$ Hunters Announce They Are Going Dark but the Threat Remains LockBit is Back: What’s New in Version 5.0 The Npm Exploit Is The Entry Point, What Follows Is Just As Critical. How AI is Fueling Cybercrime and Why Security Gaps Are Growing by Lucie Cardiet 5-Minute Hunt: Detecting Risky Multi-Tenant Apps in Microsoft 365 GLOBAL RaaS: Dissecting a Modern Ransomware Franchise What the CISA Advisory Reveals About Nation-State Attacks New Technologies bring new risks: MCP-Powered Swarm C2 4 Real-World Attacks That Show Why SOCs Need NDR Why insider threats go undetected by security tools Black Hat USA 2025: What Security Teams Asked Us in Las Vegas Vectra AI and Google Security Operations: Breaking Down Security Silos by Zoey Chu Black Hat Takeaway: Everyone Talks Prevention, But Who Detects Compromise? Black Hat USA 2025: What It Told Me About Protecting the Modern Network from Modern Attacks Introducing the Vectra AI MCP Server Cloud Security Grey Zone: Who Owns the Risk of Managed Identities? CVE-2025-53770: A 9.8/10 Critical Exploit Targeting SharePoint 5 Ways Security Teams Can Start Driving Outcomes with Agentic AI Behind the Hunt: Real-World Threat Hunting Practices and How Vectra AI Makes the Difference Vectra AI named in Gartner hype cycle for security operations 2025 Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Gartner Security and Risk Conference – Chaos meets Opportunity Are Iranian APTs Already inside Your Hybrid Network? You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) The Two Control Points That Will Define the Future of Cybersecurity – Network and Identity Challenges in Microsoft Log Monitoring: Insights for Your SOC Sanofi Uses Vectra to Stop Cyberattack in Real Time The Cutting Edge: AI’s Inevitable Rise in Offensive Security
Prompt Control: How Context Becomes the Command-and-Control Layer for AI Agents
2026-03-19 · via Vectra AI Blog

Update May 12, 2026: GTIG's May 2026 AI threat tracker documents PROMPTSPY, an Android backdoor that operationalizes prompt-based command and control in the wild. Its GeminiAutomationAgent module serializes the device's UI hierarchy, sends it to the Gemini API alongside an attacker-supplied objective, and parses the model's response into executable gestures on the device. The prompt is the instruction set. The model is the interpreter. The C2 channel runs through the reasoning loop, exactly the pattern described below.

---

Traditional command-and-control is explicit. An infected system reaches out, receives instructions, executes them, and reports back. Even when encrypted, the structure remains. Something external is directing behavior.

Autonomous agents change that model.

They do not wait for instructions in the same way. They continuously ingest input, interpret it, and act. Emails, chats, APIs, documents… everything becomes context, and everything can influence behavior.

This creates a different control surface.

An attacker no longer needs a persistent channel if they can shape what the agent sees, remembers, and prioritizes.

Control becomes indirect, continuous, embedded in normal operation.

This is the basis of prompt control.

Recent research has already demonstrated prompt-based command-and-control frameworks where compromised agents receive tasks, execute them, and return results using only prompts and context, without traditional C2 infrastructure.

From Prompt Injection to Prompt Control

In these samples, agents trust external content. They execute tasks with real privileges. They coordinate across systems.

Each of these expands the attack surface.

Early security discussions focused heavily on prompt injection. A malicious instruction embedded in content triggers an unintended action.

That explains entry but it doesn’t explain persistence.

In recent demonstrations, a single prompt injection delivered through email or web content was enough to compromise an agent and modify its working context. From that point forward, the agent continued to retrieve attacker-controlled instructions from its own environment, effectively maintaining control without requiring re-exploitation.

A recent OpenClaw investigation showed how a single indirect prompt injection embedded in a webpage could do more than trigger one action. It invoked an execution tool, then planted instructions into the agent’s future context, allowing the attacker to continue issuing commands over time without re-accessing the system.

Screenshot of the researchers prompt that instructs OpenClaw to retrieve and execute a malicious bash script

The initial injection disappears but the influence remains.

Prompt control shapes how the system continues to behave after the initial interaction.

Prompt Control as Behavioral Influence

Prompt control steers behavior without issuing direct commands.

Instead of sending instructions, the attacker shapes what the agent treats as relevant and how it builds context. The agent then acts using its existing capabilities and permissions.

This follows the same principle as social engineering: influence the decision-maker, and the decision-maker executes the action.

The difference is scale and persistence. Agents operate continuously and rely on whatever context is available, even when that context has been shaped adversarially.

Prompt-Based Command and Control in Practice

Prompt control is not just influence, it can be operationalized.

Recent research shows how compromised agents can be enrolled into a centralized control system where tasks are issued as prompts and results are returned through normal agent workflows.

Once an agent is compromised, it does not need to be re-accessed. Instructions are persisted in the same places the agent already uses to operate: files, memory, and retrieved context. Execution loops become control loops.

Attackers issue tasks as prompts. The agent executes them using its existing permissions and returns results through normal workflows.

In one example, agents were configured to read a “heartbeat” file at regular intervals. By inserting malicious instructions into that file, attackers created a recurring execution point. Each time the agent processed the file, it retrieved new instructions and continued operating under attacker influence.

This mirrors traditional C2 behavior. The difference is that the communication channel is not traditional network beaconing. It is embedded in the agent’s own reasoning loop and execution paths.

Control shifts into what can be described as a cognitive control plane, where influence operates through:

  • Files the agent periodically reads
  • Memory stores used for retrieval
  • External content sources the agent trusts
  • Tool outputs feeding back into reasoning

Prompt Control as a Form of Persistence

In agent systems, persistence is not an implant. It is context that continues to be reloaded: memory entries, configuration files, or external sources the agent repeatedly consults. As long as that context remains, the control remains.

In practice, persistence is a context engineering problem. The challenge is not writing one malicious prompt, but getting the right instructions into the right context layer, in the right format, with enough precedence that they are repeatedly loaded and acted on. Modern agent frameworks already manage this holistic state through memory files, rules, agent configuration files, and scheduled or background re-entry points.

OpenClaw highlights how this plays out in practice. Agent memory stores often treat all inputs the same, regardless of source. Once malicious context is introduced, it can persist and continue influencing decisions with no distinction in trust.

Removing the attacker’s access does not remove the effect. If the agent continues to read attacker-influenced context, control persists.

In observed cases, this persistence survived restarts and continued until the underlying context was explicitly cleaned.

MITRE ATLAS and Continuous Influence

One important nuance is that prompt control is not deterministic. Agent behavior depends on probabilistic reasoning, context selection, and retrieval quality. The same prompt may produce different outcomes across runs, and attacks may partially succeed, fail, or require repetition.

From an attacker’s perspective, this introduces variability rather than preventing exploitation. Control becomes probabilistic: repeated influence, reinforcement, and multiple execution paths increase the likelihood of success over time.

Agents may also surface signs of compromise. In some observed cases, agents identified suspicious instructions or anomalous behavior during self-analysis or logging. These can act as early indicators of compromise. However, most agents are not yet trained or configured to treat these signals as security events or trigger defensive actions.

This is likely to evolve. As detection logic becomes embedded into agents themselves, these weak signals could become meaningful controls. For now, they remain inconsistent and rarely enforced.

MITRE ATLAS  describes several relevant techniques:

  • Data poisoning influences inputs
  • Prompt injection overrides behavior
  • Model manipulation steers outputs

What changes in agent systems is not the techniques themselves, but how they combine. Prompt injection becomes the entry point, memory or context manipulation provides persistence, and tool use enables execution. Together, they function as a continuous control loop rather than isolated steps.

MITRE ATLAS' OpenClaw attack graph shows how these techniques combine in practice. Rather than a linear sequence, influence, execution, and persistence are interconnected and can reinforce each other across the agent lifecycle.

When Control Blends into Normal Activity

From a detection perspective, this doesn’t behave like traditional compromise.

Most SOC pipelines focus on execution artifacts such as network anomalies, process behavior, credential misuse, or lateral movement. Prompt control often doesn’t trigger these signals early.

Agents operate with valid access, call approved APIs, and follow expected workflows. From a technical standpoint, activity appears normal.

The difference is in how behavior evolves. The agent is not executing attacker commands, it is making decisions that happen to align with attacker objectives.

In one demonstration, an agent was asked to summarize a document containing an indirect prompt injection. The user received a normal response in Slack, with no indication anything was wrong. At the same time, the compromised agent began sending sensitive data to an attacker-controlled Telegram bot.

To the user, the system behaves correctly. To the attacker, it is already controlled.

The same access can be used for impact. Agents can retrieve data, modify it, or delete it using the permissions they were given to be useful.

Individual actions make sense. The overall pattern drifts.

There’s no single alert that explains the behavior. The signal emerges over time.

Detection needs to focus less on isolated events and more on how activity connects across identity, network, cloud, and SaaS environments.

This is the core challenge. When control is embedded in context, there is no single point to block. The only reliable signal is how behavior changes over time.

The Vectra AI Platform correlates behavior across these domains to identify coordination, misuse, and subtle deviations that don’t appear in individual alerts, providing visibility into how activity develops rather than relying on a single point of failure.

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。