The Arcanum Prompt Injection Taxonomy 1.6.1

The AI Attacker's Atlas

Hey everyone!

Quick refresher for anyone new: the Prompt Injection Taxonomy (PITAX) is our open, interactive map of prompt injection and LLM attacks. I built it for auditors and pentesters, so it's organized the way you actually attack: by what the attacker wants (Intents), how they manipulate the model (Techniques), how they sneak payloads past filters (Evasions), and where the payload enters the system (Inputs).

The TL;DR

  • PITAX v1.6.1 dropped and grew the taxonomy from 107 to 172 nodes

  • 41 new Techniques covering the stuff that works in 2026: multi-turn, agentic, and reasoning-model attacks

  • Every node now has a citable code (like PIT-T-29) plus "Also Known As" mappings to OWASP, MITRE ATLAS, and NIST

  • It's free, and open to contributions

/ The interactive version is now the source of truth

We used to ship this as a pile of per-node Markdown files and an XMind mind map. That's done. The interactive HTML is a far better way to use this thing: click a node, read the card, see the examples, follow the cross-references.

For the builders: we also added taxonomy.json. Every node, every code, every mapping, in one machine-readable file. If you want to wire PITAX into your own reporting pipeline, your scanner, or an internal training app, go for it.

The $50K per hour network downtime dilemma

Networking and network security stakes are high. Like really high. Infrastructure downtime costs teams at minimum $50,000 per hour.

On July 15th, join Netskope and Tines for a live session to learn how you can go from reactive networking and network security operations to proactive response.

You'll learn:

  • The hidden costs of manual operations

  • What “great” actually looks like in secure network operations

  • A 5-step roadmap to build your strategy

/ The new techniques (this is the fun part)

Single-shot "ignore your previous instructions" jailbreaks are no longer where the action is. The 41 new Techniques reflect how these attacks land today. A few of my favorites:

Multi-turn attacks. The big shift. Instead of one malicious prompt, you walk the model there over the course of a conversation.

  • Crescendo starts benign and escalates one reasonable step at a time until it hands you something it never should have.

  • Echo Chamber plants ideas across turns and then gets the model to cite its own earlier output as justification.

  • Many-Shot Jailbreaking floods the context with fake example exchanges until the model just plays along.

  • History Fabrication forges prior turns so the model thinks it already agreed to help.

Agentic attacks. Everybody is shipping agents with tool access, so this is the frontier I'm watching closest.

  • Tool-Definition Injection hides instructions inside the tool and function descriptions themselves.

  • Tool Rug Pull is the supply-chain nightmare: a tool behaves one day and turns malicious the next.

  • Confused Deputy abuses the agent's own privileges to reach what you're not authorized to.

Reasoning-model attacks. As reasoning models took over, a whole new class opened up.

  • Reasoning Dilution and Thinking-Mode Manipulation mess with the model's chain of thought.

  • Chain-of-Thought Spoofing feeds it fake reasoning to steer the conclusion.

On the Evasions side, we added 12 new ones, including Adversarial Poetry (yes, wrapping the payload in verse genuinely slips past filters), Bidirectional Text Override (Trojan Source, now pointed at LLMs), and Symbolic Math Encoding.

We also added 9 new Intents so the attacker-goal side keeps up: Denial of Wallet (torch the victim's entire token budget), Cross-Tenant Data Leakage, Sensitive Data Exfiltration, and more.

/ Citable codes and framework mappings (the part your reports needed)

This is the upgrade I'm most proud of for working testers. Every node now has a reference code: PIT-I-NN for Intents, PIT-T-NN for Techniques, PIT-E-NN for Evasions, PIT-N-NN for Inputs. The codes are stable IDs, so you can drop "PIT-T-29 Crescendo" into a finding and your client can look up exactly what you mean.

On top of that, most nodes include an "Also Known As" list that maps our names to the names other frameworks use, so PITAX lines up with OWASP, MITRE ATLAS, and NIST rather than fighting them. Nodes are tagged as direct/indirect/both for delivery, and white-box attacks that require model weights or internals are flagged LOCAL so you know what's in scope for a black-box engagement. As of v1.6.1, cards are also sorted alphabetically, with the reference code as the stable ID, making it easier to browse without breaking anything you've already cited.

/ The community showed up

v1.6.1 also shipped our first community-contributed technique: PIT-T-70 Function-Call Parameter Smuggling (abusing the structured arguments the model fills into a tool or function call), contributed by redbankdev.

/ Go play with it

The whole thing is free.

This is a living map of a fast-moving field, and it gets better every time a practitioner feeds a real attack back in. So if you've got a technique we're missing, open an issue or a PR.

Happy hacking

-Jason