What is the fundamental difference between direct prompt injection and indirect prompt injection?

Why are delimiter-based defenses (e.g., wrapping user input in XML tags or triple backticks) insufficient on their own?

What is a 'crescendo attack' and why is it effective against safety-trained models?

How does 'many-shot jailbreaking' exploit large context windows?

What is a 'payload splitting' attack and how does it bypass input filters?

Why are role-play based jailbreaks (e.g., 'DAN', 'Developer Mode') effective, and what makes them difficult to fully mitigate?

What is 'indirect prompt injection via retrieved context' and why is it particularly dangerous in enterprise RAG systems?

How do encoding-based injection attacks work, and what types of encoding are commonly used?

What is a 'virtual prompt injection' and how does it differ from traditional prompt injection?

Why is multi-language prompt injection an effective evasion technique?

What is 'prompt leaking' and why is it a security concern?

How do 'token smuggling' attacks exploit differences between the tokenizer and input validation?

What is the 'sandwich defense' pattern and what are its limitations?

What is a 'universal adversarial suffix' and how is it generated?

Why is output-side detection (classifying model responses) an important complement to input-side filtering?