AI Agent Threat Matrix
Matrix/Reconnaissance/T-1003
T-1003validatedactive1 evidence record

System Prompt Extraction

Extract the agent's system prompt to understand its instructions, constraints, and behavioral boundaries

Tactic

Reconnaissance (Stage 1)

Map the target agent's attack surface, capabilities, and behavioral boundaries

Attack Class

SOUL-INJECT

Directly manipulating or overriding the agent's system-level instructions and behavioral boundaries

Evidence

validated

Reproduced in controlled lab environment (DVAA) with documented steps.

DVAA Validation

Reproductions in Damn Vulnerable AI Agent, the OpenA2A intentionally-broken agent for kill-chain validation.

L1-01

Honeypot Coverage (AgentPwn)

Livedata-exfiltrationagentpwn.com/attacks/data-exfiltration

An AgentPwn trap page produces a payload tagged with this technique class. Following the AgentPwn taxonomy of trap pages shows what an agent encounters.

Evidence Source Breakdown

Shodan
1 record

Evidence Timeline

Shodan

7 CLAUDE.md system prompt files confirmed leaked via publicly accessible web servers

Mar 20, 2026View source

Detection (HackMyAgent)

Live1 live · 0 queued
WEBEXPOSE-001
npx hackmyagent secure --ciLive = check implemented in hackmyagent; queued = declared, not yet implemented

Defense (OASB Controls)

Live4 live · 0 queued
OASB 1.1OASB 1.2OASB 1.3OASB 1.4
Live = documented at oasb.ai; queued = declared, not yet documented

How to Cite

AI Agent Threat Matrix T-1003 (System Prompt Extraction). OpenA2A, 2026. https://threats.opena2a.org/techniques/T-1003
← Back to Matrix