AI Agent Threat Matrix
Matrix/Initial Access/T-2002
T-2002observedactive1 evidence record

Indirect Prompt Injection

Embed malicious instructions in external data sources consumed by the agent via RAG or tool responses

Tactic

Initial Access (Stage 2)

Gain control over agent behavior through prompt manipulation or input exploitation

Attack Class

RAG-POISON

Injecting malicious content into retrieval-augmented generation data sources

Evidence

observed

Confirmed in real-world production systems or internet-wide exposure assessments.

DVAA Validation

Reproductions in Damn Vulnerable AI Agent, the OpenA2A intentionally-broken agent for kill-chain validation.

RAGBot

Honeypot Coverage (AgentPwn)

Liveprompt-injectionagentpwn.com/attacks/prompt-injection

An AgentPwn trap page produces a payload tagged with this technique class. Following the AgentPwn taxonomy of trap pages shows what an agent encounters.

Evidence Source Breakdown

HMA
1 record

Evidence Timeline

HMA

HMA check RAG-002 failed on damn-vulnerable-ai-agent

Apr 22, 2026

Detection (HackMyAgent)

Live5 live · 0 queued
PROMPT-001RAG-001RAG-002RAG-003RAG-004
npx hackmyagent secure --ciLive = check implemented in hackmyagent; queued = declared, not yet implemented

Defense (OASB Controls)

Live5 live · 0 queued
OASB 3.1OASB 3.2OASB 3.3OASB 3.4OASB 3.5
Live = documented at oasb.ai; queued = declared, not yet documented

How to Cite

AI Agent Threat Matrix T-2002 (Indirect Prompt Injection). OpenA2A, 2026. https://threats.opena2a.org/techniques/T-2002
← Back to Matrix