Context Window Exploitation

Overflow or saturate the context window to displace safety instructions with attacker-controlled content

Tactic

Initial Access (Stage 2)

Gain control over agent behavior through prompt manipulation or input exploitation

Attack Class

SOUL-DRIFT

Gradually displacing safety instructions from the active context through conversation manipulation

Evidence

validated

Reproduced in controlled lab environment (DVAA) with documented steps.

DVAA Validation

Reproductions in Damn Vulnerable AI Agent, the OpenA2A intentionally-broken agent for kill-chain validation.

L2-06

Honeypot Coverage (AgentPwn)

Livecontext-windowagentpwn.com/attacks/context-window

An AgentPwn trap page produces a payload tagged with this technique class. Following the AgentPwn taxonomy of trap pages shows what an agent encounters.

Detection (HackMyAgent)

Live2 live · 0 queued

PROMPT-001PROMPT-002

npx hackmyagent secure --ciLive = check implemented in hackmyagent; queued = declared, not yet implemented

Defense (OASB Controls)

Live5 live · 0 queued

OASB 3.1 OASB 3.2 OASB 3.3 OASB 3.4 OASB 3.5

Live = documented at oasb.ai; queued = declared, not yet documented

How to Cite

AI Agent Threat Matrix T-2004 (Context Window Exploitation). OpenA2A, 2026. https://threats.opena2a.org/techniques/T-2004

← Back to Matrix