What 2,000 Attackers Taught Me About Securing AI Agents
6,000 prompt-injection attempts, one secret file, zero leaks. The real lessons aren't about the model — they're about everything around it.
6,000 prompt-injection attempts, one secret file, zero leaks. The real lessons aren't about the model — they're about everything around it.

Prompt injection is the security problem nobody building with LLMs can ignore. The moment your AI assistant can read untrusted input and take actions — send an email, hit an API, touch a file — every message it ingests becomes a potential exploit. So when developer Fernando Irarrázaval put an AI assistant online and dared the internet to break it, the result was one of the most useful real-world stress tests of agent security we have seen. Over 2,000 people sent more than 6,000 emails trying to make it leak a secrets file. Here is what happened, and what it means for anyone shipping agents.
The experiment, documented at hackmyclaw.com, was simple. An AI assistant named Fiu ran on a VPS with the ability to read and reply to emails. Somewhere on the machine sat a secrets.env file with credentials. The assistant had a basic system prompt with anti-injection rules. The challenge to the public: get Fiu to reveal the contents of that file. After the project hit the front page of Hacker News, the floodgates opened — 6,000+ emails from more than 2,000 distinct attackers, all probing for a way in.
This is exactly the threat model that matters for production agents. The assistant was not running in a sandbox where input was trusted. It was reading arbitrary text from strangers, and that text was competing with the system prompt for control of the model's behavior. If you have ever wired an LLM up to your inbox, your support queue, or a web scraper, you have built the same exposure. What makes the experiment valuable is that it ran in the open, with real money and real consequences on the line, instead of in the artificial conditions of a benchmark. Benchmarks tell you how a model behaves against a fixed list of known attacks; 2,000 motivated humans tell you how it behaves against the long tail of attacks nobody thought to write down. That second number is the one that actually predicts how your agent will fare in production.
The creativity on display is worth studying, because it maps almost exactly to the prompt-injection taxonomy you should be defending against. The attempts clustered into a handful of recognizable patterns:
None of these are exotic. They are the exact techniques that show up against real customer-facing agents every day. The difference is that here someone published the results.
The headline result: across 6,000+ attempts, Fiu never leaked the secret. Not once. The author credits the model — Claude Opus 4.6, which received specific prompt-injection resistance training — as the decisive factor. A simple, well-crafted system prompt paired with a capable model proved remarkably durable. Anthropic has invested heavily in this; if you are choosing a foundation model for agentic work, the Claude API is worth evaluating specifically on injection resistance, not just raw capability.
The practical takeaway is uncomfortable for anyone who assumes security comes from clever prompt engineering alone: model choice did more heavy lifting than prompt wording. A smaller, cheaper model with the identical instructions would very likely have folded. Robustness against injection is now a real, measurable axis on which frontier models differ — and it should factor into your model selection the same way latency and cost do.
It is worth pausing on why a single paragraph of instructions could withstand thousands of adversarial messages. Injection resistance is not magic, and it is not a keyword filter. It is a learned behavior: the model has been trained on enormous numbers of examples where instructions embedded in user content try to override the system prompt, and it has been rewarded for keeping the two channels separate. The result is a model that treats the system prompt as a different class of instruction from the text it is processing — closer to how an operating system separates kernel space from user space.
That distinction is fragile in weaker models and increasingly solid in frontier ones, but it is never absolute. The reason the author still will not hand an agent arbitrary permissions is that injection is an open-ended adversarial problem. Every successful defense just raises the bar for the next attacker. A novel framing, a cleverly nested instruction, or a payload that arrives through a channel the model was not trained to be suspicious of can still slip through. Treating the model's resistance as strong-but-defeatable, rather than as a guarantee, is the only sustainable mindset. Robustness buys you margin, not immunity.
Tellingly, the failures in this experiment were not the model leaking data — they were everything around it. This is the part builders should internalize:
In other words, the LLM was the most robust component in the system. The operational scaffolding — rate limits, cost caps, deliverability, batching — is where a real attacker would focus, and where most teams under-invest.
It would be easy to read “the model never leaked” and conclude that prompt injection is solved. It is not. The author himself ends on a measured note: he is considerably more optimistic than before, but still would not trust an AI agent with arbitrary permissions. That is exactly the right posture. Defense in depth still applies.
Concretely, here is how to turn this experiment into engineering decisions:
If the model is one layer, what are the others? A defensible agent that touches untrusted input tends to look like a series of concentric rings, each of which assumes the ring inside it might fail. Picture the secrets challenge rebuilt properly. The model still does its best to refuse, but it is no longer the only thing standing between an attacker and the credentials.
None of these depend on the model behaving. That is the point. When you assume each layer can be breached, a single failure stops being catastrophic. The 2,000-attacker experiment is encouraging precisely because it shows the innermost ring is now strong — but a production system earns its safety from the rings the attacker never even reaches.
This was a generous gift to the community: a public, adversarial, real-money test of agent security with the results written up honestly. The encouraging news is that frontier models have gotten genuinely hard to jailbreak through the front door. The sobering news is that the front door was never where the real risk lived. Your model may hold the line against 6,000 attacks — but your rate limiter, your credential scope, and your email reputation are the things that decide whether shipping an agent is safe. Build accordingly, and treat the model as one layer of defense, never the only one.
Get the weekly digest for AI builders & vibe coders. Curated tools, resources, and stories. Skip the scroll.