Enterprise Agent Security

Secure Your Agents from Prompt Injection

Detect and block prompt injection attacks in real time. Prevent unauthorized tool calls, data exfiltration, and system compromise before they execute.

[Figure: Agent Security Architecture, showing how Code Integrity protects AI agents from prompt injection attacks]

Your Agents Are Under Attack

AI agents connected to tools create new attack surfaces that traditional security cannot see. Our platform provides the visibility and control you need through DLP, sandboxed execution, and runtime protection.

Complete Data Provenance

Complete audit trail of the data flow of your agent's tool calls. No black box. Block data exfiltration before it happens. Track data lineage from source to destination with full visibility.

  • Full data lineage tracking across agent operations
  • Policy enforcement at the point of data egress
  • Automated classification of sensitive data in agent context
  • Audit trails for compliance and forensics

Separate Data from Instruction

Dual LLM Architecture enables clear separation of data from instruction, allowing MCP tools to execute in a secured sandbox environment with limited network and file access.

  • Isolated runtime environments per agent session
  • Granular permission boundaries and resource limits
  • Network segmentation and egress controls
  • Real-time behavioral monitoring and anomaly detection

Tool Call Firewall

Identify toxic flows in real time. Prevent prompt injection and control flow hijack across agent interactions. Monitor behavioral patterns and intercept malicious actions before impact.

  • Behavioral flow analysis across agent interactions
  • Prompt injection and jailbreak detection
  • Control flow hijack prevention
  • Automated response and remediation workflows

Everything You Need to Secure Your Agents

A complete platform for agent security. From detection to enforcement to compliance.

Prompt Injection Detection

Real-time scanning of all agent inputs. Catches direct injections, indirect attacks via documents, and jailbreak attempts.

Tool Call Authorization

Policy-based control over MCP servers, function calls, and API requests. Define what tools agents can use.

Data Provenance

Track data flow through your agent pipelines. Know where sensitive information travels.

Security Policies

Granular rules to block risky actions. Allow and deny lists, rate limits, and conditional permissions.

Audit Logging

Complete visibility into every agent action. Searchable logs and compliance-ready reporting.

Integration Ready

Works with LangChain, CrewAI, AutoGPT, and any MCP-compatible framework. Drop-in SDK.

Built for Your Role

Whether you are securing the organization, responding to threats, or building agents, we have you covered.

Governance Without Friction

Get complete visibility and control over AI agents across your organization. Enforce security policies at scale without blocking innovation.

  • Centralized policy management across all agent deployments
  • Real-time risk dashboards and threat visibility
  • Compliance-ready audit logs for SOC 2, HIPAA, and GDPR
  • Incident response workflows and alerting
  • Board-ready security reporting

Frequently Asked Questions

Everything you need to know about securing your AI agents.

Traditional prompt injection defenses rely on classifiers, keyword filters, or LLM-as-judge approaches that attempt to identify malicious patterns in inputs. These methods suffer from high false positive rates, are easily bypassed by novel attack variations, and add latency to every request. CodeIntegrity takes a fundamentally different approach through our Dual LLM Architecture. Instead of trying to detect attacks, we architecturally separate data from instruction. MCP tools execute in a secured sandbox environment with limited network and file access, so even if malicious instructions slip through, they cannot exfiltrate data or compromise your systems. This architectural approach eliminates entire classes of attacks rather than playing whack-a-mole with detection.

The Dual LLM Architecture enables clear separation of data from instruction by using two distinct processing paths. Your agent's reasoning LLM processes user requests and makes decisions, while a separate execution layer handles tool calls in a secured sandbox environment. This architectural separation means untrusted data never mixes with trusted instructions at the execution layer. MCP tools operate with limited network and file access, preventing data exfiltration even if an attacker successfully injects malicious instructions. The architecture was influenced by Google DeepMind's CaMeL framework and represents the current best practice for defending agentic systems against prompt injection.

Data provenance refers to the documented history of data including its origin, transformations, and which systems have accessed it. In May 2025, a coalition including the NSA's AI Security Center, CISA, and FBI released guidance stating that data security is of paramount importance for AI systems, recommending end-to-end protections including provenance tracking throughout the entire AI lifecycle. CodeIntegrity logs every tool call with full context including what was requested, what was analyzed, and what policy decision was made, creating a complete chain of custody for all agent actions.

Data exfiltration attacks against AI agents include leakage of personally identifiable information, proprietary data, or credentials through model responses. Attackers hide malicious instructions in documents, emails, or databases that hijack agent behavior to extract and transmit sensitive data. In real-world incidents, attackers have embedded SQL instructions in support tickets to exfiltrate integration tokens and used seemingly harmless files to trigger agents to harvest secrets without user interaction. CodeIntegrity's sandbox environment operates with limited network and file access, blocking exfiltration attempts at the architectural level regardless of what instructions reach your agent.

MCP has significant prompt injection security challenges. Tool Poisoning occurs when attackers embed malicious instructions within MCP tool descriptions, manipulating models into executing unintended tool calls. The Rug Pull attack exploits the fact that MCP tools can mutate their definitions after installation, so a safe-looking tool on day one may quietly reroute API keys to an attacker by day seven. Over 13,000 MCP servers launched on GitHub in 2025 alone, and developers are integrating them faster than security teams can catalog them.

The lethal trifecta, coined by Simon Willison, describes the dangerous combination when an AI agent has access to private data, exposure to untrusted content, and the ability to communicate externally. When all three are present, attackers can inject malicious instructions, access sensitive data, and exfiltrate it. Meta's Rule of Two states that agents should have no more than two of these three capabilities in a single session. If all three are required, the agent should not operate autonomously and requires human-in-the-loop supervision.
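The Rule of Two described above can be enforced mechanically as a per-session gate. The following is an added illustration, not CodeIntegrity's or Meta's code: each tool is labelled with the trifecta capabilities it confers (the tool names and labels are constructed for the example), and a call that would give the session all three capabilities is held for human approval instead of executing.

```python
from enum import Enum


class Cap(Enum):
    """The three capabilities of Simon Willison's lethal trifecta."""
    PRIVATE_DATA = "private_data"
    UNTRUSTED_CONTENT = "untrusted_content"
    EXTERNAL_COMM = "external_comm"


# Constructed catalogue for illustration: every tool the agent may call is labelled
# with the trifecta capabilities it confers. Unlabelled tools are refused outright.
TOOL_CAPS = {
    "read_crm_records": {Cap.PRIVATE_DATA},
    "read_inbox": {Cap.PRIVATE_DATA, Cap.UNTRUSTED_CONTENT},   # mailbox is private, mail bodies are untrusted
    "fetch_url": {Cap.UNTRUSTED_CONTENT, Cap.EXTERNAL_COMM},   # page content is untrusted; the URL itself can carry data out
    "send_email": {Cap.EXTERNAL_COMM},
    "calculator": set(),
}


class SessionGuard:
    """Tracks which trifecta capabilities a session has exercised and gates each new call."""

    def __init__(self, tool_caps=TOOL_CAPS):
        self.tool_caps = tool_caps
        self.exercised: set = set()

    def gate(self, tool: str) -> str:
        """Return "allow", "require_human" or "deny" for a proposed tool call."""
        caps = self.tool_caps.get(tool)
        if caps is None:
            return "deny"                    # unknown capability surface is never exercised
        if len(self.exercised | caps) == 3:  # this call would complete the trifecta
            return "require_human"           # Rule of Two: no autonomous operation with all three
        self.exercised |= caps               # record the capabilities the session now holds
        return "allow"

    def approve(self, tool: str) -> None:
        """Record a held call's capabilities after a human reviewer has approved it."""
        self.exercised |= self.tool_caps[tool]
```

The check is order-independent: whichever tool would supply the third capability is the one that gets held, so a session that has read untrusted mail cannot autonomously send email, and a session that can already send email cannot autonomously start reading untrusted mail.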

AI risks now top the priority lists of security challenges for CISOs, outpacing vulnerability management, data loss prevention, and third-party risk. Seventy-nine percent of enterprises operate with blindspots where agents invoke tools, touch data, or trigger actions that security teams cannot fully observe. More than 95 percent of enterprises deploying autonomous agents are doing so without leveraging existing cybersecurity mechanisms like PKI to track, identify, and control their agents. Security leaders should treat agent permissions as privileged access with the same rigor applied to human users.

Rather than trying to detect malicious instructions hidden in documents, emails, or databases, CodeIntegrity's Dual LLM Architecture prevents them from causing harm. By separating data from instruction at the architectural level, untrusted content is processed in isolation from execution logic. Our Tool Call Firewall identifies toxic flows in real time and prevents control flow hijack. Even if malicious instructions reach your agent, the sandbox execution environment blocks data exfiltration and unauthorized actions. According to OWASP's 2025 Top 10 for LLM Applications, prompt injection ranks as the number one critical vulnerability, appearing in over 73 percent of production AI deployments assessed during security audits.

AI agent security must address GDPR, HIPAA, SOC 2, and other regulatory frameworks. SOC 2 compliance has become the baseline expectation for enterprise AI adoption with 82 percent of organizations requiring it from their AI vendors. HIPAA compliance requires maintaining confidentiality, integrity, and availability of Protected Health Information through technical safeguards, administrative controls, and comprehensive audit logging. CodeIntegrity is currently in the SOC 2 Type II observation period with Vanta and our platform is designed to support compliance with HIPAA, GDPR, and other frameworks out of the box.

When CodeIntegrity's Tool Call Firewall identifies a toxic flow or policy violation, it blocks the action before execution and logs the incident with full context. You can configure alert workflows through Slack, email, or PagerDuty, as well as automatic incident tickets and custom response actions. The blocked request never reaches the target system. Our audit logs contain metadata like timestamps, policy decisions, and threat classifications, creating an immutable record for compliance and incident investigation.

We process requests in real time and do not store prompt contents or agent outputs by default. Audit logs can be configured to exclude sensitive content while maintaining the provenance trail needed for security and regulatory requirements. We offer on-premise deployment for organizations with strict data residency requirements. Unlike traditional methods that rely on static permissions, our Context-Based Access Control evaluates the context of both requests and responses to enable dynamic access enforcement.

Most teams are up and running within a day. Our SDK requires less than 10 lines of code to integrate, and we provide sandbox environments for testing before production deployment. CodeIntegrity works with all major agent frameworks including LangChain, CrewAI, AutoGPT, Microsoft AutoGen, and any MCP-compatible system. Our team can help with onboarding and policy configuration tailored to your specific security requirements.

Secure Your Agents Today

Get enterprise-grade agent security deployed in minutes.