Antijection

A structured, evidence based map of how real AI systems get attacked, and what actually happens when they do.

Antijection documents and classifies real-world attacks on deployed AI systems, organized by where they happen, what enables them, and what they actually change.

90 documented real-world incidents Classified across deployment context, external connection, attack type, and observable outcome

What makes this different

Most frameworks classify attacks by attacker behaviour or generic risk category. None tell a team which attacks are actually possible in their specific deployment. Antijection links attack types to the specific external connections that enable them, so the threat profile follows the deployment.

The field measures attacks by success rate in lab benchmarks. That does not capture what changed in the real system. Antijection tracks observable outcomes: the system-state changes a security team would actually see in their logs.

Most documented attacks come from controlled research. Antijection documents what has genuinely happened in production, and how that diverges from theory.

Built as a living, structured, navigable knowledge base that grows as new incidents are documented and classified.

The map

incidents linked to the deployment it ran in, the connection it flowed through, the technique it used, and the outcome it produced. Switch between flow, matrix, timeline, and 3D scatter views below.

Types:
Evidence:
Vector:
DEPLOYMENTCONNECTIONATTACKRESULT1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident1 incident2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents2 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents3 incidents4 incidents4 incidents4 incidents4 incidents4 incidents4 incidents4 incidents4 incidents4 incidents4 incidents4 incidents4 incidents4 incidents4 incidents4 incidents4 incidents4 incidents5 incidents5 incidents5 incidents5 incidents5 incidents5 incidents5 incidents5 incidents6 incidents6 incidents6 incidents7 incidents7 incidents7 incidents8 incidents8 incidents8 incidents9 incidents9 incidents9 incidents9 incidents9 incidents9 incidents9 incidents10 incidents10 incidents10 incidents10 incidents10 incidents10 incidents10 incidents11 incidents11 incidents11 incidents12 incidents12 incidents12 incidents12 incidents12 incidents13 incidents13 incidents13 incidents14 incidents14 incidents15 incidents15 incidents15 incidents15 incidents16 incidents16 incidents16 incidents17 incidents17 incidents26 incidents32 incidents43 incidents1.5 General Purpose A…352.1 Autonomous Coding…263.7 Personal AI Agent93.6 Enterprise Produc…42.5 CI CD and DevOps …3.1 Email Processing …3.9 Workflow Automati…2.3 Code Review Agent2.4 Text-to-SQL and N…3.10 AI Content Moder…3.4 HR and Recruitmen…1.1 Customer Support …2.6 NL-to-Graph Query…3.5 CRM and Sales Ope…3.8 Browser extensionOutbound HTTP Request36Shell and Terminal20LLM Chat Interface19Git Repository16Local File System16Email API12Browser Full10Long-Term Agent Memory10Web Search API9RAG Pipeline8Cloud File Storage APICI-CD PipelineCalendar and Scheduli…Code Execution RuntimeMassege APIAgent Skill RegistryBrowser TabCRM SystemCustom HTTPHRMS HCM SystemMonitoring and Observ…Project Management Sa…SQL DatabaseIndirect retrieval in…70Plain text injection36Invisible text inject…21Outbound tool exfiltr…19Markup and structure …16Memory poisoning9Encoded payloadAgent delegation abuseDelayed trigger plant…Self-replicationContext window manipu…Emotional compliance …Data exfiltrated49False output accepted32Arbitrary code execut…22Credentials stolen19Persistent foothold e…15Unauthorized write ac…14Cross-boundary access…7Configuration alteredPayload propagated to…Malicious code commit…Resources wasted or D…System prompt disclos…Financial commitment …
Showing 165 of 165 entities · 771 of 771 edges Deployments Connections Attacks Results

Want the full-screen view? /graph

Maintained by Aiteera LLC, an AI integration and development company.

© 2026 Aiteera LLC · Research licensed CC BY 4.0