Data-Structure Injection (DSI) in LLM Agents
Structured prompts (YML, XML, JSON) collapse next-token predictions, giving attackers control over tool calls, arguments, and agentic workflows.
Bridging adversarial ML, detection engineering, and mechanistic interpretability to secure AI systems. Currently at Zenity, building real-time defense for AI agents.
Exploring the boundaries of LLM security through novel attack classes, geometric analysis, and defense mechanisms.
Structured prompts (YML, XML, JSON) collapse next-token predictions, giving attackers control over tool calls, arguments, and agentic workflows.
LLMs can predict their own outputs before generating them, including when they will comply with exploits — revealing introspective awareness.
Adding an explicitly safe tool option dramatically lowers DSI success rates, achieving 0% false positives under certain configurations.
Safety training operates on semantic directions in activation space. Structured inputs travel different geometric paths, bypassing safety entirely.
Delta-sim training widens the classifier's malicious route in activation space, recovering 99.2% of missed attacks — with calibration trade-offs.
Meta's Prompt Guard 2 fails when the same injection is simply repeated twice — a consequence of energy-based training overfitting negative examples.
Structured prompts (YML, XML, JSON) collapse next-token predictions, giving attackers control over tool calls, arguments, and agentic workflows.
LLMs can predict their own outputs before generating them, including when they will comply with exploits — revealing introspective awareness.
Adding an explicitly safe tool option dramatically lowers DSI success rates, achieving 0% false positives under certain configurations.
Safety training operates on semantic directions in activation space. Structured inputs travel different geometric paths, bypassing safety entirely.
Delta-sim training widens the classifier's malicious route in activation space, recovering 99.2% of missed attacks — with calibration trade-offs.
Meta's Prompt Guard 2 fails when the same injection is simply repeated twice — a consequence of energy-based training overfitting negative examples.
Two LLM agents — a Builder and a Hacker — compete in an adversarial loop. The Hacker stores structured reflections in episodic memory, demonstrating measurable transfer learning across offensive security tasks.
Open source security tools built to defend AI agents against real-world attacks.
A lightweight defense against Data Structure Injection attacks. Injects a safe tool into LLM tool calls so the model can abort malicious requests. Supports OpenAI, Anthropic, and Gemini.
Bring-your-own-security infrastructure for OpenClaw AI agents. Plug in regex, Sigma, CEL, SQL, ML, or LLM-as-judge evaluators to detect and block threats in real time.
From military intelligence to cloud security to AI — building defenses at every layer.
AI Security Researcher
Security Researcher
Security Engineer
Cyber Threat Hunter Team Leader
Contributing to the frameworks that define how the industry understands AI threats.
Recognized contributor to the Adversarial Threat Landscape for Artificial-Intelligence Systems framework.
Editor at OWASP best practices for MCP (Model Context Protocol) development.
Disclosed vulnerability in Prompt Guard 2 classifier to Meta, classified as informative.
Interested in AI security research, collaboration, or speaking opportunities? I'd love to hear from you.