A structured, practitioner-built reference covering 253 prompt injection techniques across 17 attack categories, 4 injection classes, and the full OWASP LLM Top 10 threat surface.
Built for AI red teamers, security engineers, and LLM application developers who need a systematic way to understand, test, and defend against prompt injection in real deployments.
Most prompt injection resources are either too shallow (a list of jailbreak one-liners) or too academic (threat model papers without actionable technique detail). This taxonomy sits in between: every entry has a named technique, a delivery vector, an attack category, a technique type, an evasion method, a potential impact, an OWASP LLM Top 10 mapping, and a concrete example prompt.
The goal is to give a red teamer a complete map of the attack surface, and give a defender a structured view of what they are actually protecting against.
| Dimension | Count |
|---|---|
| Total techniques | 253 |
| Attack categories | 17 |
| Injection classes | 4 |
| Technique types | 30 |
| Evasion / obfuscation methods | 20 |
| Potential impact types | 18 |
| OWASP LLM Top 10 entries mapped | 7 |
| Attack Category | Techniques |
|---|---|
| Cognitive Control Bypass | 64 |
| Instruction Reformulation | 38 |
| Overt Instruction | 20 |
| Context / Attention Attack | 14 |
| Model-Specific Exploit | 14 |
| Integrative Instruction Prompting | 13 |
| Multimodal Prompting Attacks | 13 |
| Defense Evasion | 11 |
| Integration Surface Attack | 11 |
| Agentic / Tool-Use Attack | 11 |
| Covert Channel / Side-Channel | 10 |
| Linguistic / Semantic Attack | 10 |
| RAG-Specific Attack | 9 |
| Social / Systemic Attack | 5 |
| Output-Targeting Attack | 4 |
| Prompt Boundary Manipulation | 3 |
| Safety System Attack | 3 |
| Injection Class | Techniques |
|---|---|
| Direct Prompt Injection | 214 |
| Indirect — Context-Data | 27 |
| Agentic / Pipeline | 8 |
| Indirect — User-Delivered | 4 |
prompt-injection-taxonomy/
│
├── README.md
├── CHANGELOG.md
├── LICENSE
│
├── checklist/
│ └── Prompt_Injection_Master_Checklist.xlsx
│
├── docs/
│ ├── injection-classes.md
│ ├── taxonomy-overview.md
│ ├── technique-types.md
│ ├── evasion-methods.md
│ └── owasp-mapping.md
│
└── contributing/
└── CONTRIBUTING.md
The Excel file has two sheets.
PI Checklist contains all 253 entries. Each row is one technique with the following columns:
- ID — unique identifier (PI-001 through PI-253)
- Injection Class — how the injection reaches the model
- Delivery Vector — the specific mechanism of delivery
- Attack Category — the strategic attack family
- Technique Name — the named technique
- Sub-Technique / Variant — specific variant or sub-method
- Technique Type — the operational approach
- Evasion / Obfuscation Method — how detection is bypassed
- Potential Impact — what a successful attack achieves
- OWASP LLM Top 10 — mapped risk classification
- Example Prompt — a concrete demonstration prompt
Taxonomy Reference is a companion sheet explaining every category, type, evasion method, and impact in plain language. The color coding in the checklist matches the taxonomy — any color in column B (Injection Class) or column D (Attack Category) maps directly to the same color in the taxonomy sheet.
For red teamers: Start with a reconnaissance pass (PI-141, PI-142, PI-167, PI-184, PI-204), then work through the attack categories most relevant to your target deployment. Agentic deployments should prioritize PI-145 to PI-150, PI-218, PI-220, PI-232, PI-246, and PI-252. RAG systems should prioritize PI-151 to PI-155, PI-221, PI-222, PI-239, and PI-241.
For defenders: Use the OWASP mapping column to group findings by risk classification. Use the Attack Category column to understand which threat families your controls do and do not cover.
- Injection Classes — the four ways an injection reaches a model
- Taxonomy Overview — all 17 attack categories with descriptions and technique counts
- Technique Types — the 30 operational approaches used across techniques
- Evasion Methods — the 20 obfuscation methods and their detection difficulty
- OWASP LLM Top 10 Mapping — how every technique maps to the OWASP LLM risk framework
If you have a technique that is not covered, a correction to an existing entry, or an improvement to the taxonomy structure, see CONTRIBUTING.md.
This is a living reference. The threat landscape for LLM applications moves quickly and the taxonomy should move with it.
See CHANGELOG.md for the full version history and change rationale.
Current version: v1
Creative Commons Zero v1.0 Universal (CC0)
You are free to use, share, adapt, and build on this work in any form, including commercially, without asking permission or giving credit. No attribution required.
This taxonomy maps to the OWASP LLM Top 10 risk classification. Entries are tagged with the most relevant LLM risk category. LLM01 (Prompt Injection) covers the largest share of the taxonomy by design; LLM02, LLM04, LLM06, LLM07, LLM09, and LLM10 are also represented.
