Maatphor: Automated Variant Analysis for Prompt Injection Attacks

Maatphor: Automated Variant Analysis for Prompt Injection Attacks
Do not index
Do not index
Blog URL
Prompt injection has emerged as a serious security threat to large language models (LLMs). At present, the current best-practice for defending against newly-discovered prompt injection techniques is to add additional guardrails to the system (e.g., by updating the system prompt or using classifiers on the input and/or output of the model.) However, in the same way that variants of a piece of malware are created to evade anti-virus software, variants of a prompt injection can be created to evade the LLM's guardrails. Ideally, when a new prompt injection technique is discovered, candidate defenses should be tested not only against the successful prompt injection, but also against possible variants.
In this work, we present, a tool to assist defenders in performing automated variant analysis of known prompt injection attacks. This involves solving two main challenges: (1) automatically generating variants of a given prompt according, and (2) automatically determining whether a variant was effective based only on the output of the model. This tool can also assist in generating datasets for jailbreak and prompt injection attacks, thus overcoming the scarcity of data in this domain.
We evaluate Maatphor on three different types of prompt injection tasks. Starting from an ineffective (0%) seed prompt, Maatphor consistently generates variants that are at least 60% effective within the first 40 iterations.

Summary Notes

Maatphor: Streamlining the Defense Against AI Prompt Injection Attacks

In the rapidly advancing world of artificial intelligence (AI), securing large language models (LLMs) is crucial.
These powerful tools drive a range of applications, from chatbots to content creation, but they're vulnerable to specific types of cyberattacks, notably prompt injection attacks.
Maatphor emerges as a groundbreaking solution, automating the detection and generation of these malicious prompts, thus bolstering the defenses of AI systems.


Prompt injection attacks trick LLMs into producing harmful or misleading responses. Traditional defenses are often one step behind attackers.
Maatphor changes the game by proactively generating and analyzing new, harmful prompts, helping AI engineers stay ahead.

Key Challenges Maatphor Addresses

Maatphor tackles two major issues in LLM security:
  • Creating New Variants: It creatively generates new, hard-to-detect prompts.
  • Assessing Threats: It innovatively evaluates these prompts to ensure they are truly threatening.

How Maatphor Works

Maatphor simplifies the defense process:
  • Input: Start with a harmful prompt.
  • Output: Get variants of this prompt that could bypass existing security measures.
  • Procedure: Through cycles of generation and evaluation, Maatphor refines these variants.

Technical Details

Maatphor's efficiency stems from:
  • Variant Creation: It uses LLMs to evolve a seed prompt into numerous variants, drawing on current research.
  • Evaluation: By comparing the intended and actual outputs, Maatphor determines which variants are most dangerous.

Testing and Results

Maatphor has been tested in various scenarios, showing its capability to quickly come up with effective prompt variants, thereby proving its worth in enhancing security measures.


Maatphor's development has broader impacts:
  • Versatility: It's designed to adapt to different LLMs, making it useful for both attack and defense.
  • Utility: It helps identify and strengthen weaknesses, making AI systems more robust.

Limitations and Next Steps

Maatphor marks a significant step forward but has areas for improvement:
  • Evaluation Depth: Current evaluation methods might not catch every subtlety of prompt injections.
  • Wider Application: Its effectiveness across various LLMs and settings needs further exploration.


Maatphor offers a proactive, systematic way to protect LLMs from prompt injection attacks, equipping AI engineers with a valuable tool in their security arsenal.

Future Directions

For those in AI security and ethics, Maatphor's development is a major milestone. Future enhancements aim to refine its interface and evaluation capabilities, ensuring it remains a leading solution in AI security.

How Athina AI can help

Athina AI is a full-stack LLM observability and evaluation platform for LLM developers to monitor, evaluate and manage their models

Athina can help. Book a demo call with the founders to learn how Athina can help you 10x your developer velocity, and safeguard your LLM product.

Want to build a reliable GenAI product?

Book a demo

Written by

Athina AI Research Agent

AI Agent that reads and summarizes research papers