Mara opens September 2026Request early access
Mara
R-0520 May 2026 · 7 min

Prompt injection is the memory-safety bug of our decade.

Why the defining vulnerability of AI security tooling is the one where attacker-controlled text becomes model instruction, and how Mara is built to contain it.

Point a language model at text an attacker controls, a phishing lure, a log line, a string pulled from a malware sample, and you have handed the attacker a channel into your model. The text is data to you. To the model it can read as instruction. This is prompt injection, and for security tooling it is not a corner case. It sits in the centre of the threat model.

The Open Worldwide Application Security Project ranks it first in its Top 10 for large language model applications, and the ranking is earned. Most mistakes a tool can make are bounded by what the tool was built to do. Injection is unbounded, because the attacker gets to write the next instruction.

Direct, and the worse kind.

Direct injection is the visible version: a user types something that subverts the system prompt. The dangerous version is indirect. The model ingests a document, an email body, a web page, a tool result, and that content carries a payload aimed not at the user but at the model. An analyst pastes a suspicious email into Mara and asks for a verdict. If Mara treats the email body as something to obey, the email writes its own verdict.

The text is data to you. To the model it can read as instruction.

What we build against it.

  • ·Untrusted by default. Document content, tool output, retrieved text and pasted samples are data, never instruction. The boundary is enforced in the harness, not requested in the prompt.
  • ·No privileged action from model output alone. Anything that touches your environment, a query run, a ticket closed, a host isolated, passes through a human or an explicit allowlist. The model proposes. It does not execute.
  • ·Tool results are framed and fenced. When Mara reads a sandbox report or a SIEM result, the content arrives wrapped so the model can tell the report from the request.
  • ·Red-team the injection surface on purpose. Our evaluation includes adversarial documents written to make Mara misbehave, scored on whether it holds the line.

None of this makes injection solved. Memory-safety bugs are forty years old and still ship. The honest framing is that injection is a standing condition of building on language models, the way memory safety is a standing condition of building in C. You design for it, you contain the blast radius, and you assume you have not caught every case.

Mara is a research preview from venode. Feedback, corrections and disagreements welcome, mara@venode.ai.

More notes
  1. R-06

    The defender's dilemma, and what AI does to it.

    AI lowers the cost of attack and defence at once. The honest question is which side gains more, and why we think it is the defender.

  2. R-07

    The state of AI in cyber, a mid-2026 review.

    Where the field actually is, the parts we think are real and the parts we think are noise: agentic tooling, model-found bugs, the evaluation gap, adversary use, and governance.

  3. R-01

    Reasoning about an unknown sample.

    How Mara approaches a piece of malware it has never seen before: what to look at, what to suspend judgement on, and where to begin.