Security Benchmark: 10 LLMs Tested Against 211 Adversarial Probes

A security researcher conducted a systematic test of 10 different LLMs against 211 adversarial security probes to evaluate how they handle attacks in real-world scenarios.
Test Methodology
The researcher used a standardized setup with temperature 0 and identical API calls for every model. The test included 82 extraction probes (attempting to steal system prompts) and 109 injection probes (attempting to hijack model behavior). A honeypot system prompt loaded with fake PII, SSH keys, and API credentials was used as bait.
Key Findings
- Extraction resistance is mostly solved: Most models are decent at blocking "repeat your system prompt" type attacks. The average across all models is around 85%.
- Injection resistance is not solved: Average is 46.2%, meaning more than half of injection attacks succeed across the board.
- Universal failures: Every single model failed on delimiter attacks, distractor injection, and style injection. 0% resistance on those categories across all 10 models.
- Dead attack patterns: Every model resisted payload splitting and typo evasion at 100%.
Model-Specific Results
- Claude Opus: Scored 72.7% on injection resistance, the best of any model tested. Still means over 1 in 4 injection attacks work.
- GPT-5.4: Has perfect extraction and boundary scores but only 50% injection resistance.
- GPT-5.3 Codex: The model behind Codex CLI that runs code on your machine scored 34.5% on injection. 2 out of 3 injection attempts succeed.
- DeepSeek V3.2: Scored 17.4% on injection, basically no resistance.
- Qwen 3.5 API vs local: Almost identical extraction (81.6% vs 81.7%) but the local version is worse on injection (46.9% vs 29.8%) and much worse on boundary integrity (59.8% vs 44.6%). Running locally doesn't make it less capable at blocking extraction but does make it more vulnerable to injection.
Why Injection Matters
Extraction means someone steals your system prompt - bad, but recoverable. Injection means someone hijacks what your agent does. If your agent has tool access, file system access, or can make API calls, a successful injection can lead to data exfiltration, file deletion, or worse. Right now the best model in the world only blocks 73% of injection attempts.
Full methodology and results are public at agentseal.org/benchmark. The test prompt is also published so anyone can reproduce the results.
📖 Read the full source: r/LocalLLaMA
👀 See Also

Endo Familiar: Object-Capability Sandbox for AI Agents
Endo Familiar implements object-capability security for AI agents: agents start with zero ambient authority, receive only explicit references to specific files or directories, and can derive narrower capabilities in sandboxed code.

Security Checklist for Claude AI-Generated Applications
A developer shares a checklist of common security and operational gaps found in applications built with Claude Code, including rate limiting, authentication flaws, database scaling issues, and input handling vulnerabilities.

FreeBSD Kernel RCE via kgssapi.ko Stack Buffer Overflow (CVE-2026-4747)
A stack buffer overflow in FreeBSD's kgssapi.ko module allows remote kernel RCE with root shell via NFS server. The vulnerability affects FreeBSD 13.5, 14.3, 14.4, and 15.0 versions before specific patches.

Clawvisor: Purpose-Based Authorization Layer for OpenClaw Agents
Clawvisor is an authorization layer that sits between AI agents and APIs, enforcing purpose-based authorization where agents declare intentions, users approve specific purposes, and an AI gatekeeper verifies every request against that purpose. Credentials never leave Clawvisor and agents never see them.