The same month another autonomous AI agent demo goes viral, a quieter number is climbing in the background: how many people are searching for how to break one. Searches in the United States for “prompt injection”, the attack that tricks a language model into ignoring its instructions, have more than doubled over the past year to roughly 4,000 a month. The attack that security researchers worry about most is now the one the public is Googling hardest.
That figure comes from a new analysis of search-demand data by Cyber Insider, a cybersecurity news and research publication, which tracked public interest in the main techniques used to attack large language models. Across the three most-searched methods, prompt injection, model jailbreaking and data poisoning, combined monthly searches climbed about 63% in a year, from roughly 46,000 to about 75,000. Prompt injection did almost all of the lifting. Searches for “data poisoning” roughly doubled from a 2024 baseline near 500 a month to more than 1,000, while interest in jailbreaking, the older and more familiar idea, stayed broadly flat.
Why agent builders should care more than chatbot builders
For anyone wiring up autonomous agents, this trend is worth sitting up for. A chatbot that can be talked into saying something off-script is embarrassing. An agent that can read email, browse the web, run code and call tools is a different proposition, because a successful prompt injection does not just change what the model says, it can change what the model does. The same autonomy that makes an agent useful is the thing an injected instruction gets to borrow.
The security community reached this conclusion a while ago. The OWASP Foundation’s Top 10 for LLM Applications, the most widely used reference for AI security risk, lists prompt injection as its number one entry for the second edition running, and ranks data and model poisoning fourth. The two categories whose search demand is rising fastest are, almost exactly, the two the experts rank most critical. The one that has plateaued, jailbreaking, is the one that has been around longest.
“Prompt injection has quietly become the SQL injection of the AI era,” said Alex Lekander, a security commentator at Cyber Insider. “For a long time it lived in red-team write-ups and conference talks. Mainstream search volume usually means a problem has crossed over from the lab into the day job of every developer connecting a model to a real system, and the agent boom is pouring fuel on that.”
The part you cannot patch
What makes prompt injection so awkward is that it is not really a bug. A language model takes in instructions and data through the same channel and has no reliable way to tell one from the other. Tell a customer-service bot to ignore its previous instructions and it may simply comply. OWASP is blunt that there is no fool-proof prevention, because the weakness is baked into how the models work rather than sitting in a single line of code someone can fix.
The harder version is indirect injection, and it is tailor-made to bite agents. Instead of typing a malicious instruction into a chat box, an attacker hides it in something the agent will read on its own: a web page it summarizes, a document it ingests, a support ticket it triages, a calendar invite it parses. The user never sees the instruction. The agent does, treats it as a command, and acts. An assistant asked to summarize a booby-trapped page can be steered into leaking the rest of the conversation or quietly calling a tool it should never have touched.
What good practice looks like
The takeaway is not to stop building agents. It is to build them as though the model will be fooled, because at some point it will be. That means least privilege, so an agent can only reach the data and tools a given task genuinely needs. It means a human in the loop for anything irreversible or sensitive, rather than letting the model fire off the action on its own. It means treating everything a model emits as untrusted input to the next step, not as a trusted command. And it means red-teaming the agent against injection before shipping, not after an incident.
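As an added illustration (not code from Cyber Insider or OWASP), here is one way to put three of those practices in front of an agent's tools: a per-task allowlist, schema validation of whatever the model emits, and an approval step for irreversible actions. The tool names, the JSON call format and the `gate` function are assumptions made for this sketch.

```python
"""Gate that sits between a model's proposed tool call and its execution."""
import json
from dataclasses import dataclass

# Hypothetical tool registry: name -> (expected argument types, irreversible?)
TOOLS = {
    "search_docs": ({"query": str}, False),
    "read_ticket": ({"ticket_id": int}, False),
    "send_email": ({"to": str, "body": str}, True),
    "delete_ticket": ({"ticket_id": int}, True),
}

@dataclass(frozen=True)
class Decision:
    action: str  # "allow", "needs_approval" or "deny"
    reason: str

def gate(raw_call, task_tools, approved=False):
    """Decide whether a model-proposed tool call (a JSON string) may run."""
    # Model output is untrusted input: parse and validate it like any other.
    try:
        call = json.loads(raw_call)
        name, args = call["name"], call["args"]
    except (ValueError, KeyError, TypeError):
        return Decision("deny", "malformed tool call")
    if not isinstance(name, str) or not isinstance(args, dict):
        return Decision("deny", "malformed tool call")
    # Least privilege: the task's allowlist decides, not the model.
    if name not in TOOLS or name not in task_tools:
        return Decision("deny", f"tool {name!r} not granted to this task")
    schema, irreversible = TOOLS[name]
    # Exact key set and exact types (so JSON true is not accepted as an int).
    if set(args) != set(schema) or any(
        type(args[key]) is not typ for key, typ in schema.items()
    ):
        return Decision("deny", "arguments do not match schema")
    # Human in the loop: irreversible tools wait for explicit approval.
    if irreversible and not approved:
        return Decision("needs_approval", f"{name} is irreversible")
    return Decision("allow", "ok")

# Constructed sample: a summarization task granted read-only tools, and a call
# the model proposed after reading a page that carried a hidden instruction.
SUMMARIZE_TOOLS = frozenset({"search_docs", "read_ticket"})
INJECTED_CALL = ('{"name": "send_email", "args": '
                 '{"to": "someone@example.com", "body": "conversation so far"}}')

if __name__ == "__main__":
    print(gate(INJECTED_CALL, SUMMARIZE_TOOLS))
```

The `approved` flag is meant to be set only by the code path that records a human's decision, never from anything the model produced.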
The search data is, in its own way, a leading indicator. Rising public interest in prompt injection is not a sign that attacks have only just started; it is a sign that awareness has finally caught up with a risk that has been sitting at the top of the experts’ list all along. For builders, the sensible response to that curve is to assume the people probing their agents are climbing it too.
Search figures are from Cyber Insider’s analysis of monthly United States search-volume data through May 2026 for the terms “prompt injection”, “jailbreak chatgpt” and “data poisoning”, comparing the most recent 12 months with the previous 12. Risk rankings are from the OWASP Top 10 for Large Language Model Applications (2025).

