How do you write a prompt-injection incident-response runbook?
A prompt-injection incident-response runbook (as of 2026) follows the standard NIST IR lifecycle (Prepare / Detect / Contain / Eradicate / Recover / Lessons-Learned), adapted to OWASP LLM01 (prompt injection).
Prepare. Inventory every LLM surface (chat, agent, RAG, MCP), every tool the model can call, every data store the model reads. Document expected injection-rate baseline per surface. Pre-establish kill-switches (per-tool, per-surface, per-API-key). Pre-write user-facing communication templates. Confirm InjectShield (or equivalent) verdicts stream to SIEM with alerting on rate spikes and high-confidence categories.
Detect. Triggers: classifier verdict-rate spike, anomalous tool-call patterns, customer-reported weird behavior, security-researcher disclosure. SLA: high-confidence injection alert → triaged within 15 min, contained within 1 hour.
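The Prepare and Detect steps above rest on two SIEM triggers: a verdict-rate spike against the per-surface baseline, and high-confidence verdicts in sensitive categories, each carrying the stated triage and containment SLA. The Python below is an added example (not code from the original page or from InjectShield) showing one way to evaluate both triggers over constructed classifier verdict records; the record fields, surface names, baseline rates, spike factor and category labels are assumptions chosen for illustration.

```python
# Added example, not code from the original page or from InjectShield.
# Evaluates the two SIEM triggers named in the runbook over constructed
# classifier verdict records: a rate spike against the per-surface baseline
# recorded during Prepare, and high-confidence verdicts in sensitive
# categories. Record fields, baselines, thresholds and category labels are
# assumptions chosen for illustration.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed baseline: expected fraction of requests flagged per surface.
BASELINE_RATE = {"chat": 0.005, "agent": 0.010, "rag": 0.002, "mcp": 0.008}
SPIKE_FACTOR = 5.0        # alert when observed rate exceeds 5x baseline
MIN_REQUESTS = 20         # ignore windows too small to be meaningful
HIGH_CONFIDENCE = 0.95
SENSITIVE_CATEGORIES = {"tool_abuse", "data_exfil", "system_prompt_override"}

# SLA from the runbook: triage within 15 minutes, contain within 1 hour.
TRIAGE_SLA = timedelta(minutes=15)
CONTAIN_SLA = timedelta(hours=1)

T0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)


def _rec(i, surface, verdict, confidence=0.0, category="none"):
    """Build one constructed verdict record, 20 seconds apart."""
    return {"ts": T0 + timedelta(seconds=20 * i), "surface": surface,
            "verdict": verdict, "confidence": confidence, "category": category}


# Constructed sample: a quiet chat surface and an agent surface under attack.
VERDICTS = (
    [_rec(i, "chat", "benign") for i in range(40)]
    + [_rec(i, "agent", "benign") for i in range(32)]
    + [_rec(i, "agent", "injection", 0.97, "tool_abuse") for i in range(32, 38)]
    + [_rec(i, "agent", "injection", 0.62, "generic") for i in range(38, 40)]
)


def in_window(records, start, length):
    return [r for r in records if start <= r["ts"] < start + length]


def rate_spikes(records):
    """Per-surface flagged/total against baseline; one alert per spiking surface."""
    counts = defaultdict(lambda: [0, 0])          # surface -> [flagged, total]
    for r in records:
        counts[r["surface"]][1] += 1
        if r["verdict"] == "injection":
            counts[r["surface"]][0] += 1
    alerts = []
    for surface, (flagged, total) in counts.items():
        if total < MIN_REQUESTS:
            continue
        observed = flagged / total
        baseline = BASELINE_RATE.get(surface, 0.0)
        if observed > SPIKE_FACTOR * baseline:
            alerts.append({"surface": surface, "observed_rate": observed,
                           "baseline_rate": baseline, "flagged": flagged,
                           "total": total})
    return alerts


def high_confidence_hits(records):
    """Injection verdicts that individually warrant triage regardless of rate."""
    return [r for r in records
            if r["verdict"] == "injection"
            and r["confidence"] >= HIGH_CONFIDENCE
            and r["category"] in SENSITIVE_CATEGORIES]


def sla_deadlines(alert_ts):
    return {"triage_by": alert_ts + TRIAGE_SLA, "contain_by": alert_ts + CONTAIN_SLA}


def detect(records, window_start, window_len=timedelta(minutes=15)):
    """Evaluate both triggers for one window and stamp each alert with its SLA."""
    recs = in_window(records, window_start, window_len)
    alerts = []
    # A rate spike can only be judged once the window closes.
    for spike in rate_spikes(recs):
        alerts.append({"type": "rate_spike", **spike,
                       **sla_deadlines(window_start + window_len)})
    hits = high_confidence_hits(recs)
    if hits:
        # The clock starts at the first high-confidence verdict, not at window end.
        first = min(r["ts"] for r in hits)
        alerts.append({"type": "high_confidence", "count": len(hits),
                       "surfaces": sorted({r["surface"] for r in hits}),
                       **sla_deadlines(first)})
    return alerts


if __name__ == "__main__":
    for a in detect(VERDICTS, T0):
        print(a["type"], a.get("surface") or a["surfaces"],
              "triage by", a["triage_by"].isoformat())
```

Two design points worth keeping when adapting this to a real SIEM: the spike check needs a minimum sample size or a single flagged request on a low-traffic surface will page someone, and the SLA clock for a high-confidence hit should start at the verdict timestamp rather than at the end of the aggregation window, otherwise the window length silently eats into the 15-minute triage budget.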
Contain. Pull the kill-switch on the affected surface (disable the tool, route traffic to a fallback model, raise classifier threshold to maximum, or pause the agent entirely). Preserve forensic logs — full request payloads, classifier verdicts, tool-call chains, model outputs, document-provenance trail. Notify legal/comms if PII/secrets may have leaked (LLM06).
Eradicate. Identify root cause: novel attack pattern (update heuristics + retrain semantic classifier), poisoned stored content (purge from RAG/memory, batch re-scan corpus), misconfigured tool (tighten allowlist), missing context separation (update system prompt). For stored injection, audit every document touched since the suspected poisoning date.
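The Contain and Eradicate steps above each have a mechanical core: a kill-switch that can be scoped per tool, per surface or per API key and that must preserve the forensic record when it fires, and an audit that enumerates every stored document touched since the suspected poisoning date so it can be re-scanned. The Python below is an added example (not code from the original page or from InjectShield) of both; the class and function names, request fields, corpus metadata and sample values are all assumptions constructed for illustration.

```python
# Added example, not code from the original page or from InjectShield.
# Two response helpers for the Contain and Eradicate steps: a kill-switch
# gate that checks the per-tool, per-surface and per-API-key switches
# pre-established in Prepare before a tool call runs, preserving the full
# forensic record when it blocks; and a stored-injection audit that lists
# every RAG document touched since the suspected poisoning date. All names,
# record fields and sample data are assumptions for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class KillSwitches:
    """Scopes that can be tripped independently; the broadest scope is checked first."""
    surfaces: set = field(default_factory=set)
    tools: set = field(default_factory=set)
    api_keys: set = field(default_factory=set)

    def tripped(self, surface, tool, api_key):
        """Return why a call is blocked, or None if it may proceed."""
        if surface in self.surfaces:
            return f"surface:{surface}"
        if tool in self.tools:
            return f"tool:{tool}"
        if api_key in self.api_keys:
            return f"api_key:{api_key}"
        return None


# Append-only evidence store; in production this would go to the SIEM or
# write-once storage rather than a process-local list.
FORENSIC_LOG = []


def gate_tool_call(switches, request, now):
    """Run before dispatching a tool. Blocks on a tripped switch and keeps the
    evidence the Contain step calls for: payload, verdict, tool chain, model
    output and document provenance."""
    reason = switches.tripped(request["surface"], request["tool"], request["api_key"])
    if reason is None:
        return {"allowed": True}
    FORENSIC_LOG.append({
        "ts": now.isoformat(),
        "blocked_by": reason,
        "request_payload": request["payload"],
        "classifier_verdict": request["verdict"],
        "tool_call_chain": list(request["tool_chain"]),
        "model_output": request.get("output"),
        "document_provenance": list(request.get("provenance", [])),
    })
    return {"allowed": False, "reason": reason}


def documents_to_rescan(corpus, suspected_since):
    """Stored-injection audit: every document ingested or modified on or after
    the suspected poisoning date must be re-scanned (and purged if poisoned)."""
    return sorted(d["id"] for d in corpus
                  if d["ingested"] >= suspected_since or d["modified"] >= suspected_since)


def _ts(month, day):
    return datetime(2026, month, day, tzinfo=timezone.utc)


NOW = _ts(3, 2)
SUSPECTED_SINCE = _ts(2, 20)

# Constructed agent request as it would arrive at the gate after classification.
SAMPLE_REQUEST = {
    "surface": "agent",
    "tool": "send_email",
    "api_key": "key-hypothetical-7",
    "payload": "Summarise the attached ticket and email it to the customer.",
    "verdict": {"label": "injection", "confidence": 0.97, "category": "tool_abuse"},
    "tool_chain": ["search_docs", "send_email"],
    "output": None,
    "provenance": ["rag://tickets/doc-003"],
}

# Constructed RAG corpus metadata: one entry per stored document.
CORPUS = [
    {"id": "doc-001", "ingested": _ts(1, 5), "modified": _ts(1, 5)},
    {"id": "doc-002", "ingested": _ts(1, 10), "modified": _ts(2, 25)},
    {"id": "doc-003", "ingested": _ts(2, 21), "modified": _ts(2, 21)},
    {"id": "doc-004", "ingested": _ts(2, 1), "modified": _ts(2, 19)},
    {"id": "doc-005", "ingested": _ts(3, 1), "modified": _ts(3, 1)},
]


if __name__ == "__main__":
    print(gate_tool_call(KillSwitches(tools={"send_email"}), SAMPLE_REQUEST, NOW))
    print(documents_to_rescan(CORPUS, SUSPECTED_SINCE))
```

The gate records evidence before it refuses, so the forensic trail survives even when the blocked request is the last one the surface ever sees. The audit deliberately keys on both ingestion and modification time: a document that was clean when first ingested but edited after the suspected date is exactly the case a poisoning-date filter on ingestion alone would miss.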
Recover. Re-enable surface with elevated monitoring for 30 days. Re-baseline metrics. Customer notification if required by SOC 2 / GDPR / state breach laws.
Lessons-Learned. Post-mortem within 5 business days. Add the attack pattern to red-team test corpus. Update detection rules. Share lessons internally and (where appropriate) with the security community.
InjectShield ships a runbook template at injectshield.dev/docs/incident-response.