What is stored prompt injection and how is it different from a normal injection?

Stored prompt injection is the LLM analogue of stored XSS: the payload is written once to a persistent store and fires every time a model reads it. Unlike direct injection (one-shot, attacker-and-victim are the same session) or in-flight indirect injection (a payload in an email or webpage processed at request time), stored injections sit in databases, RAG corpora, conversation memory, user profiles, or vector stores and re-trigger across sessions and users.

Examples: an attacker creates a public knowledge-base article with embedded "ignore prior instructions" payloads — any user who later asks a question that retrieves that article gets compromised. An attacker poisons their own user profile or conversation memory so future agent runs on their account misbehave. An attacker contributes to a shared corpus (Wiki, Confluence, Notion) used as RAG context.

Detection differs from in-flight injection in two ways. Frequency — stored payloads need to be caught at write time (ingest scanning) or they will re-fire indefinitely. Provenance — you need audit logs that tie each model response to the documents that fed it, so you can find and purge the poisoned record. InjectShield exposes a dedicated stored-injection detector and a batch-scan endpoint for retroactively auditing existing corpora.