Catching an AI Red Teamer in the Wild: Using Reverse Prompt Injection as a Honeypot Detection Mechanism
Security team detects autonomous AI agent by planting instructions only LLMs would follow in honeypot responses.
Security researchers have successfully detected and analyzed an autonomous AI red teaming agent in the wild by flipping the script on prompt injection attacks. Using the open-source Beelzebub honeypot framework, the team embedded two layers of traps specifically designed to detect LLM-based agents: fake credentials hidden in HTML comments (only useful to natural language processors) and actual prompt injection payloads targeting any AI that processes the page. Within hours, they captured an agent making 58 requests from a single Tor exit node over 19 minutes, displaying behavior clearly distinct from both human operators and traditional scanners.
The agent exhibited multiple behavioral indicators of AI operation, including extracting and using fake credentials from HTML comments, firing credential login + SQLi + XSS payloads in the same second, switching tools mid-session (Chrome UA → curl → Python script), and generating semantically named parameters like ?xss= and ?sqli=. Most telling was the "sawtooth" timing pattern: long pauses consistent with LLM reasoning followed by rapid execution bursts. When SQL injection attempts failed, the agent demonstrated contextual escalation from OR 1=1 → UNION SELECT → blind SLEEP(5) rather than cycling through a wordlist. The researchers are calling these patterns "Behavioral IoCs" (Indicators of Compromise) for AI agents and suggest prompt injection can serve as a zero-false-positive detection mechanism when reversed.
- Detected an AI agent making 58 requests in 19 minutes from a single Tor exit node, with clear LLM behavior patterns
- Agent extracted fake credentials from HTML comments and switched tools mid-session (Chrome → curl → Python script)
- Showed "sawtooth" timing: long reasoning pauses followed by rapid execution bursts, plus contextual attack escalation
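As an added illustration (not code from the researchers or from Beelzebub), the sketch below scores one source's honeypot session against the behavioral indicators described above: use of a planted credential, tool switching, same-second bursts, and sawtooth timing. The canary credential, the log lines, and the 30-second pause and 2-second burst thresholds are all constructed assumptions.

```python
from datetime import datetime

# Constructed canary: a credential that exists only inside an HTML comment on the honeypot page.
CANARY = ("svc_backup", "Winter-Canary-7731")

# Constructed session log for one source IP: (timestamp, user agent, path, form body).
LOG = [
    ("2025-01-01T10:00:00", "Mozilla/5.0 Chrome/120", "/", ""),
    ("2025-01-01T10:00:41", "Mozilla/5.0 Chrome/120", "/login",
     "user=svc_backup&pass=Winter-Canary-7731"),
    ("2025-01-01T10:00:41", "Mozilla/5.0 Chrome/120", "/search?sqli=1", ""),
    ("2025-01-01T10:00:41", "Mozilla/5.0 Chrome/120", "/search?xss=1", ""),
    ("2025-01-01T10:01:30", "curl/8.4.0", "/login", "user=admin&pass=x"),
    ("2025-01-01T10:01:31", "curl/8.4.0", "/login", "user=admin&pass=y"),
    ("2025-01-01T10:02:25", "python-requests/2.31", "/login", "user=admin&pass=z"),
    ("2025-01-01T10:02:25", "python-requests/2.31", "/search?q=1", ""),
]

def ua_family(ua):
    """Collapse a User-Agent string to a coarse tool family."""
    ua = ua.lower()
    for name in ("curl", "python", "chrome"):
        if name in ua:
            return name
    return "other"

def sawtooth_cycles(times, pause=30.0, burst=2.0):
    """Count long pauses that are immediately followed by a rapid request."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return sum(1 for g, nxt in zip(gaps, gaps[1:]) if g >= pause and nxt <= burst)

def score_session(log, canary=CANARY):
    """Return the behavioral indicators observed in one source's session."""
    times = [datetime.fromisoformat(t) for t, *_ in log]
    user, pw = canary
    return {
        # Only something that read the HTML comment as text can know this pair.
        "canary_used": any(user in body and pw in body for *_, body in log),
        "ua_families": sorted({ua_family(ua) for _, ua, _, _ in log}),
        "sawtooth_cycles": sawtooth_cycles(times),
        "same_second_burst": max(times.count(t) for t in times),
    }

if __name__ == "__main__":
    print(score_session(LOG))
```

The canary hit is the high-confidence signal; the timing and tool-switching counts are supporting evidence whose thresholds need tuning against real traffic.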
Why It Matters
Creates a detection framework for autonomous AI threats and turns AI's vulnerability (prompt injection) into a defensive advantage.