Indirect prompt injection hides attacker instructions in web pages to hijack autonomous AI agents. Zscaler's new benchmark explains why any single test is stale by the time it reaches the press cycle.
The most counterintuitive result in Zscaler's new indirect prompt injection benchmark, with pricier Gemini-2.5-pro failing while cheaper Gemini-3.1-flash-lite passed, is not the story. The story is that any reader who turns that result into a buying signal has already lost the plot, because the test itself is a snapshot of behavior that does not stay put.
Indirect prompt injection, or IPI, is the technique Zscaler's ThreatLabz researchers set out to measure. Attackers plant hidden instructions inside ordinary web content such as pages, comments, product listings, or captchas, and any autonomous AI agent that browses, summarizes, or acts on that content reads the planted instructions as if they came from its own operator. The agent then executes actions a human reader would refuse: transferring cryptocurrency, surrendering credentials, or routing a transaction to the attacker's address.
Zscaler's primary write-up reports testing 26 LLMs in a controlled validation and classifying four as "vulnerable": Llama3-3-70b-instruct, Llama3-2-90b-instruct, Gemini-3-flash, and Gemini-2.5-pro. Three models passed: Llama4-maverick, Gemini-3.1-pro, and Gemini-3.1-flash-lite. Gemini-3.1-flash-lite is the cheapest model in that safe cohort, and the contrast with the failed Gemini-2.5-pro is exactly the line that will travel through the wire.
The vendor framing is the first thing to flag. Zscaler ThreatLabz publishes research that doubles as marketing for a security product category it sells into. Treating its findings as evidence rather than endorsement means reading the original post alongside the enterprise press synthesis and asking which claims originate with the researcher and which belong to the company's go-to-market framing. The "vulnerable / safe" binary in particular reads more as a press artifact than a research artifact.
The second thing to flag is the caveat that should travel with every press cycle of this story, and that is the one InfoWorld quotes from independent consultant Noah Kenney of Digital 520. Model behavior is non-stationary: agents ingest new data continuously, retune their reasoning, and produce different outputs over time. The same agent that fails an IPI test at 10:00 can pass the identical test at 11:00. Kenney puts it plainly: "The risk of an agent is constantly changing and that can cause vastly different results. You can't assume the results are generalizable. The test result is only at one point in time." He also calls the binary safe and vulnerable classification too simplistic to inform a CISO, which is the right audience for a benchmark like this.
That instability has a practical consequence for any team that wires an agent to a payment rail. Crypto Briefing's read of the same ThreatLabz write-up highlights agents authorized to move cryptocurrency as the live target. A human can usually notice a scam page, but an agent with a private key and a payment permission will execute the hidden instruction and broadcast the transfer. Independent technical commentary from Hendry Adrian reaches the same conclusion through a different door: the attack surface is the web itself, and any model the agent uses to read it inherits whatever an attacker wants to put in front of it.
The reader takeaway is not which model to buy. It is a checklist for the next agent-security benchmark that lands in the news cycle. Ask three questions. First, who paid for the test, and what product do they sell into the result. Second, is the result a snapshot or a continuous measurement, and if a snapshot, when was it taken and against which build. Third, does the agent under review have a permission that turns a prompt failure into a fund movement. If the answer to the third question is yes, the only acceptable benchmark is one tied to that specific deployment, not to the model card.
The next IPI benchmark to reach the news cycle will offer the same binary and the same caveats. Read it against the model build your agent is actually running, and against the permission your agent is actually carrying.