The System Prompt Is Not A Secret
Many teams pour effort into a carefully worded system prompt - the standing instructions that define the assistant's behaviour, tone, and guardrails - and then treat it as confidential, sometimes placing genuinely sensitive things inside it: business logic, the rules a user is not meant to discover, occasionally even credentials or internal details. But system prompts are inherently part of an LLM's context, and hence the LLM inherently has the power to exfiltrate it - which is why system prompt exfiltration is rated as the seventh-highest risk family in the OWASP 2025 Top 10 for LLMs.
We test how easily that system prompt can be extracted, and the answer is usually "more easily than you would like". The lesson is not merely to harden against extraction, though we will help with that; it is to stop relying on the secrecy of the system prompt at all. Anything whose confidentiality your security depends on does not belong in the prompt, because the prompt should be assumed readable. System prompt extraction is its own recognised risk for good reason: it hands an attacker the blueprint of how your application thinks, and therefore how to attack the rest of it.