The number that looks like a liability is the only solid ground

The highest prompt injection figure published by any frontier lab this spring belongs to Anthropic. In browser environments, an adaptive red-team attacker successfully hijacked Anthropic's Opus 4.8 model 31.5% of the time before safeguards engaged. That sounds alarming. In context, it is the most informative single data point in the disclosure landscape — because everyone else either tested less, measured differently, or published nothing comparable.

Prompt injection is an attack in which a malicious instruction is hidden inside content an AI agent reads — a webpage, a document, a tool result. One planted line can exfiltrate data or trigger unauthorized actions. For enterprise buyers deploying agents, vendor system cards are often the only first-party evidence available. This spring's disclosures reveal how inconsistently that evidence is produced.

What Anthropic actually published

The Opus 4.8 system card, released May 28, runs 244 pages and covers four agentic surfaces: tool use, coding, computer use, and browser. The browser evaluation tested 129 web environments held out from training, with attackers using Gray Swan's Shade tool — an adaptive attacker that rewrites its approach based on model responses — at 1, 10, and 100 attempts per environment.

The spread across surfaces is significant. In coding environments with thinking enabled, the per-attempt attack success rate was 7.03% without safeguards, falling to 2.09% with them. In browser environments, the raw rate was 31.5%, dropping to 0.5% with safeguards. Turn thinking off entirely, and the rate across all 129 browser environments fell to zero. Anthropic also ran a one-week live bug bounty with external red-teamers — and when coding results came back worse than the previous model generation, the card said so explicitly.

What the other labs published

**OpenAI** reported prompt injection in the GPT-5.5 system card as a robustness score — higher is better, the inverse of an attack success rate — of 0.963 on connectors, down from 0.998 for GPT-5.4-thinking. That is the entire disclosure: one surface, known attacks, one number. No adaptive attacker, no multi-surface breakdown, no live bounty.

**Google** addressed prompt injection in Gemini 3 launch materials by describing stronger resistance, without attaching a rate. Its Frontier Safety Framework runs red-teaming across capability domains, but prompt injection is not among them. No per-surface figure exists for a buyer to use.

**Meta** ships open weights with no closed-model card. Its published injection figures — attack success falling from 17.6% to 1.75% with combined defenses — come from the AgentDojo public benchmark and grade the LlamaFirewall guardrail stack, not the underlying model on a deployment surface security teams would recognize.

Why these numbers cannot be compared

The four disclosures differ on every methodological dimension that matters: which surfaces were tested, whether the attacker was adaptive or used known payloads, whether multi-attempt escalation was measured, and whether the figures cover the model or the guardrail layer. Placing Anthropic's 31.5% next to OpenAI's 0.963 on a spreadsheet produces a false comparison. They were never on the same scale.

CrowdStrike's 2026 Financial Services Threat Landscape Report, released in May, noted that adversaries are using AI to compress the time from initial access to impact — faster than legacy defenses can respond. Attackers are not submitting known payloads.

What security teams should do now

No standard exists yet. Until one does, buyers need to build their own comparisons:

- **Tag every deployed or scoped agent by surface** — browser, code, connectors, desktop. A blended vendor number covers none of them. - **Demand per-surface rates, raw and safeguarded**, with attacker methodology named. Treat any surface the vendor did not test as untested. - **Confirm which number applies to your integration.** Anthropic's 0.5% figure applies to Claude in Chrome and Cowork with the full safeguard stack. API deployments may not include those safeguards by default. - **Require adaptive attacker methodology and external red-teaming** in any RFP. Known-payload tests do not reflect real adversary behavior. - **Run your own injection test before any agent ships.** Vendor numbers come from vendor environments. Your stack has its own prompts, permissions, and data access.