Back to Intelligence

Falcon AIDR: Detecting Prompt Injection Threats in Kubernetes AI Applications

SA
Security Arsenal Team
May 14, 2026
7 min read

Introduction

The integration of Large Language Models (LLMs) into Kubernetes environments has accelerated, but security controls have lagged. Defenders are now facing a critical gap: traditional workload protection does not understand the "prompt layer"—the interface where users interact with AI models. CrowdStrike's recent release of Falcon AIDR (AI Detection and Response) highlights an urgent reality: adversaries are actively targeting AI applications in K8s via prompt injection, jailbreaking, and data exfiltration. Security teams must immediately extend their visibility to the application and prompt layer to prevent model poisoning and sensitive data leakage.

Technical Analysis

Affected Platforms:

  • Kubernetes Clusters: Any cluster running AI/ML workloads, specifically those utilizing inference servers, LLM gateways, or orchestration frameworks like KubeRay.

Threat Vectors: The announcement addresses the rise of adversarial attacks on the LLM supply chain within K8s. The primary risks include:

  1. Prompt Injection (LLM01): Attackers manipulate input to bypass guardrails, forcing the model to execute unauthorized actions or reveal system prompts.
  2. Model Denial of Service (LLM04): Resource exhaustion attacks targeting the GPU/CPU compute layers of the K8s cluster via malicious prompt complexity.
  3. Model Theft: Exfiltration of proprietary model weights or training data via vulnerabilities in the exposed API endpoints.

Attack Mechanics: In a Kubernetes environment, an AI application typically exposes a REST or gRPC API (Prompt Layer) frontended by a Service and Ingress. Adversaries probe these endpoints.

  • The Attack Chain: An attacker sends a malformed prompt → The inference server (running in a Pod) processes the input → The prompt includes instructions to output internal data (e.g., "Repeat the text above") or execute a command (if tool-use is enabled).
  • Lateral Movement: Successful prompt injection can lead to Server-Side Request Forgery (SSRF) within the pod, allowing the attacker to reach the Kubelet API or cloud metadata services (IMDS), moving from the AI app to the cluster control plane.

Exploitation Status: While specific CVEs for the "prompt layer" are often logical vulnerabilities rather than software bugs, proof-of-concept exploits for LLM jailbreaking are widely available on platforms like GitHub. Active exploitation of AI-enabled endpoints in enterprise environments is being tracked by threat intelligence groups as a high-growth attack surface.

Detection & Response

The following detection logic focuses on identifying the exploitation of AI workloads within Kubernetes. Since prompt injection is often "logic" based, we detect the side effects and access patterns associated with successful attacks on the K8s control plane and AI data extraction.

SIGMA Rules

YAML
---
title: Potential Kubernetes AI Model Exfiltration via kubectl cp
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects potential exfiltration of model artifacts from AI pods using kubectl cp. Adversaries may attempt to steal weights or data.
references:
  - https://attack.mitre.org/techniques/T1040/
author: Security Arsenal
date: 2025/05/01
tags:
  - attack.exfiltration
  - attack.t1040
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith: '/kubectl'
    CommandLine|contains: 'cp'
    CommandLine|contains:
      - '/var/lib/kubelet/pods'
      - 'model-'
      - '/tmp/ray'
  condition: selection
falsepositives:
  - Legitimate backup operations by data scientists
level: high
---
title: Suspicious Interactive Shell Access to AI Workloads
id: b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects interactive shell access (kubectl exec) to pods typically associated with AI/ML workloads (e.g., Ray, Jupyter, Triton).
references:
  - https://attack.mitre.org/techniques/T1211/
author: Security Arsenal
date: 2025/05/01
tags:
  - attack.execution
  - attack.t1211
logsource:
  product: kubernetes
  service: audit
detection:
  selection:
    verb: 'create'
    objectRef:
      resource: 'pods'
    subresource: 'exec'
    requestObject:
      command:
        - '/bin/sh'
        - '/bin/bash'
  filter_allowed_ns:
    namespace|endswith:
      - '-monitoring'
      - '-logging'
  filter_ai_labels:
    objectRef:
      name|contains:
        - 'jupyter'
        - 'ray'
        - 'triton'
        - 'llm'
  condition: selection and not filter_allowed_ns and filter_ai_labels
falsepositives:
  - Administrators debugging production models
level: medium
---
title: Linux Process Accessing GPU Device Files from Non-Standard Parent
id: c3d4e5f6-a7b8-6c7d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects processes attempting to access GPU device files (/dev/nvidia*) outside of known AI runtimes. May indicate malicious crypto-mining or model hijacking.
references:
  - https://attack.mitre.org/techniques/T1496/
author: Security Arsenal
date: 2025/05/01
tags:
  - attack.resource-hijacking
  - attack.t1496
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    CommandLine|contains: '/dev/nvidia'
  filter_legit:
    ParentImage|endswith:
      - '/python'
      - '/python3'
      - '/containerd'
      - 'nvidia-smi'
  condition: selection and not filter_legit
falsepositives:
  - Custom CUDA drivers or debugging tools
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious HTTP patterns indicative of Prompt Injection targeting known AI endpoints
// Note: Requires ContainerLog or Syslog ingestion from Ingress Controllers (e.g., Nginx, Istio)
let AIEndpoints = dynamic(["/v1/completions", "/v1/chat", "/predict", "/inference"]);
let InjectionKeywords = dynamic(["ignore instructions", "system prompt", "override previous", "jailbreak", "print database"]);
Syslog
| where ProcessName contains "nginx" or ProcessName contains "envoy"
| where SyslogMessage has_any (AIEndpoints)
| extend RequestBody = extract(@'POST.*\n\n(.*)', 1, SyslogMessage)
| where RequestBody has_any (InjectionKeywords)
| project TimeGenerated, Computer, ProcessName, RequestBody, SourceIP
| order by TimeGenerated desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for processes accessing model directories or GPU devices in K8s nodes
SELECT Pid, Name, CommandLine, Exe, Username, Cwd
FROM pslist()
WHERE (Name IN ('curl', 'wget', 'python', 'python3') AND CommandLine =~ '/models/')
   OR Exe =~ '/dev/nvidia'
   OR (CommandLine =~ 'kubectl' AND CommandLine =~ 'cp')

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# Remediation: Harden Kubernetes AI Workloads
# This script checks for common misconfigurations in AI/ML namespaces and applies restrictive NetworkPolicies

set -e

echo "[*] Checking for pods with GPU access in default namespaces..."
kubectl get pods --all-namespaces -o  | jq -r '.items[] | select(.spec.containers[].resources.limits."nvidia.com/gpu") | "\(.metadata.namespace) \(.metadata.name)"' | while read namespace pod; do
  if [[ "$namespace" == "default" ]]; then
    echo "[!] ALERT: GPU Pod found in default namespace: $pod"
  fi
done

echo "[*] Auditing KubeRay or Jupyter services for LoadBalancer type (Public Exposure)..."
kubectl get svc --all-namespaces -o  | jq -r '.items[] | select(.metadata.name | test("jupyter|ray-head"; "i")) | select(.spec.type == "LoadBalancer") | "\(.metadata.namespace) \(.metadata.name)"' | while read namespace svc; do
  echo "[!] WARNING: Exposed AI Service found: $svc in $namespace"
done

echo "[*] Applying default-deny NetworkPolicy to AI-labeled namespaces..."
# This is a safety measure; AI pods should only talk to specific upstreams
cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: kube-ai  # Replace with your AI namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF

echo "[+] Hardening complete. Please review specific alerts above."

Remediation

To effectively defend against threats at the prompt layer in Kubernetes, organizations must take a defense-in-depth approach:

  1. Network Segmentation: Implement strict Kubernetes NetworkPolicies. AI inference pods should not have unrestricted internet access or access to the Kubelet API.隔离 AI 推理 Pod,限制其对互联网和 Kubelet API 的非授权访问。

  2. RBAC & Kubeconfig Hygiene: Ensure that the service accounts used by AI applications have the absolute minimum permissions (Least Privilege). Avoid using cluster-admin roles for inference servers.

  3. Input Validation & Guardrails: Deploy a dedicated AI Gateway (e.g., NVIDIA NeMo Guardrails, open-source proxy) in front of your K8s inference service. This gateway handles input sanitization to catch prompt injections before they reach the model.

  4. Vendor Advisory & Tooling: Leverage CrowdStrike Falcon AIDR for runtime protection. It provides telemetry specifically for the prompt layer, detecting anomaly patterns in user inputs that traditional WAFs might miss. For non-Falcon environments, enable audit logging on the K8s API server and monitor exec and portforward requests aggressively.

  5. Patch Management: Regularly update the underlying AI frameworks (e.g., Hugging Face Transformers, PyTorch) and the K8s version to mitigate known container escape vulnerabilities.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectioncrowdstrikekubernetesai-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action