Official video picks


Official video & related videos [Pop Goes the Stack: Why Prompt Filters Fail Against LLM Attacks | GenAI]

Prompt injection has been the headline security problem for the last year, but have we been guarding the wrong layer? In this episode of Pop Goes the Stack, F5's Lori MacVittie is joined by cohost Joel Moses and architect Elijah Zupancic to break down why many "prompt filters" miss the real execution surface: models don't process words, they process tokens, and attackers are increasingly targeting the tokenizer to bypass defenses. Using the research behind Adversarial Tokenization and TokenBreak, they explain how the same text can be segmented into different token paths, changing what the model actually "sees" and how it behaves. That creates a split-brain security challenge across text, tokens, and state, where protecting only the natural-language layer leaves multiple routes around your guardrails. TokenBreak, in particular, highlights how attackers can brute-force inputs and classify the responses to infer tokenization behavior, turning the model into its own oracle. So how can you protect models? Hear why layered security is the only viable approach: narrowing accepted input surfaces, adding language detection to reduce the search space, limiting automation and abuse patterns, and moving toward token-aware inspection and policy enforcement at the tokenizer boundary. But there are tradeoffs when guardrails sit outside the model. Tune in to find out whether you're already downstream of the attack, and what you can do about it if you are.
Chapters:
00:00 Welcome to Pop Goes the Stack
00:20 Prompt injection isn't the real battle—tokens are
01:01 Adversarial Tokenization & TokenBreak: Beat the tokenizer
02:22 The prompt/token relationship: One word, multiple token paths
03:31 The attack: Same text, different tokenization → different behavior
04:44 The "three brains" problem: Text, tokens, and state
06:16 Defense-in-depth: Reduce inputs + exclude raw tokens
08:04 Token-aware guardrails: Validate token streams + cryptographic signing
10:33 TokenBreak vs Adversarial Tokenization (different prerequisites)
13:16 Language and behavioral detection: Prompt-stuffing like credential stuffing
15:01 The only defense is a layered defense for security, latency, and cost
17:53 AI security challenge: Supporting streaming
19:16 Key takeaways: Token-aware security + sanitize in, validate out

Read Adversarial Tokenization: https://go.f5.net/x0imwn3k
Read TokenBreak → Bypassing Text Classification Models Through Token Manipulation: https://go.f5.net/4fxw6whr
Learn how you can stay ahead of the curve and keep your stack whole with additional insights on app security, multicloud, AI, and emerging tech: https://go.f5.net/imdjo2b5
More about F5: https://go.f5.net/gcmsxzit
Read our blog: https://go.f5.net/m8xz1zqm
Follow us on LinkedIn: https://go.f5.net/rk56xwel