Inferensys

Glossary

Delimiter-Based Defense

A prompt injection mitigation technique that uses special character sequences to clearly separate untrusted user input from trusted system instructions, preventing malicious override of model behavior.
ML engineer running AI model benchmarks, performance charts on multiple screens, late night home office setup.
PROMPT INJECTION DEFENSE

What is Delimiter-Based Defense?

A mitigation technique that uses special character sequences to clearly separate untrusted user input from trusted system instructions, preventing prompt injection.

Delimiter-Based Defense is a security technique that uses special character sequences (e.g., ---, ###, or XML tags) to create explicit boundaries between untrusted user input and trusted system instructions within a language model's prompt. By clearly marking where user data begins and ends, the model is instructed to treat the delimited content strictly as data, not as executable commands, neutralizing injection attempts that try to override the system prompt.

This defense relies on the model's ability to respect instructional hierarchy through formatting. Common delimiters include triple backticks, XML tags like <user_input>, or random nonce strings. While effective against direct injection, it is not foolproof; sophisticated attacks may attempt to include the closing delimiter within the user input to break out of the data context. Therefore, it is often combined with input sanitization and structured output enforcement for a layered defense.

INPUT SEGREGATION MECHANICS

Key Characteristics of Delimiter-Based Defense

A structural mitigation that uses special character sequences to create an unambiguous boundary between trusted system instructions and untrusted user data, preventing the model from interpreting user input as executable commands.

01

Syntactic Boundary Enforcement

Uses special character sequences (e.g., ---, ###, XML tags like <user_input>) to create an unambiguous separation between system and user content. The model is explicitly instructed to treat everything within the delimited block as inert data rather than executable instructions. This prevents the model from interpreting user-supplied text as a continuation of the system prompt.

  • Common delimiters: triple backticks, XML tags, hash sequences
  • Works by exploiting the model's ability to follow formatting conventions
  • Most effective when combined with explicit instructions to ignore delimited content
02

Instructional Hierarchy Preservation

Maintains the privilege separation between system-level directives and user-level data. By physically isolating user input within delimiters, the defense ensures that system instructions retain their highest-priority position in the model's attention mechanism. This prevents lower-privilege user content from overriding core safety directives.

  • System prompt remains outside and above the delimited zone
  • User content is explicitly labeled as lower-trust
  • Prevents privilege escalation through prompt crafting
03

Encoding and Obfuscation Resistance

Delimiter-based defenses can be bypassed if attackers use encoding tricks to hide malicious delimiters within user input. Robust implementations must include canonicalization steps that normalize input before delimiter parsing. This includes handling Unicode homoglyphs, escape sequences, and nested delimiter injection attempts.

  • Must handle Unicode normalization (NFC/NFD forms)
  • Defend against delimiter injection within delimited blocks
  • Combine with input sanitization for layered defense
04

Multi-Modal Delimiter Application

Extends the delimiter concept beyond text to multi-modal inputs such as images, audio, and video. In these contexts, delimiters may take the form of metadata tags, base64 encoding wrappers, or temporal markers that separate trusted media from untrusted uploads. This prevents injection attacks embedded in non-text modalities from contaminating the model's instruction context.

  • Image inputs wrapped in <image> XML tags
  • Audio segments marked with timestamp boundaries
  • Prevents cross-modal prompt leakage
05

Layered Defense Integration

Delimiter-based defense is not a standalone solution but a foundational layer within a broader security architecture. It works synergistically with guard models, input sanitization, and structured output enforcement to create defense-in-depth. If an attacker bypasses delimiters, secondary filters catch the injection before execution.

  • First line: delimiter segregation
  • Second line: perplexity-based injection detection
  • Third line: output content filtering
  • Follows the Prompt Injection Kill Chain model
06

Context Window Integrity

Protects against context window exhaustion attacks by ensuring that even when an attacker floods the input with filler content, the delimited structure preserves the system prompt's position. The model is trained to prioritize instructions outside the delimited zone, maintaining safety guardrails even under high-volume input conditions.

  • System instructions remain at fixed positions
  • Delimited user content can be truncated without losing safety
  • Prevents displacement of core directives
DELIMITER-BASED DEFENSE

Frequently Asked Questions

Explore the mechanics and limitations of using special character sequences to create a hard boundary between trusted system instructions and untrusted user input in LLM applications.

Delimiter-based defense is a prompt engineering security technique that uses special character sequences—such as ---, ###, or XML tags like <user_input>—to create an explicit syntactic boundary between trusted system instructions and untrusted user data. The core mechanism relies on instructing the model to treat everything outside the delimiters as immutable commands and everything inside as inert data to be processed, not executed. This approach attempts to neutralize prompt injection attacks by preventing user-supplied text from crossing the boundary and overriding system-level directives. For example, a prompt might be structured as: System: Translate the text inside <text></text> to French. <text>User input here</text>. The defense assumes the model will respect the explicit separation and refuse to interpret instructions embedded within the delimited block.

DEFENSE COMPARISON

Delimiter-Based Defense vs. Other Injection Mitigations

A technical comparison of delimiter-based defense against other common prompt injection mitigation strategies for LLM applications.

FeatureDelimiter-Based DefenseInput SanitizationGuard Model

Core Mechanism

Uses special character sequences to explicitly separate untrusted input from system instructions

Strips or neutralizes potentially malicious control sequences from user input before processing

Deploys a secondary classifier model to screen inputs and outputs for policy violations

Defense Layer

Prompt architecture level

Pre-processing pipeline

External screening layer

Resilience to Obfuscation

Moderate—attackers may attempt to inject delimiters within input

Low—vulnerable to encoding tricks, homoglyphs, and zero-width characters

High—trained to detect semantic intent regardless of encoding

Computational Overhead

Negligible—adds static tokens to prompt

Low—regex and normalization operations

High—requires separate model inference per request

Latency Impact

< 5 ms

< 10 ms

50-500 ms

Prevents Indirect Injection

Handles Multi-Modal Injection

Requires Model Retraining

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.