Delimiter-Based Defense is a security technique that uses special character sequences (e.g., ---, ###, or XML tags) to create explicit boundaries between untrusted user input and trusted system instructions within a language model's prompt. By clearly marking where user data begins and ends, the model is instructed to treat the delimited content strictly as data, not as executable commands, neutralizing injection attempts that try to override the system prompt.
Glossary
Delimiter-Based Defense

What is Delimiter-Based Defense?
A mitigation technique that uses special character sequences to clearly separate untrusted user input from trusted system instructions, preventing prompt injection.
This defense relies on the model's ability to respect instructional hierarchy through formatting. Common delimiters include triple backticks, XML tags like <user_input>, or random nonce strings. While effective against direct injection, it is not foolproof; sophisticated attacks may attempt to include the closing delimiter within the user input to break out of the data context. Therefore, it is often combined with input sanitization and structured output enforcement for a layered defense.
Key Characteristics of Delimiter-Based Defense
A structural mitigation that uses special character sequences to create an unambiguous boundary between trusted system instructions and untrusted user data, preventing the model from interpreting user input as executable commands.
Syntactic Boundary Enforcement
Uses special character sequences (e.g., ---, ###, XML tags like <user_input>) to create an unambiguous separation between system and user content. The model is explicitly instructed to treat everything within the delimited block as inert data rather than executable instructions. This prevents the model from interpreting user-supplied text as a continuation of the system prompt.
- Common delimiters: triple backticks, XML tags, hash sequences
- Works by exploiting the model's ability to follow formatting conventions
- Most effective when combined with explicit instructions to ignore delimited content
Instructional Hierarchy Preservation
Maintains the privilege separation between system-level directives and user-level data. By physically isolating user input within delimiters, the defense ensures that system instructions retain their highest-priority position in the model's attention mechanism. This prevents lower-privilege user content from overriding core safety directives.
- System prompt remains outside and above the delimited zone
- User content is explicitly labeled as lower-trust
- Prevents privilege escalation through prompt crafting
Encoding and Obfuscation Resistance
Delimiter-based defenses can be bypassed if attackers use encoding tricks to hide malicious delimiters within user input. Robust implementations must include canonicalization steps that normalize input before delimiter parsing. This includes handling Unicode homoglyphs, escape sequences, and nested delimiter injection attempts.
- Must handle Unicode normalization (NFC/NFD forms)
- Defend against delimiter injection within delimited blocks
- Combine with input sanitization for layered defense
Multi-Modal Delimiter Application
Extends the delimiter concept beyond text to multi-modal inputs such as images, audio, and video. In these contexts, delimiters may take the form of metadata tags, base64 encoding wrappers, or temporal markers that separate trusted media from untrusted uploads. This prevents injection attacks embedded in non-text modalities from contaminating the model's instruction context.
- Image inputs wrapped in
<image>XML tags - Audio segments marked with timestamp boundaries
- Prevents cross-modal prompt leakage
Layered Defense Integration
Delimiter-based defense is not a standalone solution but a foundational layer within a broader security architecture. It works synergistically with guard models, input sanitization, and structured output enforcement to create defense-in-depth. If an attacker bypasses delimiters, secondary filters catch the injection before execution.
- First line: delimiter segregation
- Second line: perplexity-based injection detection
- Third line: output content filtering
- Follows the Prompt Injection Kill Chain model
Context Window Integrity
Protects against context window exhaustion attacks by ensuring that even when an attacker floods the input with filler content, the delimited structure preserves the system prompt's position. The model is trained to prioritize instructions outside the delimited zone, maintaining safety guardrails even under high-volume input conditions.
- System instructions remain at fixed positions
- Delimited user content can be truncated without losing safety
- Prevents displacement of core directives
Frequently Asked Questions
Explore the mechanics and limitations of using special character sequences to create a hard boundary between trusted system instructions and untrusted user input in LLM applications.
Delimiter-based defense is a prompt engineering security technique that uses special character sequences—such as ---, ###, or XML tags like <user_input>—to create an explicit syntactic boundary between trusted system instructions and untrusted user data. The core mechanism relies on instructing the model to treat everything outside the delimiters as immutable commands and everything inside as inert data to be processed, not executed. This approach attempts to neutralize prompt injection attacks by preventing user-supplied text from crossing the boundary and overriding system-level directives. For example, a prompt might be structured as: System: Translate the text inside <text></text> to French. <text>User input here</text>. The defense assumes the model will respect the explicit separation and refuse to interpret instructions embedded within the delimited block.
Delimiter-Based Defense vs. Other Injection Mitigations
A technical comparison of delimiter-based defense against other common prompt injection mitigation strategies for LLM applications.
| Feature | Delimiter-Based Defense | Input Sanitization | Guard Model |
|---|---|---|---|
Core Mechanism | Uses special character sequences to explicitly separate untrusted input from system instructions | Strips or neutralizes potentially malicious control sequences from user input before processing | Deploys a secondary classifier model to screen inputs and outputs for policy violations |
Defense Layer | Prompt architecture level | Pre-processing pipeline | External screening layer |
Resilience to Obfuscation | Moderate—attackers may attempt to inject delimiters within input | Low—vulnerable to encoding tricks, homoglyphs, and zero-width characters | High—trained to detect semantic intent regardless of encoding |
Computational Overhead | Negligible—adds static tokens to prompt | Low—regex and normalization operations | High—requires separate model inference per request |
Latency Impact | < 5 ms | < 10 ms | 50-500 ms |
Prevents Indirect Injection | |||
Handles Multi-Modal Injection | |||
Requires Model Retraining |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Delimiter-based defense is a foundational mitigation, but a robust security posture requires a layered approach. Explore these related techniques that complement and reinforce input separation strategies.
System Prompt Hardening
The practice of designing robust system-level instructions that are resistant to override attempts. Delimiters are one tool within a broader hardening strategy.
- Uses explicit, unambiguous language about instruction priority
- Includes defensive repetition of core constraints
- Implements instructional hierarchy to prioritize system over user directives
- Warns the model about common injection patterns
Canonicalization
Converting input data into a single, standard, unambiguous representation before parsing. This prevents attackers from bypassing delimiter-based filters using encoding tricks.
- Decodes URL-encoded characters before analysis
- Normalizes Unicode (NFC/NFD forms)
- Resolves homoglyphs to a canonical character set
- Prevents double-encoding bypass attacks
Context Boundary Enforcement
A defensive technique that strictly segregates different information sources within a prompt to prevent cross-contamination and privilege escalation.
- Uses delimiters as explicit trust boundaries
- Assigns different privilege levels to each context block
- Prevents user content from being interpreted as instructions
- Implements XML-style tagging for structured separation
Structured Output Enforcement
Constraining a model to generate responses in a specific, machine-readable format like JSON. This prevents the execution of injected free-form instructions by limiting the model's output surface.
- Forces all outputs through a schema validator
- Rejects responses that deviate from expected structure
- Prevents the model from executing injected commands disguised as output
- Works synergistically with input delimiters for full-cycle protection
Guard Model
A secondary, often smaller, model that screens inputs and outputs of a primary model to detect and block policy violations or injection attacks.
- Acts as an independent security layer beyond delimiters
- Classifies prompts as safe or malicious before processing
- Operates with minimal latency overhead
- Can be fine-tuned on known injection patterns and adversarial examples

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us