Context-Window Saturation

Context-Window Saturation is an attack pattern where adversarial content with high relevance and high volume displaces legitimate instructions or system prompts from the agent's finite context window. The LLM's context has a fixed token budget; flooding it with attacker-controlled high-relevance content reduces the effective weight of the system prompt, the instruction hierarchy becomes harder for the model to maintain, and susceptibility to subsequent injection attempts increases. It is structurally a denial-of-attention attack on the agent's reasoning, distinct from but often combined with RAG poisoning and memory poisoning.

The attack works because the LLM treats all input within the context as available data, with weights influenced by recency, position, and relevance. Adversarial content that is voluminous, recent, and high-relevance to the current task crowds out older context — including the system prompt that was supposed to constrain behaviour. The model's effective behaviour shifts from "follow the system prompt" toward "follow whatever the bulk of the recent context says," which is exactly the attacker's tool.

Why This Matters in Agentic Systems

Modern agents process much larger and more diverse context than chatbots. Each tool invocation can return thousands of tokens. Each retrieval-augmented step pulls in additional documents. Each multi-turn task accumulates history. The total context for a sophisticated agent task can approach or exceed the model's context window, forcing the runtime to truncate or summarise — and the truncation choices favour recent content over older content. An attacker who can flood any input channel (a search tool returning crafted results, a document the agent reads, a tool output) can bias which content survives the truncation.

Defensive Patterns

The structurally sound defences are runtime-side. Strict templating that forces the system prompt into a privileged slot the runtime preserves regardless of context pressure. Length limits per input source so a single document or tool output cannot dominate the context. Instruction-hierarchy enforcement that re-injects key system-prompt directives at every reasoning step rather than relying on context retention. Adversarial-content scanning at every input boundary to detect and filter suspicious-volume content before it reaches the context.

For deeper guidance on context management in MCP-based deployments, see the OWASP ASI06 explainer and the MCP Security Audit service description.