lateral movement

Gold definitionUpdated Apr 2, 2026

Lateral movement, in the context of Large Language Model (LLM) security, describes the phase where an attacker, having gained initial access and potentially escalated privileges within an LLM-based system, extends their reach to other interconnected systems or user accounts. As defined by recent research, it involves 'cross-system and cross-user propagation' within a broader 'promptware' kill chain model. This mechanism works by leveraging the LLM's capabilities, such as executing code or interacting with APIs, to pivot to new targets, much like traditional malware campaigns expand their footprint. It matters because it transforms isolated LLM vulnerabilities into widespread security breaches, enabling attackers to achieve more significant objectives like data exfiltration or unauthorized transactions across an organization's infrastructure. Cybersecurity researchers, red teams, and security engineers developing and defending LLM-based applications are increasingly focused on understanding and mitigating lateral movement risks.

Understanding Lateral Movement in LLM Attacks

Definition and Role: Lateral movement in LLM-based systems is defined as 'cross-system and cross-user propagation' within a multi-step attack sequence. It is a distinct stage in the proposed 'promptware' kill chain, following persistence and preceding actions on objective. This highlights its role in expanding an attacker's control beyond the initial compromise point.
Analogy to Traditional Malware: Attacks targeting LLM-based applications increasingly involve multi-step sequences that mirror traditional malware campaigns. The concept of lateral movement in LLMs is analogous to how traditional malware propagates across networks after an initial breach, emphasizing systematic attack progression.

Mechanisms of Lateral Movement in LLM Contexts

Leveraging LLM Capabilities: LLM-based systems, especially autonomous agents capable of executing code and financial transactions, provide new avenues for lateral movement. An attacker can manipulate a compromised LLM to interact with external services or internal systems, facilitating propagation. This extends the attack surface beyond simple prompt manipulation.

At a glance

Executive summary

Lateral movement in LLM security describes when an attacker expands their reach from a compromised LLM application to other systems or users. It's a key stage in multi-step 'promptware' attacks, enabling attackers to leverage the LLM's capabilities to spread their influence across an organization's digital infrastructure.

TL;DR

In LLM security, lateral movement is when an attacker uses a compromised AI to spread their attack to other computer systems or user accounts.

Key points

Core mechanism: Propagation of an attack from a compromised LLM to other systems or users.
Problem solved: Enables attackers to expand the impact and reach of an initial LLM compromise.
Who uses it: Attackers exploiting LLM vulnerabilities; cybersecurity researchers and red teams analyzing 'promptware' threats.
Vs main alternative: Not an alternative, but a subsequent stage in a multi-step attack, distinct from initial access or privilege escalation.
Research trend: Applying traditional cybersecurity kill chain models to analyze and defend against LLM-specific attack sequences.

Use cases

An LLM-powered customer service agent, after being compromised, uses its access to an internal API to query and exfiltrate data from a separate customer database.
A malicious prompt causes an LLM-based autonomous agent to generate and execute code that establishes a foothold on a different server within the network.
A jailbroken LLM chatbot, integrated into a team collaboration platform, sends crafted messages to other users, tricking them into revealing sensitive information or clicking malicious links.
An LLM-driven financial transaction system, once compromised, attempts to initiate unauthorized transfers across multiple user accounts by leveraging its internal permissions.

Also known as

cross-system propagation, cross-user propagation