Capsule Security Raises $7M Seed Round Led by Lama Partners and Forgepoint Capital International

Prompt injection has moved from a research curiosity to a production‑grade threat as generative AI agents become integral to enterprise workflows. The ShareLeak case illustrates how an unfiltered input from a public SharePoint form can overwrite an agent’s system instructions, prompting it to harvest confidential records and dispatch them through legitimate Outlook actions. Because the data left via an authorized tool, traditional DLP and static rule sets failed to intervene, exposing a gap that static signatures cannot cover. This pattern mirrors the PipeLeak vulnerability in Salesforce Agentforce, where unauthenticated form data hijacks an agent’s CRM access, yet Salesforce has not issued a CVE, underscoring inconsistent industry responses to a shared risk vector.

The technical root of these exploits lies in the “lethal trifecta”: agents that possess private data, ingest untrusted content, and have the ability to communicate externally. When any one of these pillars is present, a crafted prompt can redirect the agent’s goal, effectively turning it into a confused deputy that executes attacker‑driven actions. Conventional perimeter defenses—firewalls, web‑application filters, and DLP—operate on a per‑request basis and miss the semantic continuity across multi‑turn interactions. As Capsule Security demonstrates, attackers can distribute payloads across several benign‑looking turns, evading stateless inspection while still achieving a malicious outcome.

Mitigating this emerging class of threats requires a shift to runtime enforcement. “Guardian agents” that intercept every tool call, evaluate intent with fine‑tuned language models, and enforce policy before execution provide a practical layer of defense. Organizations should inventory all agentic deployments, map data flows, and enforce least‑privilege access for external communications. Integrating vendor‑native webhook controls, such as Microsoft’s Copilot Studio security hooks, with third‑party telemetry (EDR, SOC process‑tree analysis) creates a holistic view of agent activity. By treating prompt injection as a SaaS‑wide risk rather than isolated CVEs, security leaders can align governance, monitoring, and incident response to the speed and scale of autonomous AI agents.