Mark Barrera

🚨 BREAKING: Google DeepMind just mapped the attack surface that nobody in AI is talking about. Websites can already detect when an AI agent visits and serve it completely different content than humans see. > Hidden instructions in HTML. > Malicious commands in image pixels. > Jailbreaks embedded in PDFs. Your AI agent is being manipulated right now and you can't see it happening. The study is the largest empirical measurement of AI manipulation ever conducted. 502 real participants across 8 countries. 23 different attack types. Frontier models including GPT-4o, Claude, and Gemini. The core finding is not that manipulation is theoretically possible it is that manipulation is already happening at scale and the defenses that exist today fail in ways that are both predictable and invisible to the humans who deployed the agents. Google DeepMind built a taxonomy of every known attack vector, tested them systematically, and measured exactly how often they work. The results should alarm everyone building agentic systems. The attack surface is larger than anyone has publicly acknowledged. Prompt injection where malicious instructions hidden in web content hijack an agent's behavior works through at least a dozen distinct channels. Text hidden in HTML comments that humans never see but agents read and follow. Instructions embedded in image metadata. Commands encoded in the pixels of images using steganography, invisible to human eyes but readable by vision-capable models. Malicious content in PDFs that appears as normal document text to the agent but contains override instructions. QR codes that redirect agents to attacker-controlled content. Indirect injection through search results, calendar invites, email bodies, and API responses any data source the agent consumes becomes a potential attack vector. The detection asymmetry is the finding that closes the escape hatch. Websites can already fingerprint AI agents with high reliability using timing analysis, behavioral patterns, and user-agent strings. This means the attack can be conditional: serve normal content to humans, serve manipulated content to agents. A user who asks their AI agent to book a flight, research a product, or summarize a document has no way to verify that the content the agent received matches what a human would see. The agent cannot tell the user it was served different content. It does not know. It processes whatever it receives and acts accordingly. The attack categories and what they enable: → Direct prompt injection: malicious instructions in any text the agent reads overrides goals, exfiltrates data, triggers unintended actions → Indirect injection via web content: hidden HTML, CSS visibility tricks, white text on white backgrounds invisible to humans, consumed by agents → Multimodal injection: commands in image pixels via steganography, instructions in image alt-text and metadata → Document injection: PDF content, spreadsheet cells, presentation speaker notes every file format is a potential vector → Environment manipulation: fake UI elements rendered only for agent vision models, misleading CAPTCHA-style challenges → Jailbreak embedding: safety bypass instructions hidden inside otherwise legitimate-looking content → Memory poisoning: injecting false information into agent memory systems that persists across sessions → Goal hijacking: gradual instruction drift across multiple interactions that redirects agent objectives without triggering safety filters → Exfiltration attacks: agents tricked into sending user data to attacker-controlled endpoints via legitimate-looking API calls → Cross-agent injection: compromised agents injecting malicious instructions into other agents in multi-agent pipelines The defense landscape is the most sobering part of the report. Input sanitization cleaning content before the agent processes it fails because the attack surface is too large and too varied. You cannot sanitize image pixels. You cannot reliably detect steganographic content at inference time. Prompt-level defenses that tell agents to ignore suspicious instructions fail because the injected content is designed to look legitimate. Sandboxing reduces the blast radius but does not prevent the injection itself. Human oversight the most commonly cited mitigation fails at the scale and speed at which agentic systems operate. A user who deploys an agent to browse 50 websites and summarize findings cannot review every page the agent visited for hidden instructions. The multi-agent cascade risk is where this becomes a systemic problem. In a pipeline where Agent A retrieves web content, Agent B processes it, and Agent C executes actions, a successful injection into Agent A's data feed propagates through the entire system. Agent B has no reason to distrust content that came from Agent A. Agent C has no reason to distrust instructions that came from Agent B. The injected command travels through the pipeline with the same trust level as legitimate instructions. Google DeepMind documents this explicitly: the attack does not need to compromise the model. It needs to compromise the data the model consumes. Every agentic system that reads external content is one carefully crafted webpage away from executing attacker instructions. The agents are already deployed. The attack infrastructure is already being built. The defenses are not ready.

@JHTScherck @tryprofound I'll be there

Anyone I know going to the @tryprofound event in SF this April? Will need to make a call this week if I can go + book a hotel, and would love to see some friendly faces there and get some dinner plans on the books.

@iPullRank @Biograph What's the value you got from it? Anything big you learned or that they discovered about your health? How do you plan to use the data from all the analysis?

Just did @Biograph. AmA.

I've been having this convo with a lot of people lately. Some get it right away after using Claude for their first time. Others are still clueless about where we are and what things are to come.

@JHTScherck @ahrefs @thinking_slow Yep - Ahrefs/Semrush data vs reality feel VERY off. I blame their outdated methods for CTR estimates, but also search volume data has it's flaws. Both of which lead to bad traffic estimates.

Dear @ahrefs content team (cc @thinking_slow) one of the most valuable things you could do for the industry right now is compare the traffic delta for pages getting 10,000+ visits a month via organic search in site explorer vs what their web analytics report.

The final Google update for 2025 has started rolling out today.

What is "good" LLM visibility? This chart assumes the methodology for prompt measurement is looking at BOFU, non-branded terms that represent the core products the company creates and nothing else. I.E. - "what is the best content marketing software"

ChatGPT isn’t just streaming text, it's now streaming 𝐞𝐧𝐭𝐢𝐭𝐢𝐞𝐬. I have found traces of: 🔹 NER (people, orgs, events) 🔹 Moderation signals 🔹 A full product graph (title, price, rating, merchant…) It’s how AI “sees” your entities & catalog. 👉 wordlift.io/blog/en/openai…

Why Peer Review Sites Are Losing Clicks but Gaining Power in the AI Era linkedin.com/pulse/why-peer… Peer review sites have lost 70–80% of their organic traffic. But in the GenAI era, they matter more than ever. Reviews are no longer just proof, they fuel GEO strategies.

Kicked off my Lunch with Legends (a chance to sit down with leaders I admire and share what I’m learning along the way) with @peeplaja. We hit on consultancies, acquisitions, AI, events, and LinkedIn’s organic decline. Check out what he’s built at wynter.com

@brodieseo @MalteLandwehr But not just for tracking rankings, but to feed those rankings to ChatGPT and the like who have been known to buy and use this data. searchengineland.com/openai-chatgpt…

Some interesting points from @mark_barrera and @MalteLandwehr shared on my LI post. Is this actually a direct result of rank tracking tools being down? The difference in impressions could potentially be just the rank trackers hitting the site

Heads-up: if you've checked your Google Search Console data today and you're noticing some unusual trends, you're not alone. In particular, I'm seeing a noticeable decline in desktop impressions, resulting in a sharp increase in average position. This is across many accounts that I have access to and seems to have started around September 10th when the change first begun. After a quick inspection, the change doesn't appear to make a great deal of sense at the query level. Which either points to a data discrepancy or a change in how impressions are being recorded (considering clicks appear normal). And it isn't just GSC that is being unusual, with it looking like rank tracking tools are having some difficulty with Google dropping &num=100: seroundtable.com/google-search-… and some tools not recording a ranking at all in some instances. Either way, if you've just checked GSC and are noticing a significant drop to overall impressions in the past couple of days of data, you're not alone - we'll likely know more on this soon so stay tuned.

SEOs: be ready for Monday morning! GSC impressions will look broken. Avg position will spike. Rank trackers may miss data. This is not user behavior. It’s Google shutting down num=100 and cutting off machine-driven impressions from scrapers and AI tools. linkedin.com/posts/markbarr…

Everyone loves the headline: “Scaling to $10M ARR with 3 FTEs and AI” But look closer: Agencies running outbound & ads Contractors on SEO & ops Vendors filling the rest That’s not 3 people. That’s spin - and it erodes trust in the brand.

Great ideas rarely glide through unchallenged. They disrupt. They make people uncomfortable. And that resistance is the signal you’re onto something worth pursuing.

Claude can now create and edit real files: Word, Excel, PowerPoint, and PDFs. No more copy-paste. You ask, it delivers a ready-to-use file in one step. ChatGPT can generate files too, but Claude makes it faster, smoother, and more polished — especially for document-heavy work.

🔥 Inbound is dead. Long live the Loop? At #INBOUND25 HubSpot unveiled The Loop — Express, Tailor, Amplify, Evolve. But these frameworks aren’t magic. They’re mirrors of how buyer behavior has already shifted. Here’s what it means for marketers 👇 linkedin.com/pulse/from-inb…

Content in 2025 is about more than words. Strategy and experience design shape how content works for people. Teams that connect these roles make content clearer and more useful. Here's a simple look at what's changing: buff.ly/RVWKbAz

@nick_eubanks @lilyraynyc and I don't think the goal is to rank second. It's to rank as best as possible in AI but also in regular organic where position 1 is now in position 2. And do so knowing that wins in either won't yield as much traffic as it used to.

@nick_eubanks @lilyraynyc Would love to see others start to dig into their GSC CTR curves and isolate where AIOs show and learn what others are seeing.

Just saw a post where a recent research study shows that: If a link is shown in an AI Overview (position 1), 𝗶𝘁 𝗴𝗲𝘁𝘀 𝗹𝗲𝘀𝘀 𝘁𝗵𝗮𝗻 𝗵𝗮𝗹𝗳 𝗼𝗳 𝘁𝗵𝗲 𝗖𝗧𝗥 𝗼𝗳 𝘁𝗵𝗲 𝗳𝗶𝗿𝘀𝘁 𝗿𝗲𝗴𝘂𝗹𝗮𝗿 𝗼𝗿𝗴𝗮𝗻𝗶𝗰 𝗿𝗲𝘀𝘂𝗹𝘁 𝘁𝗵𝗮𝘁 𝗳𝗼𝗹𝗹𝗼𝘄𝘀. And position 1 last year saw up to 4x higher CTR when AIO wasn't present. If this is the case, this could mean it would actually be a better SEO strategy to rank #2 instead of #1. C/o @NewfoldDigital