โ† Back to blogยทTrendsยท7 min read

Attack Surface, Protocol, and Discovery: Three Shifts Reshaping Chatbots This Week

Prompt injection attacks are up 340% year-over-year and just compromised six agentic browsers at once, MCP is about to freeze a stateless enterprise-grade spec, and AI answer engines are quietly replacing search as the way users find your content. Here is what each means for what you ship next.

By Maya Brennan ยท Writer, Smillee AI
July 17, 2026

Three stories broke in the last few weeks that have nothing to do with a smarter model and everything to do with the chatbot stack growing teeth. Prompt injection became the fastest-growing attack category in security, full stop, not just in AI. The protocol your agent uses to reach tools is about to lock down its first enterprise-grade spec. And the way users find your product at all is quietly shifting from a search box to a chatbot's citation. Here's what changed and what to do about each one.

1. Prompt Injection Is Now the #1 AI Threat, and It's Cutting Both Ways

OWASP's 2026 LLM security report puts prompt injection attacks up 340% year-over-year, now the fastest-growing category of cyberattack industry-wide, not just within AI incidents. The technique also got a lot scarier in the last month: an indirect-injection technique researchers nicknamed "BioShocking" tricked six different agentic browsers and assistants at once โ€” including ChatGPT Atlas, Perplexity Comet, and Anthropic's Claude Chrome plugin โ€” into copying credentials from a signed-in session and pulling SSH keys out of a victim's GitHub account, all from content the agent merely read on a page. Separately, a financial services company spent three weeks with a customer-facing agent quietly leaking internal pricing data before anyone noticed a carefully worded question had talked it past its system prompt.

The pattern across every real incident is the same: the exploit doesn't come through the chat input box, it comes through content the model reads โ€” a web page, a PR description, an email, a tool result โ€” and treats as instructions instead of data. That's why input-side filtering on the user's message is close to useless against it.

  • Treat every piece of tool output, retrieved document, and browsed page as untrusted input, the same way you'd treat user-submitted HTML
  • Give agents the minimum permissions needed for the task, not the user's full session โ€” an agent that can read a page shouldn't inherit the ability to read your SSH keys
  • Log and diff what an agent actually does against what the user asked for; a support bot that suddenly calls a credentials API is a signal, not a footnote
// Don't let retrieved content dictate the tool-call plan โ€” separate what
// the model reads from what it's allowed to decide.
const page = await fetchUntrusted(url);
const plan = await agent.plan({
  instructions: userMessage,      // the only source of intent
  context: sanitize(page),        // data only, never treated as instructions
});

Suggested visual: a flow diagram of the BioShocking-style attack path โ€” attacker-controlled page โ†’ agent reads it โ†’ agent inherits session credentials โ†’ exfiltration โ€” with the trust boundary marked where it should have been enforced.

2. MCP Is About to Freeze a Stateless, Enterprise-Grade Spec

The Model Context Protocol's 2026-07-28 release candidate marks its shift from "convenient default" to formal, enterprise-grade infrastructure. The headline change is a move to a stateless architecture: a remote MCP server that used to need sticky sessions, a shared session store, and deep packet inspection at the gateway can now sit behind a plain round-robin load balancer, route on a standardized Mcp-Method header, and let clients cache tools/list responses for as long as the server's TTL allows. OAuth also becomes a first-class citizen rather than something every server bolted on differently. MCP is now governed by the Linux Foundation's Agentic AI Foundation, with over 18,000 community-indexed servers and tens of millions of monthly SDK downloads โ€” alongside Google's Agent-to-Agent protocol and IBM/AGNTCY's ACP, the three protocols now dominating serious production conversations about how agents reach tools and each other.

For teams already running MCP servers, the practical work is migration planning: the spec ships with a formal 12-month deprecation window for legacy session-based functionality, which is generous but not indefinite. For teams still hand-rolling tool-calling glue, this is the point where "wait for the standard to stabilize" stops being a reasonable excuse โ€” it just did.

Suggested visual: a before/after architecture diagram โ€” sticky-session MCP gateway with shared state, versus the stateless 2026-07-28 model behind a stock load balancer.

3. Your Users Are Finding You Through a Chatbot's Answer, Not a Search Result

Generative engine optimization (GEO) โ€” getting cited, quoted, or named inside an AI-generated answer โ€” is no longer a niche concern. More than 80% of the pages AI engines cite in 2026 don't rank in Google's top 10 at all, which means the content that wins in ChatGPT, Perplexity, or Google's AI Overviews is being selected by a different signal than classic SEO ever measured. Google AI Overviews now appear in roughly 55% of all Google searches, and Gartner's prediction that traditional search volume would drop meaningfully by 2026 as chatbots absorb query volume is playing out in the traffic numbers teams are seeing directly.

If your chatbot product also runs a marketing site, docs, or blog, the audience finding it is increasingly an AI system paraphrasing your content to a user who never clicks through. That changes what "good content" means: structured, directly quotable answers to specific questions now compete with โ€” and often beat โ€” content optimized purely for keyword ranking.

Suggested visual: a stacked bar comparing the overlap between a domain's Google top-10 rankings and its AI-engine citations, visualizing the 80%+ non-overlap.

Conclusion

None of these three shifts is about model quality. Prompt injection is a trust-boundary problem that gets worse as agents get more capable, not better. MCP going stateless is an operations problem โ€” the protocol layer catching up to what production actually needs. And GEO is a distribution problem โ€” the channel your users arrive through changing under you without an obvious dashboard alert. The common thread is the same one running through every trend this quarter: chatbots stopped being demos and started being systems with attack surfaces, protocols, and distribution channels that need to be engineered on purpose.

Engineering checklist:

  1. Audit every place an agent reads untrusted content and confirm it can't silently become an instruction
  2. Plan your MCP server migration against the 2026-07-28 stateless spec and its 12-month deprecation window
  3. Check whether your own content gets cited in AI answers, not just where it ranks in Google

Sources:

โ€” Maya

Frequently asked questions

What is prompt injection and why is it growing so fast in 2026?

Prompt injection is an attack where content an AI system reads โ€” a web page, document, or tool result โ€” contains hidden instructions that override its intended behavior. OWASP's 2026 LLM security report puts it up 340% year-over-year, the fastest-growing cyberattack category industry-wide, driven largely by the rise of agentic browsers and assistants that read and act on untrusted content automatically.

What's changing in the MCP 2026-07-28 specification?

The Model Context Protocol's 2026-07-28 release candidate moves it to a stateless, enterprise-grade architecture: servers no longer need sticky sessions or a shared session store, requests route via a standardized Mcp-Method header, and OAuth becomes a first-class part of the spec. It ships with a 12-month deprecation window for legacy session-based functionality.

What is generative engine optimization (GEO)?

GEO is the practice of structuring content so AI systems like ChatGPT, Google AI Overviews, and Perplexity cite or quote it directly in generated answers, rather than optimizing purely for search-engine ranking. It matters because in 2026 more than 80% of pages AI engines cite don't rank in Google's top 10, meaning AI citation and search ranking are increasingly separate outcomes that need separate strategies.

Maya Brennan
Writer, Smillee AI

I'm Maya โ€” I write most of what you'll read here. I spent years as a copywriter before I got a little obsessed with what these AI tools can actually do, so now I spend my days poking at chatbots, breaking them, and writing up what's worth your time. Everything here is something I've actually tried. If a prompt didn't work for me, it doesn't make the cut.

Want to try any of this?

Smillee's free and there's no signup โ€” open it and paste in whatever you're working on.

Start chatting โ†’

More from the blog