Papers
Topics
Authors
Recent
Search
2000 character limit reached

CMPE: Progressive Contextual Misdirection

Updated 6 July 2026
  • CMPE is a mechanism where early contextual manipulations incrementally shape later interpretations and decision dynamics across various systems.
  • Its formal models, from mathematical cyber-deception formulas to dynamic epistemic logic sequences, capture progressive context shaping in distinct settings.
  • Applications span cyber-deception, LLM prompting, and agentic systems, enabling both offensive misdirection and defensive control against contextual attacks.

Contextual Misdirection via Progressive Engagement (CMPE) denotes a family of mechanisms in which context is shaped incrementally so that later interpretations, decisions, or actions are steered away from an intended, authentic, or safe trajectory. Across recent work, the label is applied to several related but non-identical constructs: a descriptive model of attacker engagement in cyber-deception, a staged prompting discipline for reducing attention misdirection in LLM use, a failure mode in multi-step agentic systems and Model Context Protocol (MCP) pipelines, a pattern of context deception against vision-language computer agents, and a deliberate defensive misdirection strategy against automated jailbreak attacks (Turner et al., 3 Dec 2025, Ioste, 2024, Vishnyakova, 10 Mar 2026, Yang et al., 12 Mar 2025, Soosahabi et al., 18 Jun 2026). Taken together, the literature converges on a common structural idea: early contextual commitments alter later choice dynamics, and those alterations may be exploited offensively or engineered defensively.

1. Conceptual scope

The literature uses CMPE in at least five distinct research settings. In cyber-deception, it is a descriptive account of whether an attacker continues engagement at all. In prompt-based LLM workflows, it is a staged mitigation strategy for attention misdirection. In agentic AI, it is a failure mode produced by context drift under weak isolation and provenance. In computer-use agents, it names context deception attacks that hijack stepwise perception and action. In automated jailbreak defense, it is a detect-and-misdirect method that replaces predictable refusals with safe but strategically misleading responses.

Setting CMPE formulation Representative mechanisms
Cyber-deception Pre-engagement decision model B,S,D,R,EB,S,D,R,E; L=(BS)+R(DE)L=(B-S)+R(D-E) (Turner et al., 3 Dec 2025)
LLM business use Structured mitigation of attention misdirection Persona, Grouping, Intelligence (Ioste, 2024)
Agentic systems Failure mode from context drift relevance, sufficiency, isolation, economy, provenance (Vishnyakova, 10 Mar 2026)
Computer-use agents Context deception attack and defense pop-ups, EIA, EDA; defense-first exemplars (Yang et al., 12 Mar 2025)
Automated jailbreak defense Detect-and-misdirect strategy positive-intent preamble, safe context expansion, follow-up question (Soosahabi et al., 18 Jun 2026)

This plurality is not merely terminological. Some papers place CMPE on the attacker side, where progressive cues induce commitment, concealment, or drift. Others place it on the defender side, where staged clarification, gating, or misdirection is used to suppress exploitation. A plausible implication is that CMPE is best understood not as a single method but as a general interaction pattern defined by trajectory dependence: later states are not independent of earlier contextual manipulations.

2. Formal models of progressive context shaping

One explicit mathematical formulation appears in cyber-deception research. There, attacker engagement is modeled through belief BB, skepticism SS, deception fidelity DD, reconnaissance RR, and experience EE, with the core linear score

L=(BS)+R(DE).L = (B - S) + R(D - E).

Belief versus skepticism sets the base inclination, while reconnaissance scales whether deception fidelity outweighs experience. A proposed normalization is

Pengage=σ(λL+b),P_{engage} = \sigma(\lambda L + b),

with a threshold rule that engages if L>τL > \tau and abstains if L=(BS)+R(DE)L=(B-S)+R(D-E)0 (Turner et al., 3 Dec 2025).

A different formalization comes from dynamic epistemic logic. There, progressive engagement is a sequence of verbal or visual informational actions represented by nested updates,

L=(BS)+R(DE)L=(B-S)+R(D-E)1

over a language containing propositional atoms, observation atoms, belief modalities L=(BS)+R(DE)L=(B-S)+R(D-E)2, and dynamic modalities L=(BS)+R(DE)L=(B-S)+R(D-E)3. Success conditions distinguish belief-based misrepresentation, such as L=(BS)+R(DE)L=(B-S)+R(D-E)4, from observation-based misrepresentation, such as L=(BS)+R(DE)L=(B-S)+R(D-E)5, after a sequence of updates. This provides a symbolic account of how priming, focus narrowing, salience shifts, and reveal stages can be composed into a single misdirection plan (Icard et al., 2024).

In agentic systems, CMPE is formalized as context drift under multi-step autonomy. The agent’s decision is modeled as

L=(BS)+R(DE)L=(B-S)+R(D-E)6

with planner/state update

L=(BS)+R(DE)L=(B-S)+R(D-E)7

and context compilation

L=(BS)+R(DE)L=(B-S)+R(D-E)8

Admission control for new material L=(BS)+R(DE)L=(B-S)+R(D-E)9 requires provenance, relevance, sufficiency, and economy thresholds:

BB0

Progressive misdirection is then modeled as cumulative deviation over a horizon BB1, with contamination amplified when isolation and provenance are weak (Vishnyakova, 10 Mar 2026).

These formalisms differ in ontology—psychological variables, epistemic updates, or systems-state transitions—but they all encode the same invariant: context enters sequentially, affects state, and changes subsequent admissibility, interpretation, or action.

3. Attack and failure modalities

In LLM prompting, a central distinction is between hallucination and attention misdirection. Hallucinations are defined as outputs that diverge from factual reality or exhibit logical inconsistencies, whereas attention misdirection occurs when the output remains factually and logically acceptable but fails to align with instructor intent because of ambiguous wording, poor structuring, or unfocused tasks. The diagnostic rubric formalizes hallucination by failures of factuality BB2 or logical consistency BB3, and attention misdirection by high BB4 and BB5 but low expectation alignment BB6 (Ioste, 2024). A recurrent practical consequence is that many failures labeled “hallucinations” are, under this definition, actually prompt-context misdirection.

A second failure mode is positional. The CoPE framework measures contextual knowledge (CK) and context recall (CR) across input segments and identifies a “lost-in-the-later” effect: the first quartile has the highest recall and the last quartile the lowest. In contradiction experiments, early truthful content dominates later correction. For English Llama 3.2 90B, true-first (TF) CK is 74.44 while false-first (FF) CK is 64.40; for GPT-4o, TF is 71.22 and FF is 68.51 (Tao et al., 7 Jul 2025). This creates a direct route for progressive contextual misdirection: misleading early content can overshadow later corrective evidence even in contexts far below long-context limits.

In computer-use agents, CMPE appears as context deception attacks on multi-step observe-decide-act loops. Pop-up window attacks place counterfeit overlays that instruct the next click. Environmental Injection Attacks (EIA) in SeeAct insert deceptive elements at position BB7 under EI(text), EI(aria), and MI settings. Environmental Distraction Attacks (EDA) introduce ads, such as AD1–AD3, that compete for the next action. The progressive feature is temporal: if the agent engages first and only then reasons, subsequent reasoning rationalizes the wrong path rather than correcting it (Yang et al., 12 Mar 2025).

In MCP-based systems, non-isolated execution context permits tool poisoning, indirect prompt injection, external knowledge manipulation, and data exfiltration. Tool metadata, server outputs, and retrieved documents occupy the same effective context, so small adversarial contributions can be admitted repeatedly and drive “conversation drift” over turns. In a related context-engineering account, these dynamics are also described through relevance deficits, sufficiency gaps, weak isolation, poor provenance, and the context-rot categories poisoning, distraction, confusion, and clash (Shi et al., 8 Aug 2025, Vishnyakova, 10 Mar 2026).

Embodied agents introduce an additional execution layer. By poisoning a few contextual demonstrations, attackers can cause a black-box LLM to generate programs with hidden, context-dependent defects that activate only when textual and visual triggers align. The textual triggers include words such as “put”, “give”, “set”, “yellow”, “red”, “orange”, “slowly”, “gradually”, and “carefully”, while visual triggers include objects such as “blue cellphone”, “helmet dog”, “kite”, and “balloon”. The five defect modes are malicious behaviors, agent availability degradation, privacy extraction, shutdown control, and biased content (Liu et al., 2024).

4. Defensive strategies and control architectures

Some of the most explicit defensive formulations of CMPE are staged. In cyber-deception design, the sequence is Phase 1: Initial lure, Phase 2: Credibility reinforcement, Phase 3: Goal-oriented escalation, and Phase 4: Deep entanglement. Tailored banners, plausible default configs, consistent service responses, believable noise, staged breadcrumbs, and selective decreases in deception fidelity off-path are used to raise belief, manage skepticism, and gate deeper content by reconnaissance thresholds (Turner et al., 3 Dec 2025). Here progressive engagement is not an incidental property; it is the defensive control surface.

In business-oriented LLM use, CMPE is operationalized through the PGI framework: Persona, Grouping, and Intelligence. The stages are Orient and disambiguate, Scaffold and group, Intelligence alignment, Verification and critique, and Sign-off. Persona anchors role, language, and semantic defaults; Grouping decomposes tasks into linear steps to suppress topic scatter; Intelligence injects business constraints, glossaries, and evaluation rubrics (Ioste, 2024). The key claim is not that the model should always reason more, but that it should reason inside a better-specified attentional and semantic frame.

At the systems level, context engineering proposes five quality criteria—relevance, sufficiency, isolation, economy, and provenance—and extends them with Intent Engineering (IE) and Specification Engineering (SE). The resulting control architecture uses role-based context compartments, Delegation Capability Tokens, protocol-level separation such as A2A and MCP, signed artifacts, transitive attestation, policy-aligned RAG gating, memory hygiene, and escalation on deviation (Vishnyakova, 10 Mar 2026). This reframes CMPE defense from prompt craft to state-governance infrastructure.

For vision-language computer agents, the proposed defense is “in-context defense”: append a small set of exemplars so that the model first performs “Risk/Distraction Analysis” and only then plans the next action. The prescribed output schema is BB8, with defensive exemplars flagging deceptive elements to ignore and benign exemplars stating “Nothing atypical identified” (Yang et al., 12 Mar 2025). The ordering is essential because planning-first invites post hoc rationalization of a risky click.

For long-term human-LLM dialogue, the Context Alignment Pre-processor (C.A.P.) moves intervention to pre-generation. It expands the instruction into BB9, retrieves recent history with temporal weighting, computes an alignment score

SS0

and branches to a structured clarification protocol when SS1. The clarification sequence offers three choices: proceed with the new request, correct the system’s understanding as a continuation, or provide a clearer new request (Wei, 17 Mar 2026). This is CMPE as conversational repair.

A qualitatively different defense appears in automated jailbreak settings. There, CMPE is a detect-and-misdirect method activated only on detected harmful outputs. The response is constructed as a positive-intent preamble, safe context expansion produced by token stripping, glue-word injection, shuffling, and bounded expansion, and a follow-up question. The aim is to generate safe but semantically plausible text that an attacker’s automated judge misclassifies as promising, thereby degrading the judge’s positive predictive value without enabling harmful execution (Soosahabi et al., 18 Jun 2026).

5. Measurement, evaluation, and empirical findings

The empirical status of CMPE varies sharply by domain. In cyber-deception, the planned Capture the Flag experiments have not yet been conducted, and no findings are presented. The proposed instrumentation combines behavioral observations with biometric indicators such as heart rate variability, eye tracking/pupil dilation, and galvanic skin response, with latent-state inference via Hidden Markov Model or particle filter and evaluation metrics including engagement rate, time-to-withdraw, depth-of-engagement, path adherence, deception believability index, and attacker effort (Turner et al., 3 Dec 2025).

In business prompting, the PGI method is reported to achieve a 3.15% error rate across 4,000 responses, associated with “analysis of 400 social contracts over 4,000 interactions with a LLM.” With SS2, the number of errors is approximately SS3, and the 95% Wilson interval is approximately SS4. The same report also notes that granular task taxonomies, inter-rater reliability, and full confusion matrices are not provided (Ioste, 2024).

For computer-use agents, in-context defense produces strong quantitative gains. Attack success rate (ASR) is reduced by 91.2% on pop-up window attacks, by 74.6% on average on Environmental Injection Attacks, and by 100% against distracting advertisements, while benign success rate is largely preserved with a drop of at most 3.3% and sometimes improves by 13.8% on pop-up tasks. Ordering matters: defense-first reduces ASR by 99.5% versus 90.3% when planning-first. Minimal exemplar counts are also effective: one defensive exemplar yields a 96.2% ASR reduction, two yield 92.0%, and three yield 99.5%. Out-of-distribution exemplars still deliver an 89.0% ASR reduction, compared with 99.5% for in-distribution exemplars, and the method retains around 90%+ ASR reduction on GPT‑4o, Gemini 1.5 Pro, and Claude 3.5 Sonnet, specifically 91.2%, 91.5%, and 88.5% (Yang et al., 12 Mar 2025).

The CoPE framework provides quantitative evidence on contextual grounding. At 50-sentence context, CK Prompt improves CK over the Original prompt for LLaMA 3.2 90B in English from 70.45 to 78.72, in Spanish from 70.22 to 78.95, and in Danish from 69.33 to 77.50. Reasoning models such as GPT-o3 and Qwen 3 235B often remain around 55 CK despite additional context. In summarization, CK Prompt improves NLI alignment on QMSum from 23.29 to 27.69 and on DivSum from 33.77 to 44.38, while CK score rises from 83.22 to 90.51 on QMSum and from 77.41 to 83.08 on DivSum (Tao et al., 7 Jul 2025).

For MCP drift detection, SecMCP reports AUROC scores exceeding 0.915 across Llama3-8B, Mistral-7B, and Vicuna-7B on FinQA, HotpotQA, and MS MARCO. Representative values include 0.992 for Llama3-8B on MS MARCO exfiltration, 0.997 for Vicuna-7B on FinQA misleading, and 0.999 for Mistral-7B on FinQA hijacking, with mean performance approximately 0.98. Under a synonym-replacement adaptive attack on HotpotQA with SS5 word swaps per prompt, exfiltration AUROC drops to approximately 0.86, while misleading and hijacking change little (Shi et al., 8 Aug 2025).

Embodied-agent attacks show that contextual poisoning can survive into execution with high attack success and low false activation. On ProgPrompt, ASR is 82.5% with False-ASR 7.5%. On VoxPoser, ASR is 83.3% with False-ASR 6.7% and clean accuracy 63.3%. On VisProg, ASR reaches 90.5% for NLVR, 86.6% for GQA, 87.0% for Image Editing, and 92.5% for Knowtag, with False-ASR between 7.1% and 10.9%. In real-world driving, Jetbot trials under visual triggers achieve ASR of 100% for lane keeping, 90% for obstacle avoidance, and 95% for parking, while a Hooke-based vehicle collides in 80% of triggered trials and 0% of untriggered trials. The availability attack increases FLOPs from 998.75 G to 23032.85 G and time from 3.08 s to 12.32 s, privacy extraction reaches 90% ASR, and biased content reaches 80% ASR across 10 samples (Liu et al., 2024).

In automated jailbreak defense, detect-and-misdirect CMPE reduces estimated ASR upper bounds by one to two orders of magnitude relative to detect-and-block. Examples include a reduction from 0.997 to 0.075 for defender Llama-Guard-3-8B versus attacker SR-Scout-30B, from 0.994 to 0.077 for defender HB-FT-LLaMA2-13B versus attacker SR-OSS-120B, and from 0.974 to 0.049 for defender SR-Scout-30B versus attacker PAIR-OSS-120B. In end-to-end runs, GPTFuzz verified ASR falls from 0.20 to 0.00 on Vicuna and to 0.02 on NeuralDaredevil-8B-abliterated, while PAIR falls from 0.10 to 0.00 on both victims. These reductions are associated with high misdirection-induced false positives rather than true harmful success (Soosahabi et al., 18 Jun 2026).

6. Limitations, controversies, and open directions

The first limitation is conceptual heterogeneity. The same label denotes an engagement model, a prompting workflow, a systems failure mode, an adversarial attack pattern, a pre-generation dialogue control layer, and a defensive misdirection strategy. This suggests that CMPE is presently a cross-domain family resemblance term rather than a stabilized technical standard.

A second limitation is uneven empirical maturity. The cyber-deception model presents no experimental findings yet, and the C.A.P. framework outlines an evaluation plan but does not report empirical results. The PGI deployment reports an aggregate error rate but omits inter-rater reliability and full confusion matrices (Turner et al., 3 Dec 2025, Wei, 17 Mar 2026, Ioste, 2024). As a result, some strands of the literature are presently stronger on formalization and protocol design than on externally replicated measurement.

A recurrent misconception concerns chain-of-thought. The evidence is not uniformly favorable. CoPE reports that reasoning models and non-reasoning models prompted with chain-of-thought use context even less than non-reasoning models without CoT, that CoT does not mitigate lost-in-the-later, and that it often yields shorter outputs and lower recall. By contrast, the computer-agent defense study finds that explicit defensive reasoning is highly effective, but only when it precedes action planning; planning-first produces classic act-then-justify failures (Tao et al., 7 Jul 2025, Yang et al., 12 Mar 2025). The controversy is therefore not whether reasoning helps in the abstract, but where it is inserted and what it is conditioned on.

Adversarial adaptation remains unresolved. SecMCP assumes a benign polytope learned from prior conversations and notes that major domain shifts may increase false alarms; it also does not yet attribute drift to specific sources. Embodied attacks are evaluated primarily in visually grounded systems, leaving audio and haptics open. Detect-and-misdirect defenses may face attackers using stricter thresholds or judge ensembles, although the reported ensemble results still exhibit a trade-off between reducing misdirection-induced false positives and increasing rejection of genuinely harmful candidates (Shi et al., 8 Aug 2025, Liu et al., 2024, Soosahabi et al., 18 Jun 2026).

Ethical and governance constraints are explicit in several strands. Cyber-deception design recommendations include no entrapment, no data fabrication that violates law or policy, and clear research consent in CTFs. Dialogue-alignment work emphasizes transparency and user autonomy, while embodied-agent security work frames the threat as severe enough to warrant responsible disclosure and secure-by-design countermeasures (Turner et al., 3 Dec 2025, Wei, 17 Mar 2026, Liu et al., 2024). A plausible implication is that future CMPE research will need to treat safety, auditability, and human oversight as first-class design constraints rather than auxiliary concerns.

Across these lines of work, the major research trajectory is clear. CMPE becomes tractable when context is no longer treated as an inert prompt buffer but as a governed state: one that can be modeled, segmented, attested, aligned, clarified, filtered, and measured. Whether the goal is to lure an attacker into a deceptive funnel, prevent an agent from following a poisoned interface, maintain common ground in long dialogue, or corrupt the feedback loop of an automated jailbreak attacker, the decisive variable is the same: how progressive context updates alter the probability space of later decisions.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Contextual Misdirection via Progressive Engagement (CMPE).