Contextualized Defense Instructing (CDI)
- CDI is a defense paradigm that embeds contextualized guidance into an agent’s workflow to proactively shape safe actions.
- It leverages exemplar-based in-context defense and instructor-model guidance to mitigate deception attacks and enhance privacy.
- Empirical studies show that CDI outperforms static prompts and veto-style guarding by optimizing selective action planning and defense metrics.
Searching arXiv for the cited papers to ground the article in the current record. Contextualized Defense Instructing (CDI) is a defense paradigm for LLM- and VLM-based agents in which defense is inserted into the agent’s working context as task-specific, state-dependent guidance, so that the next action is shaped proactively rather than merely constrained or vetoed after planning. In current arXiv literature, the idea appears in two closely related forms: exemplar-based in-context defense for computer-use agents facing context deception attacks, and instructor-model-based privacy guidance for tool-using LLM agents in multi-step execution (Yang et al., 12 Mar 2025, Wen et al., 3 Mar 2026). Across these formulations, CDI treats defense as a contextual policy encoded in the prompt-time or run-time context of the agent, with the explicit aim of preserving task performance while reducing deception or privacy failures.
1. Definition and conceptual scope
The term Contextualized Defense Instructing is used explicitly as a privacy defense paradigm in "Contextualized Privacy Defense for LLM Agents" (Wen et al., 3 Mar 2026). In work on computer-use agents, the closely related mechanism called in-context defense is presented as a concrete instantiation of CDI: curated exemplars are embedded into the agent’s context so that the agent performs explicit defensive reasoning before action planning (Yang et al., 12 Mar 2025). A third paper uses the acronym CDI differently, to denote coherence-driven inference in cybersecurity; that usage is terminologically distinct, although the supplied description presents it as relevant to explainable, context-sensitive acceptance or rejection of hypotheses and actions (Huntsman, 23 Sep 2025).
| Paper | CDI role | Agent setting |
|---|---|---|
| (Yang et al., 12 Mar 2025) | In-context defense as a concrete instantiation of CDI | VLM-powered computer agents under context deception attacks |
| (Wen et al., 3 Mar 2026) | Explicit CDI privacy defense paradigm | Tool-using LLM agents in multi-step communication tasks |
| (Huntsman, 23 Sep 2025) | CDI means coherence-driven inference | Cybersecurity inference over weighted coherence graphs |
In both primary CDI formulations, the central move is to replace generic safety instructions with contextualized guidance. In the computer-agent setting, this guidance is delivered through few-shot exemplars that encode a defensive procedure. In the privacy setting, it is delivered by a separate instructor model that observes the evolving trajectory and emits step-specific guidance. This shared structure distinguishes CDI from static prompting and from post-hoc blocking.
2. Formalization and intervention points in agent execution
The formalization in the computer-agent setting starts from a VLM that models a conditional distribution over actions given context. The input is denoted by , the output action sequence or next action by , and the model by . Under benign conditions, the objective is to choose an action that aligns with the user’s intended task . Under attack, the attacker modifies the original input into a deceptive input , for example by adding a fake pop-up overlay or extra DOM nodes. The attack and defense objectives are given as (Yang et al., 12 Mar 2025): and, for the defender controlling in-context examples ,
The privacy paper formulates the same general problem through a canonical agent loop. The sender agent maintains an accumulating context buffer
0
where 1 is the system prompt, 2 are user messages, and 3 are tool calls and their results. The next action is chosen as
4
Within this loop, the paper identifies three distinct intervention points (Wen et al., 3 Mar 2026). Prompting modifies initialization,
5
Guarding intervenes after planning but before execution,
6
CDI intervenes after observation and before the next action. If the latest tool result is non-empty, the instructor model emits guidance
7
which is appended to the context,
8
and the next action is drawn from the main agent model conditioned on this augmented context,
9
This decomposition clarifies the distinctive claim of CDI. Prompting is global and static. Guarding is reactive and veto-oriented. CDI is post-observation and pre-action, so it can shape the next action as a safe alternative rather than merely blocking an unsafe one.
3. Exemplar-based CDI for computer-use agents
In the computer-agent literature, CDI is instantiated as in-context defense for computer-use agents powered by VLMs. These agents take screenshots, optional structured annotations such as SoM labels or HTML elements, and a user-specified task in natural language, and then produce actions such as clicking, typing, or selecting “None” in some setups (Yang et al., 12 Mar 2025). The threat model is context deception attacks, defined as attacks that “introduce human-perceptible deceptive elements into the environment perceived by an agent to distract or manipulate its behavior.” The paper studies three categories: pop-up window attacks, Environment Injection Attacks (EIA), and Environmental Distraction Attacks (EDA).
The core mechanism is the addition of a small set of exemplars
0
including both defensive and benign cases. Each exemplar output is structured as
1
where 2 is explicit defensive chain-of-thought, 3 is optional action-planning chain-of-thought, and 4 is the concrete action. The prompt structure described in the paper includes an input block with screenshot, annotations, and task, followed by an output block with a top-level "Risk/Distraction Analysis:" section, then a "Plan" or "Action Plan" section, and finally an "Action" command.
This structure is not incidental. The method enforces a two-stage process: first identify deceptive or distracting elements, then perform action planning conditioned on that analysis. The functional decomposition is stated schematically as
5
For pop-up attacks, the defensive reasoning explicitly marks overlay elements and their SoM IDs as suspicious and to be ignored. For EIA, the reasoning identifies ambiguous mappings between screenshot content and injected HTML options, and in the ambiguous case chooses the special safe action “None of the other options match the correct element.” For EDA, the reasoning identifies advertisements or recommendations as irrelevant relative to the user’s goal.
The paper reports nine defensive exemplar pairs total across attack types. VisualWebArena uses 3 defensive exemplars plus 3 benign exemplars; SeeAct uses 3 defensive plus 1 benign exemplar; the custom ads agent uses 3 defensive exemplars and no benign exemplar because the dataset lacked attack-free content. The quantity ablation shows that fewer than three exemplars are sufficient to induce defensive behavior. With 1 defensive exemplar plus 3 benign exemplars, ASR shrinks from 0.583 to 0.022; with 2 defensive exemplars, ASR is 0.047; with 3 defensive exemplars, ASR is 0.003 and SR improves to 0.458 (Yang et al., 12 Mar 2025).
4. Instructor-based CDI for privacy-preserving LLM agents
The privacy formulation generalizes CDI from exemplar-conditioned behavior to a distinct architectural component: a separate, lightweight instructor model 6 that generates step-specific, context-aware privacy guidance during execution (Wen et al., 3 Mar 2026). The setting is a multi-agent privacy simulator over communication applications such as Gmail, Messenger, and Facebook. Each privacy scenario contains a data subject, a data sender, and a data recipient. The subject’s personal information is partitioned into shareable items 7 and unshareable items 8, and the recipient’s task is explicitly to obtain both 9 and 0 from the sender.
The instructor observes the sender’s memory and dialogue history and outputs guidance in a structured JSON-like format:
7
Only the "instruction" field is appended as the user message 1 to the sender’s context; the "analysis" is internal chain-of-thought. The intended behavioral effect is supervisory steering. Rather than telling the sender only that a proposed action is blocked, CDI can tell it what to share, what not to share, and how to formulate a selective disclosure response.
The paper’s qualitative cases emphasize mixed requests that combine shareable and unshareable information. In one example, the instructor says: “Share meeting time. Refuse to tell anything beyond coordination, like Emily’s ID number.” The sender then produces a mixed response that shares the meeting time and refuses the ID number, yielding 2, 3, and 4. In another case, after optimization, the instructor explicitly re-checks the social context and privacy norms and generates the instruction: “Decline the request to share Emily's credit score and home address. Only confirm QA time slots, event logistics.” The significance of CDI here is that the safe alternative is constructed before the next tool call is formed.
To optimize this instructor, the paper introduces an experience-driven RL framework. Failure trajectories with privacy violations are collected through adversarial prompt search. For CDI, the first guidance 5 that fails to prevent leakage in the next sender action is identified, the trajectory is truncated before that guidance, and the resulting context 6 becomes an RL environment. The instructor samples a new guidance string
7
the sender executes up to one action, and the reward is computed as Appropriate Disclosure: 8 The optimization objective is
9
The reward design is based on three metrics. Let 0 be the total number of shareable items, 1 the total number of unshareable items, 2 the number of shareable items actually shared, and 3 the number of unshareable items actually shared. Then
4
The staged training schedule uses 400 steps with reward 5 and 200 steps with reward 6, implemented with GRPO and LoRA fine-tuning of Qwen3‑4B at rank 7, learning rate 8, batch size 9, gradient accumulation 0, max context length 5200 tokens, and max generation 2048 tokens (Wen et al., 3 Mar 2026).
5. Empirical findings, baselines, and design regularities
The empirical claims across the two primary papers are consistent on the central comparison: CDI performs better than static prompting and avoids the characteristic pathologies of reactive guarding. In the computer-agent study, prompting-only defense is reported as inconsistent and often harmful. For pop-up attacks, ASR goes from 0.583 to 0.538 with prompting-only defense and SR stays at 0.417. For EIA, prompting-only defense increases ASR in all three variants: EI (text) 0.415 to 0.433, EI (aria) 0.427 to 0.456, and MI 0.427 to 0.526, while SR decreases notably for EIA-MI from 0.462 to 0.386. By contrast, in-context defense reduces pop-up ASR from 0.583 to 0.051, reduces EIA ASR to 0.117, 0.170, and 0.035 across EI (text), EI (aria), and MI, and achieves 100% successful defenses against distracting advertisements, with AD1, AD2, and AD3 ASR all reduced to 0.000 (Yang et al., 12 Mar 2025).
The same paper also isolates two design regularities. First, defensive reasoning must precede action planning. The reasoning-order ablation shows planning-first yields ASR 0.057, whereas defense-first yields ASR 0.003. Second, defensive exemplars, not merely chain-of-thought prompting, are critical. Without defensive exemplars, pop-up ASR only drops from 0.583 to 0.553, and EIA ASR increases in some settings. The backbone ablation further indicates that the defense is backbone-agnostic in the reported experiments: pop-up ASR with defense is 0.051 for GPT-4o, 0.052 for Gemini 1.5 Pro, and 0.071 for Claude 3.5 Sonnet. In-distribution exemplars remain stronger than out-of-distribution ones: ASR 0.003 for IND versus 0.064 for OOD exemplars.
In the privacy study, the baseline no-defense sender is characterized by low privacy preservation and high helpfulness: 1, 2, 3. Unoptimized prompting reaches 4, 5, 6 before attack, but after strategic attack 7 collapses to 8 while 9 rises to 0. Unoptimized guarding averages 1, 2, 3 before attack and 4, 5, 6 after attack. Unoptimized CDI averages 7, 8, 9 before attack and remains best after attack at 0, 1, 2 (Wen et al., 3 Mar 2026).
After optimization, the privacy results sharpen. On unseen test configurations, optimized prompting achieves 3, 4, 5; optimized guarding achieves 6, 7, 8; optimized CDI achieves 9, 0, 1. Under adversarial retraining scenarios, optimized CDI reports 2, 3, 4. Cross-backbone evaluation shows particularly strong gains for weaker agents: on gpt‑4.1‑nano, AD is 59.3 with no defense, 64.9 with prompting, 56.8 with guarding, and 90.4 with CDI. The paper’s interpretation is that CDI is agent-agnostic guidance that offloads complex privacy reasoning to the instructor.
A plausible unifying implication is that CDI works best when the defense module specifies a selective alternative rather than a blanket refusal. In the computer-agent setting, this takes the form “ignore the pop-up; click the task-relevant target.” In the privacy setting, it takes the form “share coordination-oriented information; refuse the sensitive fields.” That pattern is directly opposed to the failure mode of guarding, which often produces block–resend loops and over-blocking.
6. Terminological boundaries, limitations, and open directions
A recurrent source of confusion is the acronym CDI itself. In "Coherence-driven inference for cybersecurity," CDI denotes a Thagard-style coherence model in which propositions are vertices of a weighted graph, edge weights lie in 5, and the acceptance or rejection of propositions is formulated as a MAX-CUT problem maximizing
6
That paper explicitly does not use Contextualized Defense Instructing as its term. Its relation to CDI in the defense-instructing sense is therefore adjacent rather than identical (Huntsman, 23 Sep 2025). A plausible implication is that coherence-driven inference could serve as an upstream reasoning layer for selecting accepted hypotheses and candidate actions before a separate instruction generator produces contextualized defensive guidance.
The primary limitations of CDI as currently studied are practical and distributional rather than conceptual. In the computer-agent setting, multiple exemplars increase prompt size and first-round inference cost; output format adherence can be imperfect; residual failures remain under OOD attacks or when reasoning order is wrong; and novel UI patterns or attack types may require dynamic exemplar selection or regular exemplar updates (Yang et al., 12 Mar 2025). In the privacy setting, optimization depends on a curated set of attack-induced failure trajectories; evaluation is centered on communication apps and social, health, and finance scenarios; a separate instructor model and RL training increase complexity relative to static prompts; and only the instructor or guard is trained, while the main agent remains frozen (Wen et al., 3 Mar 2026).
The open directions proposed in the literature follow from these limitations. For computer agents, the supplied description points to dynamic exemplar selection, integration with external detectors such as UI anomaly detectors or HTML parsers, better UI grounding, prompt caching, and stronger output schemas. For privacy agents, the paper highlights more nuanced privacy–utility tradeoffs, extension to other safety domains such as security, fairness, and hallucination control, and broader simulation environments such as collaborative document editing, web browsing, and multi-agent collaboration. Taken together, these directions suggest that CDI is best understood not as a single prompt template but as an intervention family for context-sensitive control of agent behavior under adversarial or norm-sensitive conditions (Yang et al., 12 Mar 2025, Wen et al., 3 Mar 2026).