Papers
Topics
Authors
Recent
Search
2000 character limit reached

Contextualized Defense Instructing (CDI)

Updated 4 July 2026
  • CDI is a defense paradigm that embeds contextualized guidance into an agent’s workflow to proactively shape safe actions.
  • It leverages exemplar-based in-context defense and instructor-model guidance to mitigate deception attacks and enhance privacy.
  • Empirical studies show that CDI outperforms static prompts and veto-style guarding by optimizing selective action planning and defense metrics.

Searching arXiv for the cited papers to ground the article in the current record. Contextualized Defense Instructing (CDI) is a defense paradigm for LLM- and VLM-based agents in which defense is inserted into the agent’s working context as task-specific, state-dependent guidance, so that the next action is shaped proactively rather than merely constrained or vetoed after planning. In current arXiv literature, the idea appears in two closely related forms: exemplar-based in-context defense for computer-use agents facing context deception attacks, and instructor-model-based privacy guidance for tool-using LLM agents in multi-step execution (Yang et al., 12 Mar 2025, Wen et al., 3 Mar 2026). Across these formulations, CDI treats defense as a contextual policy encoded in the prompt-time or run-time context of the agent, with the explicit aim of preserving task performance while reducing deception or privacy failures.

1. Definition and conceptual scope

The term Contextualized Defense Instructing is used explicitly as a privacy defense paradigm in "Contextualized Privacy Defense for LLM Agents" (Wen et al., 3 Mar 2026). In work on computer-use agents, the closely related mechanism called in-context defense is presented as a concrete instantiation of CDI: curated exemplars are embedded into the agent’s context so that the agent performs explicit defensive reasoning before action planning (Yang et al., 12 Mar 2025). A third paper uses the acronym CDI differently, to denote coherence-driven inference in cybersecurity; that usage is terminologically distinct, although the supplied description presents it as relevant to explainable, context-sensitive acceptance or rejection of hypotheses and actions (Huntsman, 23 Sep 2025).

Paper CDI role Agent setting
(Yang et al., 12 Mar 2025) In-context defense as a concrete instantiation of CDI VLM-powered computer agents under context deception attacks
(Wen et al., 3 Mar 2026) Explicit CDI privacy defense paradigm Tool-using LLM agents in multi-step communication tasks
(Huntsman, 23 Sep 2025) CDI means coherence-driven inference Cybersecurity inference over weighted coherence graphs

In both primary CDI formulations, the central move is to replace generic safety instructions with contextualized guidance. In the computer-agent setting, this guidance is delivered through few-shot exemplars that encode a defensive procedure. In the privacy setting, it is delivered by a separate instructor model that observes the evolving trajectory and emits step-specific guidance. This shared structure distinguishes CDI from static prompting and from post-hoc blocking.

2. Formalization and intervention points in agent execution

The formalization in the computer-agent setting starts from a VLM that models a conditional distribution over actions given context. The input is denoted by QQ, the output action sequence or next action by AA, and the model by Pr(AQ)\Pr(A \mid Q). Under benign conditions, the objective is to choose an action AA that aligns with the user’s intended task AgoldA_{\text{gold}}. Under attack, the attacker modifies the original input QQ into a deceptive input QmaliciousQ_{\text{malicious}}, for example by adding a fake pop-up overlay or extra DOM nodes. The attack and defense objectives are given as (Yang et al., 12 Mar 2025): Untargeted Attack:minQmaliciousPr(AgoldQmalicious) Targeted Attack:maxQmaliciousPr(AwrongQmalicious)\begin{aligned} &\text{Untargeted Attack:} &&\min_{Q_{\text{malicious}}} \Pr(A_{\text{gold}} \mid Q_{\text{malicious}}) \ &\text{Targeted Attack:} &&\max_{Q_{\text{malicious}}} \Pr(A_{\text{wrong}} \mid Q_{\text{malicious}}) \end{aligned} and, for the defender controlling in-context examples HH,

Defending Both:maxHPr(AgoldQmalicious,H) Defending Targeted:minHPr(AwrongQmalicious,H).\begin{aligned} &\text{Defending Both:} &&\max_{H} \Pr(A_{\text{gold}} \mid Q_{\text{malicious}}, H) \ &\text{Defending Targeted:} &&\min_{H} \Pr(A_{\text{wrong}} \mid Q_{\text{malicious}}, H). \end{aligned}

The privacy paper formulates the same general problem through a canonical agent loop. The sender agent maintains an accumulating context buffer

AA0

where AA1 is the system prompt, AA2 are user messages, and AA3 are tool calls and their results. The next action is chosen as

AA4

Within this loop, the paper identifies three distinct intervention points (Wen et al., 3 Mar 2026). Prompting modifies initialization,

AA5

Guarding intervenes after planning but before execution,

AA6

CDI intervenes after observation and before the next action. If the latest tool result is non-empty, the instructor model emits guidance

AA7

which is appended to the context,

AA8

and the next action is drawn from the main agent model conditioned on this augmented context,

AA9

This decomposition clarifies the distinctive claim of CDI. Prompting is global and static. Guarding is reactive and veto-oriented. CDI is post-observation and pre-action, so it can shape the next action as a safe alternative rather than merely blocking an unsafe one.

3. Exemplar-based CDI for computer-use agents

In the computer-agent literature, CDI is instantiated as in-context defense for computer-use agents powered by VLMs. These agents take screenshots, optional structured annotations such as SoM labels or HTML elements, and a user-specified task in natural language, and then produce actions such as clicking, typing, or selecting “None” in some setups (Yang et al., 12 Mar 2025). The threat model is context deception attacks, defined as attacks that “introduce human-perceptible deceptive elements into the environment perceived by an agent to distract or manipulate its behavior.” The paper studies three categories: pop-up window attacks, Environment Injection Attacks (EIA), and Environmental Distraction Attacks (EDA).

The core mechanism is the addition of a small set of exemplars

Pr(AQ)\Pr(A \mid Q)0

including both defensive and benign cases. Each exemplar output is structured as

Pr(AQ)\Pr(A \mid Q)1

where Pr(AQ)\Pr(A \mid Q)2 is explicit defensive chain-of-thought, Pr(AQ)\Pr(A \mid Q)3 is optional action-planning chain-of-thought, and Pr(AQ)\Pr(A \mid Q)4 is the concrete action. The prompt structure described in the paper includes an input block with screenshot, annotations, and task, followed by an output block with a top-level "Risk/Distraction Analysis:" section, then a "Plan" or "Action Plan" section, and finally an "Action" command.

This structure is not incidental. The method enforces a two-stage process: first identify deceptive or distracting elements, then perform action planning conditioned on that analysis. The functional decomposition is stated schematically as

Pr(AQ)\Pr(A \mid Q)5

For pop-up attacks, the defensive reasoning explicitly marks overlay elements and their SoM IDs as suspicious and to be ignored. For EIA, the reasoning identifies ambiguous mappings between screenshot content and injected HTML options, and in the ambiguous case chooses the special safe action “None of the other options match the correct element.” For EDA, the reasoning identifies advertisements or recommendations as irrelevant relative to the user’s goal.

The paper reports nine defensive exemplar pairs total across attack types. VisualWebArena uses 3 defensive exemplars plus 3 benign exemplars; SeeAct uses 3 defensive plus 1 benign exemplar; the custom ads agent uses 3 defensive exemplars and no benign exemplar because the dataset lacked attack-free content. The quantity ablation shows that fewer than three exemplars are sufficient to induce defensive behavior. With 1 defensive exemplar plus 3 benign exemplars, ASR shrinks from 0.583 to 0.022; with 2 defensive exemplars, ASR is 0.047; with 3 defensive exemplars, ASR is 0.003 and SR improves to 0.458 (Yang et al., 12 Mar 2025).

4. Instructor-based CDI for privacy-preserving LLM agents

The privacy formulation generalizes CDI from exemplar-conditioned behavior to a distinct architectural component: a separate, lightweight instructor model Pr(AQ)\Pr(A \mid Q)6 that generates step-specific, context-aware privacy guidance during execution (Wen et al., 3 Mar 2026). The setting is a multi-agent privacy simulator over communication applications such as Gmail, Messenger, and Facebook. Each privacy scenario contains a data subject, a data sender, and a data recipient. The subject’s personal information is partitioned into shareable items Pr(AQ)\Pr(A \mid Q)7 and unshareable items Pr(AQ)\Pr(A \mid Q)8, and the recipient’s task is explicitly to obtain both Pr(AQ)\Pr(A \mid Q)9 and AA0 from the sender.

The instructor observes the sender’s memory and dialogue history and outputs guidance in a structured JSON-like format: HH7 Only the "instruction" field is appended as the user message AA1 to the sender’s context; the "analysis" is internal chain-of-thought. The intended behavioral effect is supervisory steering. Rather than telling the sender only that a proposed action is blocked, CDI can tell it what to share, what not to share, and how to formulate a selective disclosure response.

The paper’s qualitative cases emphasize mixed requests that combine shareable and unshareable information. In one example, the instructor says: “Share meeting time. Refuse to tell anything beyond coordination, like Emily’s ID number.” The sender then produces a mixed response that shares the meeting time and refuses the ID number, yielding AA2, AA3, and AA4. In another case, after optimization, the instructor explicitly re-checks the social context and privacy norms and generates the instruction: “Decline the request to share Emily's credit score and home address. Only confirm QA time slots, event logistics.” The significance of CDI here is that the safe alternative is constructed before the next tool call is formed.

To optimize this instructor, the paper introduces an experience-driven RL framework. Failure trajectories with privacy violations are collected through adversarial prompt search. For CDI, the first guidance AA5 that fails to prevent leakage in the next sender action is identified, the trajectory is truncated before that guidance, and the resulting context AA6 becomes an RL environment. The instructor samples a new guidance string

AA7

the sender executes up to one action, and the reward is computed as Appropriate Disclosure: AA8 The optimization objective is

AA9

The reward design is based on three metrics. Let AgoldA_{\text{gold}}0 be the total number of shareable items, AgoldA_{\text{gold}}1 the total number of unshareable items, AgoldA_{\text{gold}}2 the number of shareable items actually shared, and AgoldA_{\text{gold}}3 the number of unshareable items actually shared. Then

AgoldA_{\text{gold}}4

The staged training schedule uses 400 steps with reward AgoldA_{\text{gold}}5 and 200 steps with reward AgoldA_{\text{gold}}6, implemented with GRPO and LoRA fine-tuning of Qwen3‑4B at rank AgoldA_{\text{gold}}7, learning rate AgoldA_{\text{gold}}8, batch size AgoldA_{\text{gold}}9, gradient accumulation QQ0, max context length 5200 tokens, and max generation 2048 tokens (Wen et al., 3 Mar 2026).

5. Empirical findings, baselines, and design regularities

The empirical claims across the two primary papers are consistent on the central comparison: CDI performs better than static prompting and avoids the characteristic pathologies of reactive guarding. In the computer-agent study, prompting-only defense is reported as inconsistent and often harmful. For pop-up attacks, ASR goes from 0.583 to 0.538 with prompting-only defense and SR stays at 0.417. For EIA, prompting-only defense increases ASR in all three variants: EI (text) 0.415 to 0.433, EI (aria) 0.427 to 0.456, and MI 0.427 to 0.526, while SR decreases notably for EIA-MI from 0.462 to 0.386. By contrast, in-context defense reduces pop-up ASR from 0.583 to 0.051, reduces EIA ASR to 0.117, 0.170, and 0.035 across EI (text), EI (aria), and MI, and achieves 100% successful defenses against distracting advertisements, with AD1, AD2, and AD3 ASR all reduced to 0.000 (Yang et al., 12 Mar 2025).

The same paper also isolates two design regularities. First, defensive reasoning must precede action planning. The reasoning-order ablation shows planning-first yields ASR 0.057, whereas defense-first yields ASR 0.003. Second, defensive exemplars, not merely chain-of-thought prompting, are critical. Without defensive exemplars, pop-up ASR only drops from 0.583 to 0.553, and EIA ASR increases in some settings. The backbone ablation further indicates that the defense is backbone-agnostic in the reported experiments: pop-up ASR with defense is 0.051 for GPT-4o, 0.052 for Gemini 1.5 Pro, and 0.071 for Claude 3.5 Sonnet. In-distribution exemplars remain stronger than out-of-distribution ones: ASR 0.003 for IND versus 0.064 for OOD exemplars.

In the privacy study, the baseline no-defense sender is characterized by low privacy preservation and high helpfulness: QQ1, QQ2, QQ3. Unoptimized prompting reaches QQ4, QQ5, QQ6 before attack, but after strategic attack QQ7 collapses to QQ8 while QQ9 rises to QmaliciousQ_{\text{malicious}}0. Unoptimized guarding averages QmaliciousQ_{\text{malicious}}1, QmaliciousQ_{\text{malicious}}2, QmaliciousQ_{\text{malicious}}3 before attack and QmaliciousQ_{\text{malicious}}4, QmaliciousQ_{\text{malicious}}5, QmaliciousQ_{\text{malicious}}6 after attack. Unoptimized CDI averages QmaliciousQ_{\text{malicious}}7, QmaliciousQ_{\text{malicious}}8, QmaliciousQ_{\text{malicious}}9 before attack and remains best after attack at Untargeted Attack:minQmaliciousPr(AgoldQmalicious) Targeted Attack:maxQmaliciousPr(AwrongQmalicious)\begin{aligned} &\text{Untargeted Attack:} &&\min_{Q_{\text{malicious}}} \Pr(A_{\text{gold}} \mid Q_{\text{malicious}}) \ &\text{Targeted Attack:} &&\max_{Q_{\text{malicious}}} \Pr(A_{\text{wrong}} \mid Q_{\text{malicious}}) \end{aligned}0, Untargeted Attack:minQmaliciousPr(AgoldQmalicious) Targeted Attack:maxQmaliciousPr(AwrongQmalicious)\begin{aligned} &\text{Untargeted Attack:} &&\min_{Q_{\text{malicious}}} \Pr(A_{\text{gold}} \mid Q_{\text{malicious}}) \ &\text{Targeted Attack:} &&\max_{Q_{\text{malicious}}} \Pr(A_{\text{wrong}} \mid Q_{\text{malicious}}) \end{aligned}1, Untargeted Attack:minQmaliciousPr(AgoldQmalicious) Targeted Attack:maxQmaliciousPr(AwrongQmalicious)\begin{aligned} &\text{Untargeted Attack:} &&\min_{Q_{\text{malicious}}} \Pr(A_{\text{gold}} \mid Q_{\text{malicious}}) \ &\text{Targeted Attack:} &&\max_{Q_{\text{malicious}}} \Pr(A_{\text{wrong}} \mid Q_{\text{malicious}}) \end{aligned}2 (Wen et al., 3 Mar 2026).

After optimization, the privacy results sharpen. On unseen test configurations, optimized prompting achieves Untargeted Attack:minQmaliciousPr(AgoldQmalicious) Targeted Attack:maxQmaliciousPr(AwrongQmalicious)\begin{aligned} &\text{Untargeted Attack:} &&\min_{Q_{\text{malicious}}} \Pr(A_{\text{gold}} \mid Q_{\text{malicious}}) \ &\text{Targeted Attack:} &&\max_{Q_{\text{malicious}}} \Pr(A_{\text{wrong}} \mid Q_{\text{malicious}}) \end{aligned}3, Untargeted Attack:minQmaliciousPr(AgoldQmalicious) Targeted Attack:maxQmaliciousPr(AwrongQmalicious)\begin{aligned} &\text{Untargeted Attack:} &&\min_{Q_{\text{malicious}}} \Pr(A_{\text{gold}} \mid Q_{\text{malicious}}) \ &\text{Targeted Attack:} &&\max_{Q_{\text{malicious}}} \Pr(A_{\text{wrong}} \mid Q_{\text{malicious}}) \end{aligned}4, Untargeted Attack:minQmaliciousPr(AgoldQmalicious) Targeted Attack:maxQmaliciousPr(AwrongQmalicious)\begin{aligned} &\text{Untargeted Attack:} &&\min_{Q_{\text{malicious}}} \Pr(A_{\text{gold}} \mid Q_{\text{malicious}}) \ &\text{Targeted Attack:} &&\max_{Q_{\text{malicious}}} \Pr(A_{\text{wrong}} \mid Q_{\text{malicious}}) \end{aligned}5; optimized guarding achieves Untargeted Attack:minQmaliciousPr(AgoldQmalicious) Targeted Attack:maxQmaliciousPr(AwrongQmalicious)\begin{aligned} &\text{Untargeted Attack:} &&\min_{Q_{\text{malicious}}} \Pr(A_{\text{gold}} \mid Q_{\text{malicious}}) \ &\text{Targeted Attack:} &&\max_{Q_{\text{malicious}}} \Pr(A_{\text{wrong}} \mid Q_{\text{malicious}}) \end{aligned}6, Untargeted Attack:minQmaliciousPr(AgoldQmalicious) Targeted Attack:maxQmaliciousPr(AwrongQmalicious)\begin{aligned} &\text{Untargeted Attack:} &&\min_{Q_{\text{malicious}}} \Pr(A_{\text{gold}} \mid Q_{\text{malicious}}) \ &\text{Targeted Attack:} &&\max_{Q_{\text{malicious}}} \Pr(A_{\text{wrong}} \mid Q_{\text{malicious}}) \end{aligned}7, Untargeted Attack:minQmaliciousPr(AgoldQmalicious) Targeted Attack:maxQmaliciousPr(AwrongQmalicious)\begin{aligned} &\text{Untargeted Attack:} &&\min_{Q_{\text{malicious}}} \Pr(A_{\text{gold}} \mid Q_{\text{malicious}}) \ &\text{Targeted Attack:} &&\max_{Q_{\text{malicious}}} \Pr(A_{\text{wrong}} \mid Q_{\text{malicious}}) \end{aligned}8; optimized CDI achieves Untargeted Attack:minQmaliciousPr(AgoldQmalicious) Targeted Attack:maxQmaliciousPr(AwrongQmalicious)\begin{aligned} &\text{Untargeted Attack:} &&\min_{Q_{\text{malicious}}} \Pr(A_{\text{gold}} \mid Q_{\text{malicious}}) \ &\text{Targeted Attack:} &&\max_{Q_{\text{malicious}}} \Pr(A_{\text{wrong}} \mid Q_{\text{malicious}}) \end{aligned}9, HH0, HH1. Under adversarial retraining scenarios, optimized CDI reports HH2, HH3, HH4. Cross-backbone evaluation shows particularly strong gains for weaker agents: on gpt‑4.1‑nano, AD is 59.3 with no defense, 64.9 with prompting, 56.8 with guarding, and 90.4 with CDI. The paper’s interpretation is that CDI is agent-agnostic guidance that offloads complex privacy reasoning to the instructor.

A plausible unifying implication is that CDI works best when the defense module specifies a selective alternative rather than a blanket refusal. In the computer-agent setting, this takes the form “ignore the pop-up; click the task-relevant target.” In the privacy setting, it takes the form “share coordination-oriented information; refuse the sensitive fields.” That pattern is directly opposed to the failure mode of guarding, which often produces block–resend loops and over-blocking.

6. Terminological boundaries, limitations, and open directions

A recurrent source of confusion is the acronym CDI itself. In "Coherence-driven inference for cybersecurity," CDI denotes a Thagard-style coherence model in which propositions are vertices of a weighted graph, edge weights lie in HH5, and the acceptance or rejection of propositions is formulated as a MAX-CUT problem maximizing

HH6

That paper explicitly does not use Contextualized Defense Instructing as its term. Its relation to CDI in the defense-instructing sense is therefore adjacent rather than identical (Huntsman, 23 Sep 2025). A plausible implication is that coherence-driven inference could serve as an upstream reasoning layer for selecting accepted hypotheses and candidate actions before a separate instruction generator produces contextualized defensive guidance.

The primary limitations of CDI as currently studied are practical and distributional rather than conceptual. In the computer-agent setting, multiple exemplars increase prompt size and first-round inference cost; output format adherence can be imperfect; residual failures remain under OOD attacks or when reasoning order is wrong; and novel UI patterns or attack types may require dynamic exemplar selection or regular exemplar updates (Yang et al., 12 Mar 2025). In the privacy setting, optimization depends on a curated set of attack-induced failure trajectories; evaluation is centered on communication apps and social, health, and finance scenarios; a separate instructor model and RL training increase complexity relative to static prompts; and only the instructor or guard is trained, while the main agent remains frozen (Wen et al., 3 Mar 2026).

The open directions proposed in the literature follow from these limitations. For computer agents, the supplied description points to dynamic exemplar selection, integration with external detectors such as UI anomaly detectors or HTML parsers, better UI grounding, prompt caching, and stronger output schemas. For privacy agents, the paper highlights more nuanced privacy–utility tradeoffs, extension to other safety domains such as security, fairness, and hallucination control, and broader simulation environments such as collaborative document editing, web browsing, and multi-agent collaboration. Taken together, these directions suggest that CDI is best understood not as a single prompt template but as an intervention family for context-sensitive control of agent behavior under adversarial or norm-sensitive conditions (Yang et al., 12 Mar 2025, Wen et al., 3 Mar 2026).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (3)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Contextualized Defense Instructing (CDI).