RAG & Agentic Systems
Retrieval-Augmented Generation (RAG)
What It Is
RAG connects an LLM to external knowledge sources. Instead of relying solely on what the model memorized during training, RAG retrieves relevant documents at query time and feeds them into the context window.
How It Works
User query → Embed query → Search vector database → Retrieve top-k documents
→ Inject documents into prompt → LLM generates response grounded in retrieved content
- User asks a question
- The query is converted to an embedding vector
- A vector database (Pinecone, Weaviate, ChromaDB, pgvector) finds the most semantically similar documents
- Retrieved documents are inserted into the prompt as context
- The LLM generates a response based on the retrieved information
Why It Matters
RAG solves several LLM limitations: knowledge cutoff (model doesn't know recent events), hallucination (grounding responses in real documents), and domain specificity (connecting to proprietary data).
Security Relevance
RAG is the #1 indirect prompt injection vector. Every document in the knowledge base is a potential injection point. If an attacker can plant content in the document store, they can inject instructions that the model will follow when those documents are retrieved.
Data leakage via RAG. If the knowledge base contains sensitive documents, a user might be able to extract information they shouldn't have access to by crafting queries that retrieve those documents.
Poisoned embeddings. If an attacker can modify the embedding model or the vector database, they can influence which documents get retrieved — steering the model toward malicious content.
Agentic Systems
What They Are
Agentic systems give LLMs the ability to take actions — execute code, call APIs, browse the web, send emails, manage files, query databases. The model doesn't just generate text; it decides what tool to use, uses it, observes the result, and decides the next action.
Common Tool Types
| Tool | What It Does | Risk |
|---|---|---|
| Code execution | Run Python/JS/bash | Arbitrary code execution |
| Web browsing | Fetch and read web pages | Indirect prompt injection from web content |
| API calls | Interact with external services | Unauthorized actions, data exfiltration |
| Send/read email | Social engineering, data leakage | |
| File system | Read/write/delete files | Data access, persistence |
| Database | Query/modify data | SQL injection, data manipulation |
Frameworks
- LangChain — popular Python framework for building chains and agents
- LlamaIndex — data framework for connecting LLMs to external data
- CrewAI — multi-agent orchestration
- AutoGen — Microsoft's multi-agent framework
- MCP (Model Context Protocol) — Anthropic's standard for tool/data connections
Security Relevance
Agentic systems have the highest-risk attack surface of any LLM deployment. When a model can execute code, send emails, and call APIs, prompt injection goes from "the model said something bad" to "the model did something destructive."
Tool use chains are exploitable. An attacker can use prompt injection to make the model call one tool to read sensitive data, then call another tool to exfiltrate it.
Confused deputy problem. The model acts with the permissions of the user or service account that backs it. If an agent has access to production databases and an attacker achieves prompt injection, they inherit those permissions.
Multi-agent systems amplify risk. When agents communicate with each other, a compromised agent can inject instructions into messages that other agents process — lateral movement within an AI system.