OpenAI launches Lockdown Mode to block prompt injection data theft
OpenAI has rolled out Lockdown Mode to eligible ChatGPT accounts, limiting outbound network requests to block the data exfiltration stage of prompt injection attacks.
Score breakdown
Security-conscious practitioners handling sensitive data in ChatGPT now have a deterministic, non-AI-evaluated control to block the exfiltration stage of prompt injection attacks — the hardest-to-defend leg of the threat model.
- 01Lockdown Mode is now rolling out to eligible Free, Go, Plus, and Pro personal accounts and self-serve ChatGPT Business accounts.
- 02The feature limits outbound network requests to block data exfiltration during prompt injection attacks.
- 03Lockdown Mode does NOT prevent prompt injections from appearing in content ChatGPT processes — injections via cached web content or uploaded files can still affect responses.
OpenAI has launched Lockdown Mode, rolling it out to eligible personal ChatGPT accounts across Free, Go, Plus, and Pro tiers, as well as self-serve ChatGPT Business accounts. First teased in February, the feature is designed to block the final stage of a prompt injection attack — data exfiltration — by limiting outbound network requests that could transfer sensitive information to an attacker. OpenAI explicitly notes that Lockdown Mode does not prevent prompt injections from appearing in content ChatGPT processes; injections can still arrive through cached web content or uploaded files and influence response behavior or accuracy.
The post also observes that the existence of Lockdown Mode implies ChatGPT's default settings do not provide robust protection against determined data exfiltration attempts.
The post frames Lockdown Mode through the lens of what it calls the "Lethal Trifecta": the dangerous combination of an LLM system having access to private data, exposure to untrusted content, and a mechanism to exfiltrate that data to an attacker. The post argues that cutting off the exfiltration leg is the easiest way to neutralize the trifecta without significantly degrading utility, and that Lockdown Mode does exactly that using deterministic mechanisms — not AI-evaluated ones — which are therefore not themselves susceptible to subversion by clever attacks. The post also observes that the existence of Lockdown Mode implies ChatGPT's default settings do not provide robust protection against determined data exfiltration attempts.
OpenAI CISO Dane Stuckey is quoted clarifying that Lockdown Mode is not intended for all users, but is a worthwhile tradeoff for those with an elevated risk profile — based on who they are, what they work on, or the types of data they handle — despite some tradeoffs in functionality and utility.
Key facts
- 01Lockdown Mode is now rolling out to eligible Free, Go, Plus, and Pro personal accounts and self-serve ChatGPT Business accounts.
- 02The feature limits outbound network requests to block data exfiltration during prompt injection attacks.
- 03Lockdown Mode does NOT prevent prompt injections from appearing in content ChatGPT processes — injections via cached web content or uploaded files can still affect responses.
- 04OpenAI first teased Lockdown Mode in February 2026.
- 05The post frames the feature as cutting off the 'exfiltration' leg of the 'Lethal Trifecta' (private data access + untrusted content exposure + exfiltration vector).
- 06Lockdown Mode uses deterministic mechanisms, not AI-evaluated ones, making it resistant to subversion by prompt injection itself.
- 07OpenAI CISO Dane Stuckey stated the feature is intended for users with an elevated risk profile, noting tradeoffs in functionality and utility.
Topics
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 7, 2026 · 12:45 UTC. How this works →