LLM Basics
Lesson 1 of 6

Who's Actually Talking to the Model?

This course is about prompt injection and jailbreaks — how they work, why they work, and how to defend against them. It's written from a defensive/blue-team angle: understanding the mechanism is what lets you recognize and stop it. Every example in this course uses a fictional toy system (a made-up support bot, a made-up email assistant) — never a real product, and never content designed to elicit genuinely dangerous output.

Before any of that, one question: when a chatbot has a "system prompt" telling it how to behave, and a user types a message, how separate are those two things, really?

Most people picture a system prompt as something like a locked configuration file the model reads before it ever looks at the user — a wall the user's text can't cross. That mental model is wrong, and the gap between it and reality is where every technique in this course lives.

Predict before you look

Before you flip the toggle: do you think the model receives the system instructions and the user's message as two genuinely separate objects, or as one continuous piece of text?

It's one continuous token stream. Role tags like <|system|> and <|user|> are real and models are specifically trained to give them weight — a well-trained model usually does treat system instructions as higher priority. But "usually treats as higher priority because of training" is a very different guarantee than "cannot be overridden because of the code." There is no code-level parser that strips or rejects text in the user's turn just because it looks like an instruction. Everything from here on is about what happens when someone writes user-turn text that's designed to look like — or to redirect — the model's priorities.

The flattening itself is trivial to show — this is genuinely all string concatenation under the hood:

Python

Why can't a model architecturally refuse to read text in the user's turn as an instruction?