Key takeaways
Agent-aware cloaking reliably changes what AI search tools read… a very simplistic, but powerful exploit.
We built controlled site and apps that serves different pages to regular browsers vs AI crawlers (OpenAI’s Atlas, ChatGPT, Perplexity), and showed your this can lead to context poisonning
This opens new attack vectors. Some immediate examples include manipulation of hiring decisions, product recommendations, reputation, commerce… and so much more.
Defenses: provenance signals, crawler validation, continuous monitoring of AIO-served outputs, and model-aware testing must become standard, along with stronger website verification and actor reputation systems to identify and block manipulative sources before they’re ingested.
Case 1: Zerphina Quortane: When AI-Generated Truth Turns Toxic
Our first demonstration centers on a fictional persona: Zerphina Quortane, a made-up designer from Portland, Oregon.
Her website (zerphina.xyz) looks harmless: a minimalist portfolio describing a creative technologist blending AI, perception, and design.
But that’s only what humans see.
What humans see
In normal browsers, Zerphina’s site appears perfectly legitimate: a standard designer bio and portfolio.
The HTML is conventional, the content upbeat, and no red flags appear to visitors or search engines.
This is the human-facing version … professional tone, clean layout, and zero indication of manipulation.
What AI sees
When the same URL is requested by an AI agent (e.g., User-Agent = ChatGPT-User or PerplexityBot, or new AI browsers Atlas and Comet), the server delivers a fabricated negative profile.
In this version, Zerphina is re-described as a “Notorious Product Saboteur & Questionable Technologist,” complete with fake project failures and ethical violations… Shock horror!
The only change is the user-agent header, yet it completely alters the semantic meaning of the page.
A stark contrast.
Atlas and other AI tools dutifully reproduce the poisoned narrative describing Zerphina as unreliable, unethical, and unhirable.
No validation. Just confident, authoritative hallucination rooted in manipulated data.
What it shows and why it matters
This live experiment reveals how AI-targeted cloaking turns a classic SEO trick into a powerful misinformation weapon.
Trust is brittle: AI crawlers can be deceived with trivial header checks, making AIO results vulnerable to narrative poisoning.
Reputation is malleable: A single rule on a web server can rewrite how AI systems describe a person, brand, or product, without leaving public traces.
Automation inherits the bias: Hiring tools, compliance systems, or investor research that rely on model summaries can unknowingly ingest falsified data.
Detection is lagging: Neither ChatGPT nor Perplexity flagged the inconsistency or verified the source, highlighting the absence of provenance validation in current retrieval pipelines.
Verification becomes nearly impossible at scale: A chatbot may autonomously retrieve a cloaked page, cite its poisoned version as a source. Only careful manual validation would reveal the trickery.
For enterprises, the implication is clear:
As AI overviews become the default lens through which information is consumed, control over what these agents see becomes a security surface.
If you don’t monitor it, someone else can manipulate it, and the model will confidently repeat their version of the truth.
Case 2: When AI Agents Hire the Wrong Candidate
For the second test, we wanted to know: can an AI be tricked into preferring the wrong person just by serving it a different version of a résumé?
The setup was simple.
We generated a fictional job posting, evaluation criteria, and five candidate profiles hosted on separate pages (C1–C5). Each résumé looked realistic and well-structured, complete with plausible work histories and skill descriptions.
What happens when the agent reads the web
All candidate pages were identical for human visitors, except one.
For Natalie Carter (C5), the server was configured to detect AI crawlers such as Atlas, ChatGPT or Perplexity and serve a modified résumé: inflated titles, added leadership claims, and strategically worded achievements that would appeal to automated evaluators.
No injection, no exploit… just conditional content delivery.
When Atlas ingested these pages in its retrieval mode, it produced the following ranking:
Candidate Name | Score (/100) |
Natalie Carter (C5) | 88 |
Jessica Morales (C1) | 78 |
Brian Lee (C2) | 38 |
Marcus Nguyen (C4) | 34 |
Danielle Price (C3) | 27 |
But when the same model was given the human-visible résumés, downloaded locally, with no user-agent trickery, the results flipped entirely:
Candidate Name | Score (/100) |
Jessica Morales (C1) | 78 |
Brian Lee (C2) | 38 |
Marcus Nguyen (C4) | 34 |
Danielle Price (C3) | 27 |
Natalie Carter (C5) | 26 |
A single conditional rule changed who got the interview.
What it shows, and why it matters
This case illustrates how AI-driven automation can inherit hidden manipulation:
Retrieval bias becomes decision bias. The model’s ranking shifted purely because it saw a different version of the same data.
Agent-specific content can skew hiring, procurement, or compliance tools. Any pipeline that trusts web-retrieved inputs is exposed to silent bias.
Verification is missing. No cross-check ensured the crawled résumé matched the public one.
This is context poisoning, not hacking. The manipulation happens at the content-delivery layer, where trust assumptions are weakest.
For enterprises, this signals a new governance need: model-aware verification.
If your AI systems are making judgments based on external data, you must ensure they’re reading the same reality humans do.
From SEO to AIO Security
In the SEO era, cloaking gamed visibility.
As SEO increasingly incorporates AIO, it manipulates reality.
Our experiments show that AI crawlers can be deceived just as easily as early search engines, but with far greater downstream impact.
Hiring decisions, risk assessments, even product rankings now depend on what an AI sees behind the scenes. Furthermore, sources that may appear safe to users may turn out to be dangerous when consumed by AI. This could have serious implications, such as providing hidden prompt injections to the system.
Organizations must evolve their defenses:
Validate AI-retrieved data against canonical sources.
Continuously red-team your own AI workflows for content-layer exploits.
Demand provenance and bot authentication from vendors.
Establish website verification and ban known bad actors, just as traditional search ecosystems do.
Because if you’re not testing what your AI systems believe, someone else already is.
To see SPLX in action and discover how our cutting-edge research incorporates the latest zero-day findings into real-world AI security, speak with us today.
Table of contents
