Incident Response and Security Forensics - Multi-Turn Context Poisoning in Long Sessions Follow-Up Questions
Source document: 05-incident-response-forensics.md
Reference scenario: 01-prompt-injection-defense.md -> Scenario 4: Multi-Turn Context Poisoning in Long Sessions
Scenario lens: Gradual scope drift across long sessions where no single turn is clearly malicious, but the accumulated context becomes unsafe.
Document lens: incident response, containment, and forensic investigation.
Use these prompts to push past the base scenario and explore deeper design, operational, interview, or storytelling tradeoffs.
Answer document: ANSWERS.md
Easy
- What signals would tell you a conversation is slowly drifting from legitimate use into the kind of multi-turn poisoning risk that matters for incident response, containment, and forensic investigation?
- At what point would you summarize, reset, or narrow context rather than letting the thread accumulate more state?
Medium
- How would you represent session memory so the assistant keeps necessary user context without carrying forward attacker priming?
- What dashboard, alert, or review queue would you build to surface gradual drift that per-turn checks miss?
Hard
- How would you test long-session resilience when the attack path depends on eight to twelve individually benign turns?
- What tradeoff would you make between personalization and security if session-level controls start truncating useful context or increasing refusals?
Very Hard
- How would you distinguish malicious scope drift from a legitimate advanced user who naturally asks deeper operational questions over time?
- If a distributed attacker spreads the poisoning pattern across many sessions and identities, what cross-session signals or offline analyses would you rely on to detect the campaign?