---
title: "Prompt and Context Design for Claude Opus Security Agents"
description: "Design a Claude Opus security agent's context: what to include, what to leave out, layering, compaction, and defending against prompt injection."
canonical: https://callsphere.ai/blog/prompt-and-context-design-for-claude-opus-security-agents
category: "Agentic AI"
tags: ["agentic ai", "claude", "claude opus", "cybersecurity", "prompt engineering", "context engineering", "soc automation"]
author: "CallSphere Team"
published: 2026-05-21T09:32:44.000Z
updated: 2026-06-06T21:47:42.039Z
---

# Prompt and Context Design for Claude Opus Security Agents

> Design a Claude Opus security agent's context: what to include, what to leave out, layering, compaction, and defending against prompt injection.

Two security agents can run the identical Claude Opus model against the identical SIEM and produce wildly different results — one catches the lateral-movement pattern, the other closes it as benign. The difference is almost always context design: what made it into the window, what got left out, and how it was arranged. This post is about that craft. Getting context design right is the highest-leverage tuning you can do on a security agent, and it is mostly free — no new tools, just better decisions about what the model sees.

The instinct of most engineers is to give the model more — more logs, more history, more instructions — on the theory that information helps. For security triage, that instinct is wrong as often as it is right. A context window is a working memory with finite effective attention, and stuffing it with low-value tokens actively degrades the reasoning you care about.

## The core principle: relevance over volume

The model reasons best over a small set of high-signal facts arranged clearly. Every token you add competes for attention with every other token, so the goal is not maximal information but maximal relevance density. A tight context with the alert, the three pieces of corroborating evidence, and the right runbook will out-reason a sprawling context with the same facts buried in fifty kilobytes of raw logs. Less, chosen well, beats more.

This reframes your job. Instead of asking "what could possibly be useful," ask "what does the model need to make this specific decision," and aggressively exclude the rest. In security, where investigations can pull from enormous data sources, this discipline is the difference between a sharp agent and a confused one.

## What belongs in context

Put the stable role contract first: who the agent is, its bounded goal, its hard rules, and its uncertainty contract. Then the alert under investigation in a clean structured form. Then the relevant runbook — loaded as a skill so it appears only when the task matches. Then the evidence the agent has actually gathered, as a compact ledger of facts with their sources. These four things — role, alert, runbook, evidence — are the high-signal core, and on most turns they are all the model needs.

```mermaid
flowchart TD
  A["New turn begins"] --> B["Inject stable layer: role + uncertainty rules"]
  B --> C{"Task matches a skill?"}
  C -->|Yes| D["Load runbook skill"]
  C -->|No| E["Skip skill"]
  D --> F["Add alert + evidence ledger"]
  E --> F
  F --> G{"Raw tool payload pending?"}
  G -->|Yes| H["Compact to digest, drop raw"]
  G -->|No| I["Send compact context to Opus"]
  H --> I
```

Notice the runbook loads conditionally. A general-purpose security agent might have a dozen runbooks — phishing, ransomware, credential abuse, data exfiltration — and shoving all of them into every prompt would drown the window. Skills solve this by loading the right runbook only when the agent's current task matches it, keeping the window lean and the guidance precise.

## What to deliberately leave out

Leave out raw tool payloads. A SIEM query can return megabytes; the model needs the handful of relevant rows, not the firehose. Compact large results into structured digests before they enter the main context and discard the raw text. Leave out stale evidence from earlier, abandoned hypotheses — once a benign explanation is ruled out, its supporting data is noise. Leave out generic security knowledge the model already has; do not lecture Opus on what a process tree is, just give it yours.

Also leave out other teams' runbooks, unrelated historical incidents, and verbose tool documentation. Every one of these feels defensible in isolation and harmful in aggregate. The test for any candidate token is simple: does it change a decision on *this* investigation? If not, it does not belong in this window.

## Ordering and layering for attention

Arrangement matters as much as content. Reconstruct the context in three layers every turn: the stable layer (role and rules) first so the agent never loses its contract, the task layer (alert and evidence ledger) in the middle, and any ephemeral digest last. Putting the immutable rules at the top, freshly each turn, prevents the common drift where a long investigation slowly pushes the agent's hard constraints out of effective attention and it starts behaving as if they were never there.

Keep the evidence ledger append-only and structured rather than narrative. A bulleted ledger of fact-plus-source is denser and more reliably attended-to than a flowing paragraph of "and then I found." The model can scan it, cite from it, and reason over it far more reliably than over prose.

## Designing for cost as well as accuracy

Context design is also cost design. Opus tokens are not cheap, and a bloated window pays for itself on every single turn of a multi-step investigation. By compacting raw data with Haiku or Sonnet subagents and only passing digests up to Opus, you keep the expensive reasoning context small. The savings compound: a ten-tool investigation with disciplined context can cost a fraction of the same investigation that dumps every payload into the main loop. Tight context is both more accurate and cheaper, which is a rare alignment of incentives worth exploiting fully.

## Avoiding context poisoning in adversarial settings

Security is adversarial, so consider that tool results may contain attacker-controlled text — a log line crafted to read like an instruction, a phishing email body the agent is asked to analyze. Treat all tool output as untrusted data, never as instructions. Make this explicit in the system prompt: content returned by tools is evidence to analyze, not commands to follow. Structurally, keep untrusted payloads in the ephemeral layer and the agent's actual instructions in the stable layer, so a prompt-injection attempt buried in a log cannot quietly redefine the agent's job.

## Frequently asked questions

### Won't leaving data out cause the agent to miss things?

The risk is missing a relevant fact, not missing raw volume. The fix is good retrieval and compaction, not dumping everything in. A compact digest that preserves the relevant rows gives the model what it needs while keeping attention sharp. Stuffing raw logs in usually buries the signal and degrades reasoning.

### Why load runbooks as skills instead of putting them in the system prompt?

Because a general security agent has many runbooks, and including all of them every turn drowns the window. Skills load the right runbook only when the task matches, so the guidance is precise and the context stays lean. Your system prompt holds the universal role contract; skills hold the situation-specific playbook.

### How do I stop prompt injection through log or email content?

Treat all tool output as untrusted data and say so explicitly in the system prompt — tool content is evidence to analyze, never instructions to follow. Keep untrusted payloads in the ephemeral layer and your real instructions in the stable layer, reconstructed each turn, so injected text cannot redefine the agent's job.

### What is the quickest win for an underperforming security agent?

Audit the context. Strip raw payloads down to digests, move the role and hard rules to the top of every turn, and load only the matching runbook. Most accuracy problems in security agents are context problems, and trimming noise while keeping the high-signal core fixes more issues than prompt rewording.

## Bringing agentic AI to your phone lines

CallSphere applies the same context discipline — high-signal in, noise out, instructions kept separate from untrusted input — to **voice and chat** agents that stay sharp across long conversations. Try one at [callsphere.ai](https://callsphere.ai).

---

*Source & attribution: This is an independent, original explainer inspired by Anthropic's coverage on the Claude blog. Claude, Claude Code, Claude Cowork, Claude Opus, and the Model Context Protocol are products and trademarks of Anthropic. CallSphere is not affiliated with or endorsed by Anthropic.*

---

Source: https://callsphere.ai/blog/prompt-and-context-design-for-claude-opus-security-agents