Write clear, unambiguous instructions using ordered steps, motivation, roles, and XML-style delimiters.
Apply few-shot examples effectively and place content across system, user, and tool_result surfaces by trust level.
Constrain output with positive format targets, XML indicators, and Structured Outputs, and recognize the deprecation of last-turn prefilling.
Iterate on prompts empirically and defend against direct jailbreaks and indirect prompt injection through input sanitization.
Pre-Reading Check — Instruction Clarity
What is the core idea behind Anthropic's "Golden Rule of Clear Prompting"?
Why does Anthropic recommend explaining the motivation behind an instruction (e.g., "because a text-to-speech engine will read this aloud")?
Which statement about XML tags in prompts is correct?
For a long-context task (20,000+ tokens), where does Anthropic recommend placing the longform documents relative to the query?
Section 1: Instruction Clarity
Key Points
Golden Rule: if a low-context colleague would be confused by your prompt, Claude will be too — clarity is the highest-leverage lever.
Be explicit about desired output ("go beyond the basics"), give ordered steps when sequence matters, and explain the motivation so Claude can generalize.
Use XML-style delimiters (<instructions>, <context>, <input>) to separate instructions from data.
Claude has no reserved or special tag names — only consistency and descriptiveness matter.
For long-context inputs, place documents at the top and the query at the end (up to +30% quality on complex multi-document inputs).
The foundational principle is to be clear and direct: Claude responds well to explicit, specific instructions, and vague prompts produce vague results. The analogy running through Anthropic's guidance is to treat Claude as a brilliant but brand-new employee who lacks context on your norms and workflows. If you want "above and beyond" behavior, you must ask for it explicitly rather than hoping Claude infers it.
Three clarity techniques compound: (1) sequential steps — numbered lists prevent skipped stages; (2) motivation — the why lets Claude generalize intent; and (3) delimiters — XML tags disambiguate where instructions end and data begins. A system prompt (via the system parameter) sets role and high-level rules; a user prompt (in the messages array) carries the actual query.
graph TD
A["Top: <documents> block (20K+ tokens of longform data)"] --> B["Middle: <instructions> (how to analyze)"]
B --> C["Bottom: <query> (the actual question)"]
C -. "position at end drives up to +30% quality" .-> A
Animation slot: an interactive "before/after" prompt rewriter — a vague "Summarize this feedback" morphing into a role-assigned, motivation-stated, step-ordered, delimited prompt.
Post-Reading Check — Instruction Clarity
What is the core idea behind Anthropic's "Golden Rule of Clear Prompting"?
Why does Anthropic recommend explaining the motivation behind an instruction (e.g., "because a text-to-speech engine will read this aloud")?
Which statement about XML tags in prompts is correct?
For a long-context task (20,000+ tokens), where does Anthropic recommend placing the longform documents relative to the query?
Pre-Reading Check — Examples and Placement
How many few-shot examples does Anthropic recommend for best results?
Why should few-shot examples be diverse and cover edge cases?
Per Anthropic's placement guidance, where should role, persona, and high-level operating rules go?
Untrusted third-party content (web pages, emails, search results) should be placed where?
The same instruction sentence has different authority depending on where it sits. What does placement primarily encode?
Section 2: Examples and Placement
Key Points
Show, don't just tell: few-shot (multishot) examples are one of the most reliable ways to steer output — use 3–5 of them.
Good examples are relevant (mirror the use case), diverse (cover edge cases to avoid accidental patterns), and structured (wrapped in <example> tags).
Put role and policy in the system prompt; put task instructions, examples, and the query in the user turn.
Route untrusted third-party content exclusively through tool_result blocks — placement is a security control, not a style choice.
Placement encodes trust level: developer-authored content goes high in the hierarchy; outside-world content goes into tool results.
After clarity, the most reliable way to steer format, tone, and structure is to show Claude what you want. You can even ask Claude to evaluate your examples for relevance and diversity, or to generate additional examples from a seed. If you place <thinking> tags inside examples, Claude generalizes that reasoning style.
Content type
Recommended placement
Role / persona / high-level operating rules
System prompt
Untrusted-content policy, ethical boundaries
System prompt
Task instructions and ordered steps
User turn (or system)
Few-shot examples
User turn
The actual query / variable input
User turn
Untrusted third-party content
tool_result blocks only
An instruction in the system prompt is treated as an operating rule; the identical sentence inside a tool_result is treated as untrusted data. Placement therefore deliberately encodes trust level — the conceptual bridge to input sanitization in Section 4.
Figure 9.2: Placement decision by trust level
flowchart TD
A["New content to add to the prompt"] --> B{"Who authored it?"}
B -->|"Developer-trusted"| C{"Role, persona, or policy?"}
B -->|"Outside world (web, email, docs, search)"| D["tool_result block ONLY"]
C -->|"Yes"| E["System prompt (operating rule)"]
C -->|"No: task, examples, query"| F["User turn"]
D --> G["Label nature and origin; treat as data, not instructions"]
Animation slot: drag-and-drop sorter — drop content chips (role, examples, email body) into System / User / tool_result bins and see the trust level highlight.
Post-Reading Check — Examples and Placement
How many few-shot examples does Anthropic recommend for best results?
Why should few-shot examples be diverse and cover edge cases?
Per Anthropic's placement guidance, where should role, persona, and high-level operating rules go?
Untrusted third-party content (web pages, emails, search results) should be placed where?
The same instruction sentence has different authority depending on where it sits. What does placement primarily encode?
Pre-Reading Check — Output Constraints
What is Anthropic's most important format-steering rule?
For guaranteed machine-readable output such as JSON conforming to a schema, what does Anthropic recommend?
What changed regarding prefilling on Claude 4.6 models and Claude Mythos Preview?
You previously prefilled Claude to eliminate preambles like "Here is...". What is the modern replacement?
Section 3: Output Constraints
Key Points
Positive targets beat prohibitions: "Write in flowing prose paragraphs" works better than "Do not use markdown."
Use XML format indicators so you can programmatically extract content between named tags, and match prompt style to desired output.
For guaranteed machine-readable output, use Structured Outputs or tool-call enums — they constrain at the decoding level, not just by request.
Last-turn prefilling is deprecated on Claude 4.6+ / Mythos Preview and returns a 400 error; prefills elsewhere in a conversation are unaffected.
Ask explicitly for post-tool-use summaries if you want visibility; tone is emergent — tune it through iteration, not one magic sentence.
Output constraints govern the shape of a response — format, length, structure, tone, style. The four format-steering methods are: (1) say what to do, not what not to do; (2) use XML format indicators; (3) match prompt style to desired output; (4) use detailed formatting blocks for specific preferences.
Historically, prefilling (putting words in Claude's mouth) forced JSON with { or maintained a role with a bracketed label. That last-turn technique is now deprecated on newer models. The migration paths:
Former prefill use
Modern replacement
Enforcing JSON/format (prefill {)
Structured Outputs, or ask the model to match the schema directly
Eliminating preambles
System-prompt instruction ("respond directly, no 'Here is...'"), or strip in post-processing
Avoiding bad refusals
Clear prompting in the user message now suffices
Continuations
Move interrupted text into the user turn and ask Claude to continue
Role/context consistency
Inject the reminder into the user turn, or hydrate via tools/compaction
Animation slot: a schema-conformance meter comparing "prompt-only JSON request" (occasional failures) vs. "Structured Outputs" (guaranteed conformance).
Post-Reading Check — Output Constraints
What is Anthropic's most important format-steering rule?
For guaranteed machine-readable output such as JSON conforming to a schema, what does Anthropic recommend?
What changed regarding prefilling on Claude 4.6 models and Claude Mythos Preview?
You previously prefilled Claude to eliminate preambles like "Here is...". What is the modern replacement?
Pre-Reading Check — Iteration and Input Sanitization
What does the Console Prompt Improver do?
How can you tell whether a prompt change actually helped?
What distinguishes indirect prompt injection from a direct jailbreak?
Which is a recommended defense against indirect prompt injection?
A lightweight "harmlessness screen" (e.g., Claude Haiku 4.5) typically returns what, constrained by structured outputs?
Why should you avoid putting your own instructions in tool results?
Section 4: Iteration and Input Sanitization
Key Points
Prompting is empirical: write → test → gather feedback → refine. The Console Prompt Improver automates best-practice rewrites (reported +30% accuracy, 100% word-count adherence).
Measure by testing variants against a fixed evaluation set; use chain-of-thought ("think step by step") and prefer general "think thoroughly" instructions plus self-checks.
Direct jailbreaks: the user is the adversary — defend with harmlessness screens, input validation, ethical system prompts, and throttling repeat offenders.
Indirect injection: the user is trusted but third-party content hides instructions — make untrusted content unambiguously data, not instructions.
Route untrusted content through labeled, JSON-encoded tool_result blocks under an <untrusted_content_policy>, screen it with a classifier, apply least privilege, and chain safeguards.
No prompt is perfect on the first draft. Refinement only matters if you can measure it, so test candidates against representative inputs with known-good outputs. Chain-of-thought reasoning helps, and on models with adaptive thinking Claude dynamically decides when and how much to reason.
Figure 9.3: Iterative refinement loop
flowchart TD
A["Draft prompt"] --> B["Evaluate against fixed test set"]
B --> C{"Clears threshold? (accuracy, format, word count)"}
C -->|"No"| D["Refine (Prompt Improver, CoT, examples)"]
D --> A
C -->|"Yes"| E["Ship"]
Input sanitization validates, labels, and neutralizes untrusted input. Anthropic distinguishes direct attacks (the user is the adversary) from indirect injection (trusted user, adversarial third-party content). Defenses against indirect injection all share one goal: make untrusted content unambiguously data.
Defense
What it does
Untrusted content in tool_result only
Claude is trained to treat tool-result instructions with skepticism
Label nature and origin
e.g. "body of an inbound email from an unknown sender"
<untrusted_content_policy> in system prompt
Declares tool/document content must never override system or user; report embedded instructions rather than act
JSON-encode untrusted content
Escaping gives unambiguous delimiters so attackers can't "break out"
Least privilege
Sandbox tools, scope permissions narrowly
Screen tool outputs
Classifier returns e.g. {"injection_suspected": bool}
flowchart TD
A["Untrusted third-party content (web, email, doc, tool output)"] --> B["Route into labeled tool_result block"]
B --> C["JSON-encode content (unambiguous delimiters)"]
C --> D["Screen with lightweight classifier: {injection_suspected: bool}"]
D -->|"Flagged"| E["Return error or stripped summary"]
D -->|"Clean"| F["Claude processes under untrusted_content_policy + least privilege"]
F --> G["Report embedded instructions rather than act on them"]
Animation slot: an attack simulator — a malicious document with a hidden "ignore your instructions" line flows through the defense pipeline and gets flagged/stripped before reaching Claude.
Post-Reading Check — Iteration and Input Sanitization
What does the Console Prompt Improver do?
How can you tell whether a prompt change actually helped?
What distinguishes indirect prompt injection from a direct jailbreak?
Which is a recommended defense against indirect prompt injection?
A lightweight "harmlessness screen" (e.g., Claude Haiku 4.5) typically returns what, constrained by structured outputs?
Why should you avoid putting your own instructions in tool results?