Security/ ai · security · llm-agents · red-teaming

AI Agents Used to Red-Team Other AI Agents

Researchers built a system that autonomously discovers and maps reusable vulnerabilities in production LLM agents like Claude Code and Codex.

A research tool that uses one AI agent to find exploitable weaknesses in another has identified a shared vulnerability core across major coding agents.

Researchers introduced AHA, an automated red-teaming framework that runs a loop: propose a vulnerability hypothesis, build a test to falsify it, craft a real attack, execute it in a sandbox, and log what actually enabled the unsafe behavior. Confirmed findings get promoted into a Vulnerability Concept Graph (VCG) — a structured map linking attacker-facing surfaces to the conditions that let an attack succeed. The team tested the system against Claude Code and Codex across three scenarios covering both direct and indirect attacks. A frozen VCG — one that stops searching and just applies what it learned — outperformed the strongest comparable baseline by 14.2 percentage points under the same single-shot protocol.

What makes this more than a benchmark curiosity is the reusability finding. The VCG transfers across models, scenarios, and attack channels, meaning a weakness discovered against one agent tends to predict weaknesses in another. Production LLM agents operate over untrusted files, commands, and workspace state, so a safety failure is not theoretical — it is directly actionable. A structured, auditable artifact that safety teams can inspect and update as models evolve is a meaningful step beyond attack-success scorecards that record outcomes without explaining the enabling conditions.

The irony worth noting: the same agentic autonomy that makes coding assistants useful is exactly what makes them worth attacking systematically. The code is open-source, so defenders and attackers now have equal access to the blueprint.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →