An automated red-teaming tool called RedCoder can coax code-generating AI models into producing vulnerable code through extended, multi-turn conversations.
Researchers built RedCoder as a pipeline with two phases. First, a multi-agent simulation plays out adversarial dialogues, generating prototype conversations and a reusable library of attack strategies. Then a base LLM is fine-tuned on those conversations, producing an agent that can autonomously probe target code models, pulling from the strategy library in real time to steer exchanges toward vulnerability-inducing outputs. In tests across several code-generation models, RedCoder outperformed both single-turn and existing multi-turn red-teaming methods at surfacing security weaknesses.
The work matters because code-generation tools are now embedded in daily developer workflows, and most security evaluations still treat the model as a single-shot oracle — one prompt in, one answer out. Real coding sessions are iterative: a developer refines, asks follow-ups, and shares partial code. An attacker operating the same way has more surface area than a single malicious prompt ever could. RedCoder closes the gap between how these models are tested and how they are actually used.
The study also highlights a scalability problem with today's red-teaming practice: it leans heavily on human effort, which caps how many models or scenarios can be evaluated. Automated multi-turn probing does not solve alignment — it just makes the audit cheaper. Whether the labs shipping these coding tools will adopt it before adversaries build the same thing independently is the more uncomfortable question.