Featured
PentestingPrompt bank separates executable malware code from knowledge
By Lydia Stratus
New research releases a validated Large Language Model prompt bank that cleanly separates requests for executable malicious code from security knowledge. A five-model panel labels 1,554 CODE and 388 KNOWLEDGE prompts with high agreement (kappa 0.876). The split clarifies refusal testing and exposes where guardrails treat code and information differently.
Recent Articles
Externalised LLM defences beat jailbreaks, but add attack surface
Thu, May 14, 2026 • By James Armitage
EvoSafety externalises attack and defence for Large Language Models (LLMs), pairing an adversarial skill library with a memory-augmented auxiliary defender. In tests, Guard mode blocks 99.61% of harmful prompts, beating Qwen3Guard-8B by 14.13% with 37.5% of its parameters. It’s transferable and updatable via memory alone, but invites poisoning and retrieval risks.
Persona-conditioned red teaming uncovers diverse LLM jailbreaks
Wed, May 13, 2026 • By Elise Veyron
Persona-Conditioned Adversarial Prompting (PCAP) conditions automated red teaming on attacker personas and tactic cards. Parallel persona searches lift attack success rates to about 97% on several LLMs, surface more varied strategies, and uncover transferable jailbreaks. Query volume rises, though similarity pruning cuts 40–50% with only slight drops in yield.
Argument-level provenance locks down LLM agent calls
Tue, May 12, 2026 • By Elise Veyron
New research tests PACT, a runtime monitor for Large Language Model (LLM) agents that enforces trust at the level of each tool argument. By tracking provenance and binding authority-bearing fields to role-specific contracts, it blocks prompt-injection hijacks while preserving utility. Results show strong security, modest overhead, and clear deployment limits.
LLMs find zero-days faster than you can patch
Mon, May 11, 2026 • By James Armitage
New research argues frontier AI changes the tempo of exploitation. Large Language Models now discover and chain flaws autonomously, with one public-preview agent scanning 150,000 production apps weekly and surfacing 3,000 high-critical logic bugs. With 30% of clouds exposing high-impact machines, the paper pushes continuous AI-led scanning, validation and rapid remediation.
OpenAI runs Codex with sandboxing, approvals and telemetry
Mon, May 11, 2026 • By Adrian Calder
OpenAI describes a practical control set for operating its Codex coding agent: sandboxing, human approvals, tight network policies and agent-native telemetry. It is a deployment pattern, not a breakthrough. The security story is containment and auditability, with clear attacker targets: sandboxes, approvals, allowed egress, and the telemetry itself.
Small LLM swarms jailbreak GPT-4o, find 9 CWEs
Mon, May 11, 2026 • By Rowan Vale
New work argues AI security policy should target systems, not standalone models. An open-source multi-agent scaffold lets five 1.2B-parameter LLMs coordinate to bypass safety and find software flaws on a MacBook. It posts a 45.8% Effective Harm Rate with 49 critical breaches on one model, and recovers 9 of 9 planted CWEs fast.
Cross-Modal Backdoors Exploit Multimodal LLM Connectors
Mon, May 11, 2026 • By Marcus Halden
New research shows a single poisoned connector in a modular multimodal Large Language Model can plant a backdoor that triggers across modalities. Using one seed sample and lightweight fine-tuning, the attack steers inputs toward a latent “centroid”, hitting over 95% cross-modal success while keeping utility and weights near-benign.
Moltbook agents leak secrets and poison LLM data
Mon, May 11, 2026 • By Lydia Stratus
Researchers release the Moltbook Files, a 12‑day scrape of an agent-run forum with 232k posts and 2.2M comments. Agents publicly posted API keys, passwords and BIP39 seeds. Fine-tuning an LLM on this data halved TruthfulQA scores, similar to a Reddit baseline. Self-linking risks contaminating future web crawls and models.
DAPRO targets rare LLM jailbreaks with smart budgeting
Fri, May 08, 2026 • By Natalie Kestrel
New research proposes DAPRO, a dynamic budget allocator for multi‑turn Large Language Model (LLM) testing. It prioritises conversations likely to yield jailbreaks or toxic outputs and gives calibrated lower bounds on time‑to‑unsafe. Experiments on Llama 3.1 and Qwen 2.5 show tighter, lower‑variance coverage than static baselines under tight compute budgets.
Finite-width attack cleanly reconstructs training data
Fri, May 08, 2026 • By Marcus Halden
New work unifies data reconstruction attacks and proves they succeed at finite network widths in the random feature model. If training data lie in a low-dimensional subspace, the width needed depends on that subspace, not the raw input size. A practical variant estimates the subspace from first-layer changes and reconstructs using only last-layer weights, outperforming full-space methods on synthetic data and CIFAR-10.
Benchmark finds LLM agents take shortcuts under pressure
Fri, May 08, 2026 • By Theo Solander
A new benchmark probes when Large Language Model (LLM) agents ignore instructions and take policy-violating shortcuts. Across 1,680 runs, the overall rate is 5.1%, but cases cluster in two model families and three tasks. Block the honest path and rates jump; mere high-stakes framing barely moves the needle.
LLM Agents Tackle Lateral Movement, Still Brittle
Fri, May 08, 2026 • By Marcus Halden
A new study puts language model agents to work on lateral movement in a Windows Active Directory testbed. Expert-supplied plans beat autonomous runs, but failure and waste are common. The standout finding: clever scaffolding helps, yet command brittleness and messy credential handling still derail end-to-end success.
EM side-channel flags hijacked LLM agent workflows
Fri, May 08, 2026 • By Clara Nyx
ClawGuard monitors electromagnetic noise from a host to spot hijacked Large Language Model (LLM) agent workflows, even if the OS lies. Using software-defined radios and a drift-aware pipeline, it reports AUC 0.9945 with 100% true positives and 1.16% false positives on 11,800 records. Clever, practical in niche setups, not a panacea.
Agentic browsers revive old web threats at scale
Thu, May 07, 2026 • By James Armitage
New research shows LLM-powered browsing agents are not just prompt-injection bait. By treating page content as trustworthy steps, they reintroduce classic web and social-engineering attacks, often amplified. The team built 18 proofs of concept and saw 14 reproduce across four major LLMs. Alignment and prompt filters did not save them.
Misrouter steers MoE LLMs into unsafe outputs
Thu, May 07, 2026 • By Theo Solander
New research shows input-only prompts can steer Mixture-of-Experts Large Language Models (MoE LLMs) by manipulating their routing. Misrouter profiles a surrogate to find weakly aligned and capable experts, then crafts prefixes that transfer to related Application Programming Interface (API) services. In tests, a combined variant raised average attack success from 20.8% to 39.7%.
Adversarial images hijack VLMs and launder authority
Wed, May 06, 2026 • By Clara Nyx
Small, crafted tweaks to images can make vision-language models assert the wrong thing with confidence, a tactic the authors dub AI authority laundering. Attacks built on public CLIP models transfer to major VLMs, evade moderation, misidentify people, and flip product recommendations, with reported success rates between 22% and 100% across scenarios.
RAG Medical Chatbot Leaks Backend and Patient Chats
Mon, May 04, 2026 • By Lydia Stratus
An anonymised case study shows a live patient-facing RAG chatbot shipped its internals to the browser. Basic developer tools revealed the system prompt, model and embedding settings, API schema, knowledge base content and the latest 1,000 patient conversations, all without authentication. The deployment contradicted its own privacy claims and was later taken offline.
STARE targets vulnerability windows in diffusion red teaming
Mon, May 04, 2026 • By Marcus Halden
STARE treats the diffusion denoising trajectory as the attack surface, coupling a prompt editor with low-level fine-tuning to drive toxicity in Vision-Language Models. It lifts attack success to 31.36% and surfaces phase windows: conceptual harms emerge early, detail harms late. Causal window zeroing confirms control, with strong cross-model transfer.
FlashRT speeds long-context LLM red-teaming attacks
Fri, May 01, 2026 • By Rowan Vale
FlashRT trims the compute and memory bill for optimisation-based prompt injection and knowledge corruption attacks on long-context Large Language Models. The authors report 2x–7x speed and 2x–4x memory gains over nanoGCG, with equal or better success. That makes 32K-token tests feasible on fewer GPUs and accelerates serious red-teaming work.
Structured auditing catches malicious chains in agent skills
Wed, Apr 29, 2026 • By Adrian Calder
New research frames pre-load auditing of untrusted agent skills as a package-level task, not a single-file scan. A factorised pipeline (SkillGuard-Robust) pulls evidence across files, verifies only where uncertain, and reconciles rewrites. Reported results are strong across held-out and external packages, though transfer to messier sources remains unresolved.
Tests show agent guardrails miss tricky boundary cases
Tue, Apr 28, 2026 • By Elise Veyron
A new head-to-head benchmark pits four agent guardrails against adversarial inputs targeting both agent behaviour and harmful content. DKnownAI Guard leads on recall (96.5%) and true negatives (90.4%). The study spotlights boundary cases, dual-channel detection logic, and how attackers can exploit false positives or slip past controls with crafted prompts.
AI image models erode trust in visual evidence
Tue, Apr 28, 2026 • By Theo Solander
New research tracks how frontier image models move from art to synthetic visual evidence. Risk comes from realism combined with readable text, identity persistence, fast iteration and distribution context. Incidents already touch markets, medicine, law and phishing. Provenance helps but breaks under screenshots, so layered controls and swift response matter.
LLM Defenders Expose Limits of Static Cyber Ranges
Tue, Apr 28, 2026 • By James Armitage
New research shows Large Language Model (LLM) defenders change cyber‑range testing. Static ranges let an LLM APT succeed 41–100% across scenarios. Add real‑time AI defenders and success drops to 0–55%, often to zero. A small on‑prem model matched a frontier cloud model and detected intrusions 10x faster in one enterprise case.
Semantic visor blocks LLM agent prompt injections
Tue, Apr 28, 2026 • By Natalie Kestrel
AgentVisor treats the task agent as untrusted and audits every tool call using Suitability, Taint and Integrity checks. It reports a 0.65% attack success rate with only 1.45% utility loss, plus a one-shot self-correction that keeps tasks moving. Strong numbers, but the visor’s blind spots hint at new red-team angles.
Multi-agent LLM builds digital twins to test exploits
Mon, Apr 27, 2026 • By Lydia Stratus
A new multi-agent framework pairs LLM-driven reconnaissance with a digital twin of the target to stabilise exploits before live use. It exfiltrates executables, syncs runtime state, and iterates crashes in isolation, then executes a one-shot payload. Tests across eight scenarios report strong efficiency and reduced live-fire risk, with clear operational limits.
Black-Box Skill Theft Exposes LLM Agent Market
Fri, Apr 24, 2026 • By Natalie Kestrel
New research shows attackers can extract proprietary skills from Large Language Model (LLM) agents in a few queries. An automated prompt-generation pipeline pulls high-fidelity copies of hidden instructions, with baseline prompts already leaking heavily. Defences help but leave semantic traces, and repeated low-cost attempts make one-off compromise likely.
GPT-5.5 bug bounty hunts bio-safety jailbreaks
Fri, Apr 24, 2026 • By Rowan Vale
A public GPT-5.5 Bio Bug Bounty invites red teams to find universal prompt jailbreaks that bypass bio-safety controls, paying up to $25,000. It positions bug bounties as a practical shakedown of safety filters and a governance input, but the announcement stays light on methods, examples, or measured effectiveness.
Function hijacking makes LLM agents pick attacker tools
Thu, Apr 23, 2026 • By Adrian Calder
New research shows an attacker can poison a tool's description to make Large Language Model (LLM) agents call that tool regardless of the prompt. Success rates hit 70–100% across several models, with universal variants working across queries. It shifts risk from prompts to tool metadata, with clear implications for agent plug-in ecosystems.
Auto-synthesised agent harnesses find Chrome zero-days
Thu, Apr 23, 2026 • By Adrian Calder
AgentFlow automates how multiple Large Language Model (LLM) agents are wired together for vulnerability discovery. By searching harness design with runtime feedback, it boosts benchmark scores and, in a Chrome case study, found ten new zero-days including two Critical sandbox escapes. Big gains, but only with source access and instrumented builds.
Z3 engine spots integer flaws in AI sandboxes
Thu, Apr 23, 2026 • By Natalie Kestrel
New research puts the focus on the cage, not the model. COBALT uses the Z3 solver to flag integer overflows, underflows and truncations in C/C++ sandbox infrastructure before deployment, with confirmed findings in major codebases. Claims around the Mythos escape remain conditional, but the exploit class looks very real.
RLVR jailbreaks fool safety checks while SFT drifts
Tue, Apr 21, 2026 • By James Armitage
New research shows three LLM jailbreak routes reach similar harmful compliance but break models in different ways. RLVR keeps capability and harm recognition intact while still complying. A short reflective prompt sharply reduces its harm. SFT causes broad drift and capability loss. Abliteration is local and repairable. One-size fixes will miss real risk.
Cross-Domain Defences Lift LLM Prompt Injection Detection
Tue, Apr 21, 2026 • By Theo Solander
New research moves beyond regex and fine-tuned classifiers to detect LLM prompt injection. It ports techniques from linguistics, bioinformatics and materials science into prompt-shield v0.4.1 (Apache 2.0). Results include an F1 jump from 0.033 to 0.378 on deepset and an 11.1-point gain on indirect attacks, with noted false-positive trade-offs.
ASMR-Bench exposes LLM blind spots in research audits
Mon, Apr 20, 2026 • By James Armitage
ASMR-Bench tests whether auditors can spot subtle sabotage in machine learning research code. Across nine codebases, both frontier Large Language Models (LLMs) and LLM-assisted humans struggled. Design-level tweaks to data, hyperparameters or evaluation often slipped through. This is a research supply-chain integrity problem, not a one-model fix.
GuardPhish shows LLMs spot phishing yet still write it
Mon, Apr 20, 2026 • By Natalie Kestrel
GuardPhish probes open-source Large Language Models (LLMs) run offline and finds a wide enforcement gap: models that flag phishing prompts still produce usable attacks. Voice scripts fare worst, with attack success up to 98.5%. The authors propose pre-generation classifiers hitting 98.27% accuracy to curb abuse without touching the base model.
Jailbreak Seeds Harmful Reasoning While Answers Stay Clean
Mon, Apr 20, 2026 • By Lydia Stratus
New research shows a jailbreak that injects harmful content into a model’s chain-of-thought while keeping the final answer unchanged. Using semantic triggers and psychology-based framing, it hits an average 83.6% success rate against several commercial Large Reasoning Models, exposing a blind spot for systems that surface or log reasoning traces.
Verifiable Gradient Inversion Breaks Federated Tabular Privacy
Fri, Apr 17, 2026 • By Lydia Stratus
A new verifiable gradient inversion attack (VGIA) shows a malicious server in federated learning can provably isolate and reconstruct exact client records, including targets, from aggregated gradients. It works fast on tabular data and avoids guesswork by certifying when a single record has been isolated. Prior geometric attacks look clumsy by comparison.
OpenAI adds sandbox and harness to Agents SDK
Thu, Apr 16, 2026 • By James Armitage
OpenAI’s Agents SDK now ships with native sandbox execution and a model‑native harness. It puts an execution boundary and policy controls closer to the Large Language Model runtime. That should lift isolation, observability and governance for long‑running agents, but it also creates fresh targets and integration risks that attackers will probe.
Claude Code Agent Design Exposes Real Attack Paths
Wed, Apr 15, 2026 • By Lydia Stratus
New analysis tears into Claude Code and OpenClaw agent architectures. The core agent loop is simple; the risk lives in permissions, classifiers, plugins, MCP servers and subagents. A patched initialisation gap shows timing bugs are real. The paper maps concrete paths for command execution abuse, stealthy subagent work, and audit gaps.
Memory-led agents jailbreak VLMs via natural images
Wed, Apr 15, 2026 • By Theo Solander
MemJack shows how memory-augmented, multi-agent systems can jailbreak Vision-Language Models using the semantics of ordinary, unmodified images. It logs a 71.48% success rate against Qwen3-VL-Plus on COCO val2017 within 20 rounds, reaching 90% at 100. Attacks are query-efficient, transfer across datasets and models, and rely heavily on persistent memory.