Agent Hacks Agent: Autoresearch for Production-Agent Red-Teaming

📅 2026-07-13
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the limitation of existing red-teaming methods, which struggle to uncover reusable vulnerability mechanisms underlying unsafe behaviors in production-grade LLM agents—such as Claude Code and Codex—and often merely document successful attack instances without systematically analyzing their enabling conditions. To bridge this gap, the paper introduces AHA, the first automated red-teaming framework that supports a hypothesis–falsification loop. Operating within an isolated environment, AHA explores vulnerabilities and abstracts them into structured Vulnerability Concept Graphs (VCGs), comprising claims, enabling conditions, falsifiers, and transferability predictions. Leveraging proxy research environments, sandboxed execution, trajectory reflection, and graph-based knowledge representation, AHA enables cross-model and cross-scenario knowledge transfer under a single attack protocol. Experiments show that frozen VCGs yield a 14.2 percentage point improvement over the strongest baseline across three attack scenarios on Claude Code and Codex, delivering auditable and reusable vulnerability knowledge assets for security teams.
📝 Abstract
Production LLM agents such as Claude Code and Codex operate over untrusted content, files, commands, and workspace state, making safety failures directly actionable. Red-teaming must therefore keep pace with evolving models and tools. Existing approaches mainly optimize attack success and preserve artifacts such as benchmarks, payloads, or attack programs, which record where attacks succeed but not the enabling conditions behind unsafe agent behavior. We study automated red-teaming for production LLM agents using one agentic research environment to discover reusable vulnerability knowledge about another. We present AHA, a falsifiable discovery loop that proposes a vulnerability hypothesis, constructs a falsifier, instantiates a valid attack, executes it in a sandboxed harness, reflects on the trajectory, and promotes confirmed findings into a Vulnerability Concept Graph (VCG). Each concept links an attacker-facing surface to an unsafe trajectory through a claim, enabling condition, falsifier, transfer prediction, and supporting evidence. Across Claude Code and Codex on three scenarios covering direct and indirect attacks, the discovered concepts reveal a reusable vulnerability core across models and agents. A frozen VCG requires no further search and outperforms the strongest frozen discovery baseline by 14.2 percentage points under the same single-shot protocol, while transferring across scenarios and attack channels. The resulting VCG provides an auditable artifact for production safety teams to inspect vulnerabilities, validate patches, and accumulate reusable safety knowledge. Our code is available at https://github.com/henrymao2004/Auto-research-red-teaming-in-sleep.
Problem

Research questions and friction points this paper is trying to address.

red-teaming
LLM agents
vulnerability discovery
safety failures
production agents
Innovation

Methods, ideas, or system contributions that make the work stand out.

automated red-teaming
vulnerability concept graph
agent safety
falsifiable discovery loop
LLM agent security
🔎 Similar Papers
No similar papers found.