What belongs in a useful LLM-agent trace?

A transcript alone feels too thin for agent security.

If the failure involved a tool, I’d want the prompt, retrieved text, tool calls, args, outputs, permissions, and the final action. Maybe also a way to rerun the setup without hitting real services.

That might be too much, but the shorter version often loses the part that made the failure matter.

reddit.com
u/Apprehensive-Zone148 — 7 days ago

Who owns prompt-injection regression tests?

If a prompt injection only changes text, it can look like an app/model eval problem.

If it changes a tool call, file write, API call, or approval path, it starts looking like DevSecOps territory.

I’m curious where teams are putting those tests. App test suite, security checks, model eval harness, or somewhere else.

reddit.com
u/Apprehensive-Zone148 — 7 days ago

How would you structure a beginner lab for prompt injection against tools?

Most prompt-injection examples are chat-only. They’re useful, but the real lesson lands harder when the model can do something.

A beginner lab could be tiny: fake email, fake docs, one read tool, one write tool, and an injected instruction hidden in retrieved text.

The hard part is making it teach the boundary without turning into “lol the model obeyed bad text.” I’d start with tool permissions and replay logs.

reddit.com
u/Apprehensive-Zone148 — 7 days ago

Do you treat failed tool calls as eval failures or security events?

I’m trying to sort out the line here.

If an agent gives a bad final answer, that feels like an eval failure.

If it calls the wrong tool, uses the wrong repo, reads from an unrelated file, or writes before approval, that feels closer to a security event even if the final answer looks fine.

For people building LLM apps with tools, where do you log that? In evals, app telemetry, security logs, or all three?

reddit.com
u/Apprehensive-Zone148 — 7 days ago

How would you model prompt injection for agents that can take actions?

Prompt injection is easy to talk about as “bad text in, bad answer out.”

It gets more interesting when the model can take actions. Then the failure is not just the generated text. It might be a tool call, a permission mistake, or untrusted data changing the goal.

If you were modeling this cleanly, would you treat it more like input validation, confused deputy, capability security, or something else?

reddit.com
u/Apprehensive-Zone148 — 7 days ago

Looking for feedback on an open-source LLM red-team CLI

I’m building RedThread, an open-source CLI for repeatable LLM and agent red-team campaigns.

https://github.com/matheusht/redthread

The use case is testing things like prompt injection, jailbreak behavior, and tool/action boundary failures before an agent gets real permissions.

I’m mostly looking for product feedback right now: is the CLI understandable, are the examples clear, and what would make the first run less annoying?

reddit.com
u/Apprehensive-Zone148 — 7 days ago

If an LLM can run tools, what do you test before shipping it?

For normal code I know what to reach for: unit tests, integration tests, logs, staging data, maybe chaos testing if the system earns it.

For an LLM agent that can call tools, it feels less obvious. The risky part isn’t always the final text. It’s whether it read the wrong input, called the wrong tool, used stale context, or took an action the user didn’t really ask for.

If you’ve shipped anything like this, what did you actually test before trusting it with real permissions?

reddit.com
u/Apprehensive-Zone148 — 7 days ago

Where do you put the guardrails for tool-using agents?

When an agent can read untrusted text and call real tools, I keep landing on the tool wrapper as the real boundary, not the prompt.

Prompts can ask nicely. The wrapper decides what gets executed.

For people designing these systems: do you keep those checks in the agent framework, the service layer, or a separate policy layer?

I’m mostly thinking about scoped credentials, dry runs for risky calls, and logs you can replay after something weird happens.

reddit.com
u/Apprehensive-Zone148 — 7 days ago

How do you stop prompt optimization from just gaming the grader?

I’ve been testing a prompt optimizer inside an LLM red-team project.

The obvious failure is that it can improve the aggregate score while getting worse on one class of test. I ended up keeping per-objective scores and a Pareto frontier instead of picking one winner.

Still not sure how much that helps when the judge itself is an LLM.

Do you keep a held-out judge, human labels, adversarial fixtures, something else?

reddit.com
u/Apprehensive-Zone148 — 13 days ago

Should an AI system ever be allowed to promote its own guardrail changes?

I’m working on a system that can propose guardrail changes from failed red-team runs.

I keep proposal, validation, and promotion separate. Even if replay improves, nothing becomes active without an explicit gate.

It’s less automatic, but that seems like the honest boundary.

Where do people here draw the line? Machine proposes and tests, human promotes? Or can policy-based auto-promotion ever be defensible?

reddit.com
u/Apprehensive-Zone148 — 13 days ago

Keeping agent prompt optimization from hiding tool-use failures

I added a shadow optimization lane to a red-team harness and kept the search space pretty strict.

A candidate can only touch allowlisted prompt fields. It runs against cached objectives. The control split is a gate, not another score. Pareto selection keeps one strong specialist from being thrown away just because another candidate has a better average.

Promotion stays separate from optimization.

For LangChain agents, I’m unsure whether tool traces should be scored as their own objective or treated as a hard failure gate. A single aggregate score feels too easy to game.

reddit.com
u/Apprehensive-Zone148 — 13 days ago

Would replayable LLM-agent failures be useful to blue teams?

Question for blue team folks.

If an internal AI agent gets tricked by untrusted text and takes a bad action, what evidence would actually help you?

I’m thinking about stuff like:

  • original prompt/task
  • untrusted input
  • action or tool call
  • logs around the decision
  • replay steps

I’m working on this from the testing side and don’t want to build evidence that only makes sense to the person who ran the test.

My guess is replay beats severity labels here.

reddit.com
u/Apprehensive-Zone148 — 22 days ago

How should people share agent-security tests without making it vendor spam?

I’m asking because this topic gets messy fast.

Prompt injection is more interesting once the model can use tools, but most posts end up as either scary headlines or someone sneaking in a product pitch.

What would be a useful format here?

My gut says small reproducible examples, clear limits, no “we solved it” claims, and enough detail that people can argue with the result.

reddit.com
u/Apprehensive-Zone148 — 22 days ago

For tool-using agents, where do you draw the security boundary?

I keep seeing demos where agents can read docs, call APIs, write files, or trigger some business action.

That’s the part that makes prompt injection feel less theoretical to me.

The risky bit is not the model saying something weird. It’s untrusted text changing what the agent does with a tool.

I’m working on tests around that boundary right now. No magic fix. Just trying to make the failures repeatable enough that someone else can inspect them later.

Curious how people here are testing agents before giving them real permissions.

reddit.com
u/Apprehensive-Zone148 — 22 days ago

How would you teach security testing for AI agents?

Most agent tutorials stop at “connect tools and run a task.”

The security side gets skipped, or it turns into vague advice like “validate inputs.”

If you were teaching agent builders, what would you make them test first?

My first pick would be indirect prompt injection: the agent reads untrusted text, trusts it too much, and calls a tool it shouldn’t.

I’m putting together small repeatable tests around this and trying to keep them beginner-friendly without making them fake.

reddit.com
u/Apprehensive-Zone148 — 22 days ago

What would make AI-agent red-team results useful instead of noisy?

I don’t trust most agent-security screenshots by themselves.

One person posts a scary transcript. Someone else says it’s just a bad prompt. Then nobody can really reproduce what happened.

For tool-using agents, I think the useful artifact is probably the replay: what the agent saw, what it was allowed to do, what it actually did, and whether the same setup fails again.

No product link here. I’m mostly trying to understand what people would trust as evidence.

reddit.com
u/Apprehensive-Zone148 — 22 days ago

Would an LLM-agent prompt-injection lab make sense as a CTF challenge?

Been thinking about making small LLM-agent security fixtures more like CTF challenges.

Not “jailbreak this chatbot.” More like:

  • agent has a task
  • agent has limited tools
  • attacker controls one piece of input
  • win condition is making the agent misuse the tool
  • replay shows the failure path

I’m not sure if that belongs in CTF land or if it’s too fuzzy compared to classic web/crypto/pwn.

Could be a useful way to teach prompt injection without turning it into random prompt guessing.

reddit.com
u/Apprehensive-Zone148 — 22 days ago

Replay evidence for LLM-agent security testing

I am working on RedThread, an open-source CLI for authorized LLM/agent red-team campaigns.

Repo: https://github.com/matheusht/redthread

Demo result: 3 runs, 33.3% attack success rate, one SUCCESS, one PARTIAL, one FAILURE.

The security question I am exploring: what should evidence look like when an LLM-agent failure involves untrusted text crossing into an action boundary?

RedThread tries to preserve:

  • campaign traces
  • tactic/persona metadata
  • rubric scoring
  • exploit replay
  • benign replay
  • candidate defense notes

This is for staging/internal targets, not live exploitation.

What evidence would make this kind of finding worth remediating?

u/Apprehensive-Zone148 — 1 month ago

Learning project: replayable LLM/agent red-team evidence

I am building RedThread, an open-source CLI for learning and running safe LLM/agent red-team campaigns.

Repo: https://github.com/matheusht/redthread

Demo campaign result: 3 runs, 33.3% ASR, one SUCCESS, one PARTIAL, one FAILURE.

The learning goal is to move past “I found a scary prompt” and toward repeatable evidence:

  • what was the target?
  • what did the attack try?
  • what trace was produced?
  • what was the scored outcome?
  • can the failure be replayed?
  • does the fix break benign behavior?

Not live exploitation and not production enforcement. It is for staged targets and safe fixtures.

What would make this easiest to learn from: toy vulnerable agents, walkthrough labs, sample reports, or annotated traces?

u/Apprehensive-Zone148 — 1 month ago

How do you test AI coding agents for prompt-injection-style failures?

I am working on RedThread, an open-source CLI for LLM/coding-agent red-team campaigns.

Repo: https://github.com/matheusht/redthread

Small demo result: 3 runs, 33.3% ASR, one SUCCESS, one PARTIAL, one FAILURE.

The question: if a coding agent reads a repo, issue, README, dependency output, docs, or generated logs, how do you test whether that untrusted text can influence actions?

Current RedThread workflow:

  • run adversarial campaigns
  • keep traces
  • score outcomes
  • replay exploit and benign cases
  • write candidate defense notes

Not a product pitch for a hosted service. It is open-source CLI tooling for safer agent workflows.

What coding-agent failure would you test first?

u/Apprehensive-Zone148 — 1 month ago