News · 2026-07-07
A red-teaming study cracked production AI agents 94% of the time
A new red-teaming framework called Vera stress-tested real, production AI agent systems - including Claude Code, Hermes, and OpenClaw - and found that multi-channel attacks succeeded 93.9% of the time. The result marks a shift in the security conversation: the weak point is no longer just the model's willingness to say something harmful, but the whole apparatus of tools, protocols, and skill packages that turns a model into an agent.
Key facts
- Vera runs multi-turn attacks in isolated sandboxes using a control agent plus an evidence-grounded verifier.
- Against production frameworks (Claude Code, Hermes, OpenClaw), multi-channel attacks achieved a 93.9% success rate.
- Two companion works landed the same day: AI-Infra-Guard (auditing the Model Context Protocol layer) and DT-Guard (fast runtime moderation).
- The through-line: agent security must be tested at the infrastructure and tool layer, not just the prompt.
For years, "AI safety testing" mostly meant jailbreaking - crafting a clever prompt to get a chatbot to say something it shouldn't. That framing made sense when the model was the whole product. It stops making sense the moment the model becomes an agent that reads your files, browses the web, calls tools, and connects to external servers. Now the interesting attacks don't target the model's morals; they target the plumbing. A malicious instruction hidden in a web page the agent visits, a compromised tool it calls, a poisoned entry in a Model Context Protocol server - each is a channel into the agent that never touches the "please be harmful" prompt at all.
Vera's contribution is a way to test that realistically, which is genuinely hard because agents are non-deterministic. The same attack against the same agent can succeed or fail depending on random sampling and the exact state of the environment, so a single trial tells you almost nothing. Vera handles this by running full multi-turn interactions in isolated sandboxes: a "control agent" drives the attack over many turns, and an "evidence-grounded verifier" inspects what actually happened - did the agent leak the secret, run the command, exfiltrate the file - rather than trusting the agent's own account of itself. That closes a loophole in a lot of safety evaluations, where the system is graded on what it says it did instead of what it demonstrably did.
The headline number is alarming precisely because of how it was obtained. A 93.9% success rate for multi-channel attacks means that when an adversary comes at a real agent through more than one path at once - say, a booby-trapped document plus a subtly malicious tool - the defenses fold almost every time. "Multi-channel" is the key qualifier. Defenses tuned to spot a single obvious prompt-injection string are far weaker when the malicious signal is split across several innocuous-looking inputs that only combine into an exploit inside the agent's reasoning. The attack surface widened faster than the defenses did.
The two companion papers show the field organizing a response. AI-Infra-Guard formalizes the idea that agent security has to be stratified: you cannot certify an agent by reading its text output; you must separately audit the MCP servers it trusts and the supply chain of skill packages it loads - the same kind of dependency scrutiny software security already applies to package registries. DT-Guard attacks a different bottleneck, runtime latency: it trains a moderation model to reason during training but emit only fast, structured safety labels at inference, so a 4-billion-parameter guard can outperform larger reasoning-based ones without paying the cost of generating a full reasoning trace on every action. Together they sketch the new stack: sandboxed verification of what agents actually do, plus fast guards and supply-chain audits around what they're allowed to touch.
The caveat is scope. A 93.9% figure comes from a specific attack suite against specific configurations, and a red-team framework is designed to find failures - it does not tell you how often such attacks occur in the wild, or how much a determined defender could harden these systems in response. Some of the tested setups may have had guardrails disabled or permissions wide open to expose the underlying weaknesses. But the strategic message survives the caveat: as agents like Claude Code get more capable and more connected, the security problem stops being about the model's manners and becomes about auditing everything the model is wired into. The plumbing is the attack surface now.
Key questions
What is Vera and what did it find?
Why are AI agents harder to secure than chatbots?
What is a 'multi-channel' attack on an agent?
Cite this
APA
Ground Truth. (2026, July 7). A red-teaming study cracked production AI agents 94% of the time. Ground Truth. https://groundtruth.day/news/red-team-cracks-ai-agents-94-percent-of-the-time.html
BibTeX
@misc{groundtruth:red-team-cracks-ai-agents-94-percent-of-the-time,
title = {A red-teaming study cracked production AI agents 94% of the time},
author = {{Ground Truth}},
year = {2026},
month = {jul},
url = {https://groundtruth.day/news/red-team-cracks-ai-agents-94-percent-of-the-time.html}
}
Comments are replies to this story on Bluesky — reply with any Bluesky account to join in.