Ground Truth.
AI, checked against the source.

News · 2026-07-07

A red-teaming study cracked production AI agents 94% of the time

A new red-teaming framework called Vera stress-tested real, production AI agent systems - including Claude Code, Hermes, and OpenClaw - and found that multi-channel attacks succeeded 93.9% of the time. The result marks a shift in the security conversation: the weak point is no longer just the model's willingness to say something harmful, but the whole apparatus of tools, protocols, and skill packages that turns a model into an agent.

Key facts

For years, "AI safety testing" mostly meant jailbreaking - crafting a clever prompt to get a chatbot to say something it shouldn't. That framing made sense when the model was the whole product. It stops making sense the moment the model becomes an agent that reads your files, browses the web, calls tools, and connects to external servers. Now the interesting attacks don't target the model's morals; they target the plumbing. A malicious instruction hidden in a web page the agent visits, a compromised tool it calls, a poisoned entry in a Model Context Protocol server - each is a channel into the agent that never touches the "please be harmful" prompt at all.

Vera's contribution is a way to test that realistically, which is genuinely hard because agents are non-deterministic. The same attack against the same agent can succeed or fail depending on random sampling and the exact state of the environment, so a single trial tells you almost nothing. Vera handles this by running full multi-turn interactions in isolated sandboxes: a "control agent" drives the attack over many turns, and an "evidence-grounded verifier" inspects what actually happened - did the agent leak the secret, run the command, exfiltrate the file - rather than trusting the agent's own account of itself. That closes a loophole in a lot of safety evaluations, where the system is graded on what it says it did instead of what it demonstrably did.

The headline number is alarming precisely because of how it was obtained. A 93.9% success rate for multi-channel attacks means that when an adversary comes at a real agent through more than one path at once - say, a booby-trapped document plus a subtly malicious tool - the defenses fold almost every time. "Multi-channel" is the key qualifier. Defenses tuned to spot a single obvious prompt-injection string are far weaker when the malicious signal is split across several innocuous-looking inputs that only combine into an exploit inside the agent's reasoning. The attack surface widened faster than the defenses did.

The two companion papers show the field organizing a response. AI-Infra-Guard formalizes the idea that agent security has to be stratified: you cannot certify an agent by reading its text output; you must separately audit the MCP servers it trusts and the supply chain of skill packages it loads - the same kind of dependency scrutiny software security already applies to package registries. DT-Guard attacks a different bottleneck, runtime latency: it trains a moderation model to reason during training but emit only fast, structured safety labels at inference, so a 4-billion-parameter guard can outperform larger reasoning-based ones without paying the cost of generating a full reasoning trace on every action. Together they sketch the new stack: sandboxed verification of what agents actually do, plus fast guards and supply-chain audits around what they're allowed to touch.

The caveat is scope. A 93.9% figure comes from a specific attack suite against specific configurations, and a red-team framework is designed to find failures - it does not tell you how often such attacks occur in the wild, or how much a determined defender could harden these systems in response. Some of the tested setups may have had guardrails disabled or permissions wide open to expose the underlying weaknesses. But the strategic message survives the caveat: as agents like Claude Code get more capable and more connected, the security problem stops being about the model's manners and becomes about auditing everything the model is wired into. The plumbing is the attack surface now.


Primary source, verified: read the paper → (arXiv 2607.01793)

Key questions

What is Vera and what did it find?

Vera is an end-to-end agent red-teaming framework that runs multi-turn attacks against real agent systems in isolated sandboxes; it found that multi-channel attacks succeeded 93.9% of the time against production frameworks like Claude Code and Hermes.

Why are AI agents harder to secure than chatbots?

Because an agent's attack surface is no longer just the model's text output - it includes the tools it calls, the Model Context Protocol servers it connects to, and the skill packages it loads, all of which can be targeted.

What is a 'multi-channel' attack on an agent?

It's an attack that reaches the agent through more than one path at once - for example, a malicious instruction hidden in a document the agent reads plus a compromised tool - which the study found far more effective than single-channel prompt attacks.
Cite this

APA

Ground Truth. (2026, July 7). A red-teaming study cracked production AI agents 94% of the time. Ground Truth. https://groundtruth.day/news/red-team-cracks-ai-agents-94-percent-of-the-time.html

BibTeX

@misc{groundtruth:red-team-cracks-ai-agents-94-percent-of-the-time,
  title  = {A red-teaming study cracked production AI agents 94% of the time},
  author = {{Ground Truth}},
  year   = {2026},
  month  = {jul},
  url    = {https://groundtruth.day/news/red-team-cracks-ai-agents-94-percent-of-the-time.html}
}

Topics: ai-safety · agents · security · red-teaming · prompt-injection

Comments are replies to this story on Bluesky — reply with any Bluesky account to join in.