All articles
RESEARCH · 9 min read

Mapping the AI Agent Attack Surface

An LLM that can call tools is no longer a chatbot — it's a privileged process with a natural-language API. The attack surface looks different from anything we've defended before.

Trust boundaries blur

Instructions, retrieved content and tool outputs all flow into the same context window. Classic IPO modeling doesn't fit.

New primitives, new bugs

Tool confusion, plan hijacking, memory poisoning, cross-session leakage via shared vector stores.

  • Confused-deputy via tool-calling
  • Indirect injection from RAG corpora
  • Persistent backdoors in long-term memory

Test like an attacker, agent edition

Red-team the full agent: tools, memory, retrievers, guardrails. Single-prompt jailbreaks are the easy mode.

Tools mentioned

PyRITGarakPromptfooBurp SuiteLangSmithHelicone
⟩ takeaway

Treat every agent as a service account with a chat interface. Threat-model it the same way.

⟩ keep reading

Related articles