Agentic AI Testing / Scenario

Red-Team Campaign: Injection via Tool Results

The input filter blocks jailbreaks all day. Then a fetched webpage whispers to the agent, and it emails a customer's invoice to a stranger.

Difficulty
Hard
Format
Scenario
Points
200
Estimate
15 min

// MISSION BRIEF

Your Mission

Your support agent browses pages and sends emails. Security ran the quarterly red-team campaign: 150 scripted attacks across four families. Direct jailbreaks mostly bounced off. The numbers that matter are elsewhere.

Read the campaign results and the exfiltration transcript, then decide what actually needs fixing and how this suite becomes a permanent gate.

// FIRST CONTACT

Battle teaser

First artifact

Campaign results by attack family

Why is direct-jailbreak ASR low (2.5%) while indirect-injection ASR is 15-22%?

  1. AThe numbers must be a measurement error
  2. BThe only filter watches USER input. Tool results enter the context unfiltered, and the model treats instructions embedded in fetched content as legitimate, the classic indirect prompt injection gap
  3. CIndirect attacks are harmless, so nobody defends them
  4. DAttackers are simply better at writing webpages than messages
Answers, scoring, hints, and the full battle stay sealed.

// SKILL TAGS

agenticred-teamingprompt-injectionsecurityevaluation