Agentic AI Testing / Scenario
Red-Team Campaign: Injection via Tool Results
The input filter blocks jailbreaks all day. Then a fetched webpage whispers to the agent, and it emails a customer's invoice to a stranger.
- Difficulty
- Hard
- Format
- Scenario
- Points
- 200
- Estimate
- 15 min
// MISSION BRIEF
Your Mission
Your support agent browses pages and sends emails. Security ran the quarterly red-team campaign: 150 scripted attacks across four families. Direct jailbreaks mostly bounced off. The numbers that matter are elsewhere.
Read the campaign results and the exfiltration transcript, then decide what actually needs fixing and how this suite becomes a permanent gate.
// FIRST CONTACT
Battle teaser
First artifact
Campaign results by attack family
Why is direct-jailbreak ASR low (2.5%) while indirect-injection ASR is 15-22%?
- AThe numbers must be a measurement error
- BThe only filter watches USER input. Tool results enter the context unfiltered, and the model treats instructions embedded in fetched content as legitimate, the classic indirect prompt injection gap
- CIndirect attacks are harmless, so nobody defends them
- DAttackers are simply better at writing webpages than messages
Answers, scoring, hints, and the full battle stay sealed.
// SKILL TAGS
agenticred-teamingprompt-injectionsecurityevaluation