AI & RoboticsJul 14, 2026 · 8 min read
New agent red-team paper argues one-off jailbreak scores are the wrong safety artifact
A new arXiv preprint argues that AI-agent safety teams need reusable failure mechanisms they can patch and rerun, not just benchmark-breaking prompts.

The Shadowfetch Brief
Get the free Daily Brief
The day’s biggest technology stories — one short morning email. Always free.
AI reporting: New agent red-team paper argues one-off jailbreak scores are the wrong safety artifact
Plain-English takeaway: A new arXiv preprint, Agent Hacks Agent: Autoresearch for Production-Agent Red-Teaming, says the useful output of AI-agent red-teaming should not be a trophy list of prompts that broke a system. It should be a reusable, auditable explanation of why the agent failed, what condition made the failure possible, and how to test whether a fix actually closed the hole.
That matters because coding and tool-using agents are no longer just chat windows producing questionable text. Official product documentation for Claude Code describes an agentic coding tool that runs across terminal, IDE, desktop and web surfaces, while OpenAI’s Codex documentation describes cloud-based software-engineering help. In that category, a failure can become a file edit, command, workflow action, or other operational step. The new paper is not evidence that every deployed coding agent is unsafe. It is evidence that agent safety evaluation is moving toward a more practical question: after a red team finds a break, can anyone reuse the finding to patch the system and check the patch later?
What was released
The paper, posted as arXiv:2607.11698v1 on July 13, 2026 and surfaced in the July 14 arXiv feed, is by Xutao Mao, Xiang Zheng and Cong Wang of City University of Hong Kong. It introduces AHA, short for “Agent Hacks Agent,” a research pipeline for automated red-teaming of production-style LLM agents. The authors also link a public code repository from the arXiv page.
The central distinction is important. The paper does not announce a new general-purpose model, a consumer product, or a deployed safety standard. It reports an experimental red-teaming method. The method uses an agentic research loop to propose a vulnerability hypothesis, define what would falsify it, test it in a sandboxed harness, and promote confirmed findings into what the authors call a Vulnerability Concept Graph, or VCG. In the paper’s terms, a concept is not merely a payload; it is a claim about an attacker-facing surface, an enabling condition, a failure trajectory, a falsifier, a transfer prediction and supporting evidence.
That is a research result, not a deployment. The claim is not “agents are solved” or “agents are doomed.” The claim is narrower and more useful: a red-team artifact can be structured so that safety teams can inspect the suspected mechanism, patch a policy or workflow, and rerun a check without starting a new search from scratch.
What the authors tested
The authors evaluated AHA across two victim-agent environments named in the paper, Claude Code and Codex, and three red-team scenarios: AgentHazard, AgentDyn and DTap. They used three victim models: Minimax-M2.7, Kimi-K2.6 and Deepseek-V4-Pro. The work is black-box red-teaming: the attack route is through the agent’s allowed surface rather than through privileged access to model internals.
The paper’s evaluation design tries to separate discovery from reuse. During discovery, the method searches for vulnerability concepts on discovery instances. For evaluation, the concept library is frozen. On held-out instances, the method gets one attack per instance and no further search or feedback. That is the piece worth paying attention to, because a live red-team search can overfit a benchmark, learn judge quirks, or simply spend more attempts. A frozen, single-shot evaluation asks whether the artifact left behind by discovery is still useful when the search engine is removed.
The headline result in the paper is that AHA reached a 47.0% average attack success rate across the tested agents, scenarios and victim models under that frozen single-shot protocol, compared with 32.8% for the strongest frozen discovery baseline the authors report. That is a 14.2 percentage-point advantage. On Claude Code specifically, the paper reports 50.0% for AHA versus 36.5% for the strongest frozen baseline, a 13.5-point gap.
Those numbers should be read carefully. They are attack-success rates in the paper’s benchmark harnesses, not a field measurement of real-world compromise rates. They depend on the selected scenarios, models, judges, splits and implementation choices. They also do not establish that AHA is the best possible red-team method. They do show that, under the authors’ protocol, recording reusable vulnerability concepts outperformed storing other kinds of frozen red-team artifacts.
Why this is more consequential than another leaderboard bump
A lot of AI safety coverage still gets trapped in benchmark theater: one method beats another by a few points, vendors post a chart, and the reader is left wondering whether anything changed outside the chart. This paper is more interesting because it challenges the object being measured.
For agentic systems, the highest-scoring break is not automatically the most actionable safety finding. A payload might succeed because of a quirk in a benchmark prompt, a permissive judge, a temporary model behavior, or a surface detail that vanishes after the next product update. If the red-team artifact is only the payload, a defender may know that something broke without knowing what to fix.
A vulnerability concept is meant to be closer to a bug report with a theory of the bug. The paper says AHA requires the system to state the vulnerability claim and falsifier before designing the attack, then records confirmed and falsified findings. That pre-commitment matters because it reduces the temptation to explain a success after the fact. In safety evaluation, post-hoc stories can be clean, persuasive and wrong.
The paper also reports recurring concept families across models and agent environments. One family the authors call “claimed authorization” appeared in 16 of 18 settings, while another, “task-goal hijack,” appeared across indirect, tool-mediated settings. I am intentionally describing those at a high level rather than reproducing operational examples. The useful reader takeaway is not a recipe for misuse; it is that the same broad failure mechanisms may reappear across different agent products and model backends, which makes reusable safety knowledge more valuable than one-off jailbreak strings.
What the result does not prove
First, this is a preprint. It has not, from the paper record available today, been peer reviewed. The authors provide a detailed method and code link, but independent reproduction is the next check, not a formality.
Second, the benchmark environments are not the whole world. AgentHazard, AgentDyn and DTap are designed test settings. They can be useful precisely because they are controlled, but controlled settings do not capture every production permission boundary, organizational workflow, human approval step, logging system, rate limit, sandbox, or incident-response process.
Third, attack-success rate is an incomplete metric. The authors are trying to improve the artifact behind the rate, and that is welcome, but ASR still compresses many questions into one number: severity, exploitability, repeatability, required access, user friction, detectability and blast radius. A method that finds more breaks is not automatically safer unless the findings help defenders reduce real risk.
Fourth, the paper’s setup includes named commercial agent surfaces, but the paper itself is not a vendor audit. It is not a comprehensive security evaluation of Claude Code, Codex, Minimax, Kimi or Deepseek. The official Claude Code and OpenAI Codex documentation establish that these are real user-facing software-agent products or surfaces; the paper’s harness establishes only the experiment the authors ran.
The practical implication for builders
For teams adopting coding agents, the useful shift is from “Did the agent pass a safety benchmark?” to “Can we preserve, audit and rerun the reasons it failed?” That means treating red-team findings as durable engineering knowledge: a hypothesis, a boundary condition, evidence, a regression test and a patch target.
If an agent can read untrusted files, browse issue comments, execute commands, call tools, or modify a repository, then a safety review that only checks isolated messages is thin cover. The agent’s risk lives in the trajectory: what it reads, how it frames the request, which tool calls it chooses, what state it changes, and whether any human or automated checkpoint interrupts the wrong action. The paper’s contribution is to formalize that trajectory-level view into a reusable concept library.
The next useful checks are straightforward. Independent teams should reproduce the frozen single-shot protocol, test whether the concept graph helps patch real agent workflows, and report severity-weighted outcomes rather than only attack-success rates. Vendors should disclose more about agent permissions, default sandboxes, approval gates and logging. Enterprise buyers should ask whether red-team results become regression tests, not just slides.
For readers, the bottom line is calm but firm: this is not a sky-is-falling agent story. It is a sign that the serious safety work is moving from screenshotable jailbreaks toward mechanisms, evidence and repair. That is the direction agent evaluation has to go if these systems are going to touch real code, real files and real workflows.
Claim-evidence ledger
| Claim | Evidence | Confidence | Caveat |
|---|---|---:|---|
| A new preprint proposes AHA for production-agent red-teaming. | arXiv:2607.11698v1 abstract and PDF. | High | Preprint status; not peer reviewed. |
| AHA stores confirmed findings as a Vulnerability Concept Graph rather than only attack payloads. | Paper abstract and method sections. | High | The utility of the graph outside the paper’s scenarios still needs independent testing. |
| The paper reports a 47.0% frozen single-shot ASR for AHA versus 32.8% for the strongest frozen discovery baseline. | Paper Section 5.2 and Table 2 discussion. | High for reported number | This is the authors’ benchmark protocol, not a real-world compromise rate. |
| The work evaluates Claude Code and Codex-style agent environments with Minimax, Kimi and Deepseek victim models. | Paper methods section. | High | The paper is not a full vendor security audit. |
| Claude Code and Codex are user-facing agentic software-development products or surfaces. | Official Claude Code overview and OpenAI Codex documentation. | Medium-high | Product features and names can change; documentation is not evidence of the paper’s measured safety results. |
External primary sources
- Xutao Mao, Xiang Zheng and Cong Wang, “Agent Hacks Agent: Autoresearch for Production-Agent Red-Teaming,” arXiv:2607.11698v1: https://arxiv.org/abs/2607.11698
- Paper PDF: https://arxiv.org/pdf/2607.11698
- Public code repository linked from the arXiv record: https://github.com/henrymao2004/Auto-research-red-teaming
- Claude Code overview, Anthropic: https://code.claude.com/docs/en/overview
- OpenAI Codex documentation: https://platform.openai.com/docs/codex
Shadowfetch is a technology publication. Explore Shadowfetch Linux — our own Linux build — and the Shadowfetch apps on the App Store.
How the story is being framed
- The preprint reports 47.0% ASR for AHA versus 32.8% for the strongest frozen baseline.
- AHA structures red-team findings as a Vulnerability Concept Graph rather than only attack payloads.
- Evaluation used black-box methods on held-out instances with no further search after discovery.
- Recurring concept families such as claimed authorization appeared across multiple settings.
The research advances practical methods for identifying and addressing failure mechanisms in AI agents.
The paper proposes structuring red-team outputs as reusable vulnerability concepts for better safety evaluation.
The work shows that recording auditable explanations of agent failures improves safety assessment over isolated successes.
Shadowfetch’s read of how each side is framing this story — not the reporting itself. How we do this.
How we reported this
The brief draws from the arXiv preprint abstract, methods sections, evaluation results and claim-evidence ledger described in the article.
- arXiv preprint
- paper methods
- evaluation results
- public code link
The Shadowfetch Brief
Get The Shadowfetch Brief
Stories like this — the technology that matters, one short morning email. Free.
See a problem in this story? Report an error · Corrections policy · Our methodology