AgentRedBench: Dynamic Redteaming and Integration-Aware Defense for LLM Agents over SaaS Integrations

Researchers introduce AgentRedBench, a dynamic benchmark testing LLM agents against indirect prompt injection attacks through third-party SaaS integrations. The study reveals significant vulnerabilities across major AI models, with attack success rates up to 81%, while proposing AgentRedGuard, a specialized defense that reduces attacks to 2.4% with minimal false positives.

This research addresses a critical vulnerability in production AI agent systems that has received limited academic attention. LLM agents interfacing with enterprise tools like Gmail, Salesforce, and Jira create attack surfaces through untrusted data flowing into model decision-making—a threat distinct from traditional prompt injection because users cannot control the third-party source content. The vulnerability emerges at authorization boundaries where subtle manipulation of tool responses could trick agents into executing unintended actions.

The benchmark itself represents methodological advancement in AI safety. Previous evaluations relied on static payloads repeated across runs, failing to capture the nuanced threat landscape. AgentRedBench's dynamic approach with 215 scenarios across 24 integrations and five attack types provides realistic coverage of enterprise deployment contexts. The 32-81% attack success rate variance across models (Claude Sonnet to Gemini Flash) demonstrates that scale or capability alone doesn't guarantee robustness—architectural assumptions about tool interaction differ significantly.

AgentRedGuard's performance is noteworthy: reducing 69.9% baseline ASR to 2.4% while maintaining 0.37% false-positive rate outperforms existing open-source guards substantially. The maintainer-mediated evaluation channel and immutable versioning suggest maturity in preventing benchmark contamination through training data leakage—a persistent problem in AI safety research.

For developers and enterprises deploying AI agents, this work signals that integration security requires dedicated defenses beyond general-purpose guard rails. The open-sourced codebase enables broader testing but also raises implementation questions around latency, cost, and deployment complexity in production systems already managing multiple tool integrations.

• →LLM agents face 32-81% attack success rates when receiving untrusted data from third-party integrations, representing a distinct production threat from traditional prompt injection.
• →AgentRedGuard reduces attack success rates to 2.4% with minimal false positives, substantially outperforming existing open-source baseline guards across integration and attack type holdouts.
• →Current AI safety benchmarks underestimate real-world threats by using static attacks; dynamic, integration-diverse testing reveals model vulnerabilities previous evaluations missed.
• →Enterprise deployment of AI agents requires integration-aware security layers specifically trained on tool-response adversarial content, not generic chat-based guard models.
• →Open-sourced defenses with immutable versioning enable broader adoption while preventing benchmark contamination through training data leakage.