Command Palette
Search for a command to run...
Securing the AI Agent: A Unified Framework for Multi-Layer Agent Red Teaming
Securing the AI Agent: A Unified Framework for Multi-Layer Agent Red Teaming
Yong Yang Xing Zheng Huiyu Wu Huangsheng Cheng Xiaorong Shi Jing Guo Bo Yang Yi Zhou Xiangfan Wu Zonghao Ying
Abstract
The fast growth of open-source AI infrastructure, from model serving engines and agent platforms to the Model Context Protocol (MCP) ecosystem and the language models themselves, has outpaced the security tooling available to defend it. We present AI-Infra-Guard, an opensource framework that organizes AI red teaming around a single observation: the attack surface of an AI agent is stratified across layers (infrastructure, protocol/tool, agent behavior, and model), and no single detection paradigm fits all of them. The framework therefore matches a paradigm to each layer, from deterministic rule matching over 75+ AI components and 1,400+ vulnerability rules, through LLM-driven agentic auditing of MCP servers and agent-skill packages and multi-turn black-box agent red teaming, to a jailbreak harness with 26+ attack operators over sixteen datasets. To our knowledge it is the only open-source framework to span all of these, including supply-chain auditing of the agent skills that increasingly extend AI agents. We release AI-Infra-Guard as open source so that layer-paradigm matching can serve as a practical foundation for agent security and a shared base for the community to build on.
One-sentence Summary
Tencent Zhuque Lab’s AI-Infra-Guard is an open-source unified red-teaming framework that matches detection paradigms to the stratified attack surface of AI agents—infrastructure, protocol/tool, agent behavior, and model layers—by combining deterministic rule matching over 75+ AI components and 1,400+ vulnerability rules, LLM-driven agentic auditing of MCP servers and agent-skill packages, multi-turn black-box agent red teaming, and a jailbreak harness with 26+ attack operators across sixteen datasets, making it the only open-source framework to span all of these, including supply-chain auditing of agent skills, and providing a community foundation for securing open-source AI infrastructure.
Key Contributions
- AI-Infra-Guard is an open-source framework that red-teams an AI agent across infrastructure, protocol/tool, agent behavior, and model layers, matching each layer to a detection paradigm suited to its evidence requirements. The framework uses deterministic rule matching over 75+ AI components and 1,400+ vulnerability rules, LLM-driven agentic auditing of MCP servers and agent-skill packages, multi-turn black-box red teaming, and a jailbreak harness with 26+ attack operators over sixteen datasets.
- An agentic auditing module analyzes MCP servers and agent-skill packages through a bounded reason–act loop with Prompt‑as‑Rule encoding, while defending the scanner itself against indirect prompt injection from untrusted artifacts.
- A unified jailbreak harness at the model layer integrates 26+ attack operators across 16 standard datasets into a composable, extensible component that completes the cross-layer framework without introducing new attack techniques.
Introduction
The rapid proliferation of self-hosted AI components—inference servers, agent platforms, MCP servers, and workflow engines—has introduced a broad, network-exposed attack surface that is routinely deployed by teams with limited security expertise. This surface matters because failures lead to stolen compute, credential leakage, prompt injection, and tool misuse. Prior security tools are inadequate: they lack fingerprints for such new software, break on non-semantic versioning schemes (build IDs, dev tags), and focus on injection flaws rather than the dominant AI-specific exposures. Moreover, existing scanners address only isolated layers (infrastructure, code, or behavior) and ignore the emerging agent-skill supply chain.
The authors’ main contribution is a stratified assessment framework, AI-Infra-Guard, that matches a detection paradigm to each of four attack-surface layers. It combines deterministic rule matching with version normalization for infrastructure, LLM-driven agentic auditing with a Prompt-as-Rule method for protocol and tooling, multi-turn red-teaming for agent behavior, and attack-operator enumeration with model-based judgment for alignment. The system also audits agent-skill packages and defends itself against indirect prompt injection, providing the first open-source platform to span all layers cohesively.
Method
The authors propose AI-Infra-Guard, a security assessment framework built on the layer-paradigm matching principle. The core thesis is that the AI attack surface decomposes into four distinct layers of abstraction, each requiring a specific detection paradigm to produce sufficient evidence for security findings. This correspondence is formalized as Li↦Pi for i∈{1,2,3,4}, where each layer is matched with the least expensive assessment paradigm capable of producing the required evidence.
At the infrastructure layer, the authors leverage deterministic rule matching to identify exposed AI services, known CVEs, and leaked configurations. The infrastructure-scanning pipeline processes targets such as IP lists, IP ranges, domain lists, and URL lists. It flows through a fingerprint analysis phase that initializes the scanning engine, identifies the AI framework, performs CVE matching, and conducts framework risk analysis. This is followed by an infrastructure-scan agent that handles dynamic page rendering, visual asset capture, and multimodal risk assessment. The final output includes a security score, asset inventory, vulnerability details, and a business-impact summary.
For the protocol and tool layer, which encompasses MCP servers and agent skills, the framework employs LLM-driven agentic auditing. This paradigm is necessary because vulnerabilities at this level, such as command injection, tool poisoning, or indirect prompt injection, cannot be captured by fixed signatures. The MCP-auditing pipeline begins with a recon agent that performs project structure analysis, configuration parsing, API endpoint discovery, and dependency mapping to generate a project analysis report. This context is passed to an MCP scan agent, which executes static analysis, runtime interaction, vulnerability pattern matching, malicious behavior detection, and misconfiguration detection. Finally, a vulnerability review agent validates the findings through dependency checks, sandboxed deployment, exploit payload generation, and dynamic risk validation, ultimately producing a security score, risk details, and fix suggestions.
At the agent behavior layer, the system addresses runtime vulnerabilities like data leakage, tool abuse, and prompt injection through LLM-driven multi-turn red teaming. The assessor operates as an adversarial agent that converses with the target, utilizing a bounded reason-act loop to escalate probes from benign queries to overt jailbreak attempts. The model layer focuses on the underlying language model safety alignment under adversarial prompting, utilizing attack-operator enumeration and an LLM-as-judge benchmark-style statistical assessment.
To orchestrate these heterogeneous detection modules, the authors design a distributed server-agent architecture.
This architecture supports both a centralized server-agent deployment and an agent skill distribution model. The backend services, including a Gin web server, plugin management, storage, and LLM providers, drive core engines for AI infrastructure scanning, MCP server scanning, and LLM jailbreak evaluation. These engines draw upon an AI agents layer and a shared knowledge base containing fingerprints, CVEs, MCP plugins, and jailbreak datasets. The server dispatches tasks to worker agents via a WebSocket channel, enabling horizontal scalability and fault isolation. Fast deterministic scans run in-process within Go-based workers, while compute-heavy LLM audits are launched as Python subprocesses, with intermediate results streamed back to the user interface in real time.
Experiment
Infrastructure scanning generates security scores from CVE and component-level findings, while skill scanning classifies results as normal, suspicious, or malicious and validates detection on SkillTrustBench, where top models exceed 0.98 loose F1 across 5,520 real-world cases. Agent red teaming uses multi-turn conversational attacks with objective verification (canary tokens) to test data leakage, tool abuse, indirect injection, and authorization bypass under budget-conscious escalation and stop rules. Jailbreak evaluation unifies a large attack library with an LLM judge to produce attack success rate profiles that directly compare safety alignment across models.
The AI attack surface is decomposed into four layers—infrastructure, protocol/tool, agent behavior, and model—each paired with a distinct detection paradigm suited to its characteristics. Deterministic rule matching handles known infrastructure signatures with speed and reproducibility, while LLM-driven auditing, red teaming, and attack-operator enumeration with LLM judging address the increasing semantic and interactive demands of higher layers. This layered matching avoids forcing one method on all, recognizing that paradigms are not interchangeable across layers. Infrastructure scanning relies on fast, reproducible rule matching for known CVEs and observables, whereas model-layer assessment uses attack-operator enumeration and LLM-as-judge to evaluate alignment robustness under adversarial transformations. The progression from infrastructure to model shows decreasing determinism and increasing semantic demand, shifting from matching known signatures to judging behavioral safety through interaction and transformation.
The infrastructure scanning module uses a deterministic rule corpus with 107 fingerprint rules and 1,443 vulnerability rules spanning 75 AI components. Vulnerability rules predominantly rely on explicit version predicates, while a small subset uses empty predicates for inferred matches. The matching engine evaluates four field types using equal counts of match and comparison operators. Detection logic is separated from code: rules are declarative YAML, executed by a lightweight Go engine. Vulnerability rules outnumber fingerprint rules more than ten to one. The matching system operates on exactly four field types: body, header, icon, and hash. Nearly all vulnerability rules (1,356 of 1,443) check explicit component versions.
The same AI-Infra-Guard skill scanner, when paired with different base models, uniformly achieves loose F1 scores above 0.96, with the best models exceeding 0.98 and recall near 1.0. False positive rates show notable variation across models, from 0.012 to 0.072, while precision remains high (≥0.97) for all. This demonstrates that the detection harness cleanly separates base-model capability from the audit specification, so upgrading the underlying model directly improves detection outcomes. Claude Opus 4.6 and GLM 5.1 lead the leaderboard with loose F1 of 0.9848 and 0.9836, both achieving a recall of 0.9974. False positive rate varies substantially across base models, ranging from 0.0120 for Gemini 3.5 Flash to 0.0723 for GLM 5.1, even though all models maintain precision above 0.97. The harness isolates base-model ability: simply changing the model without altering the audit logic yields different detection performance, confirming that improvements in the underlying model translate directly to more trustworthy skill scanning.
The four risk families are stratified by the objectivity of their vulnerability judgments, from fully deterministic to context-dependent. Data leakage and tool abuse allow objective verification through actual secret disclosure or a canary token, indirect injection uses a planted marker for semi-objective detection, and authorization bypass requires subjective interpretation of privilege boundaries. Tool abuse introduces a canary token for SSRF, turning a potentially ambiguous response into a deterministic check for the token's presence. Indirect injection uses a marker like INDIRECT_SUCCESS, providing an unambiguous signal that mirrors the canary approach and yields a semi-objective verdict.
The evaluation harness incorporates sixteen red-teaming datasets totaling approximately 7,000 harmful prompts. The collection is dominated by two large general-safety corpora, while the remaining datasets are smaller and targeted at specific harms such as misinformation, weapons, and known jailbreak attacks. This composition enables broad coverage across a taxonomy of vulnerabilities. Two datasets, cnsafe (3,030 prompts) and SafeBench (2,300 prompts), account for the majority of the total prompt corpus. The remaining fourteen datasets each contain fewer than 600 prompts, with many focusing on narrow harm categories like misinformation, cyber-attack, and copyright. All datasets are accessed through a unified loader supporting common formats, allowing consistent evaluation across the diverse prompt sources.
The evaluation setup decomposes the AI attack surface into four layers, pairing each with a detection paradigm suited to its characteristics: deterministic rule matching for infrastructure, LLM-driven auditing for protocols and tools, red teaming for agent behavior, and attack-operator enumeration with LLM judges for models. The infrastructure scanner relies on a declarative YAML rule corpus with predominantly version-based vulnerability checks, while the skill scanner demonstrates that detection performance is a function of the base model's capability, yielding high recall and a clean separation of audit logic from model choice. Risk families are stratified from objective (data leakage, tool abuse) to subjective (authorization bypass), with canary tokens and planted markers turning ambiguous signals into deterministic or semi-objective verdicts, and the red-teaming harness aggregates 16 datasets totaling thousands of prompts to cover a broad taxonomy of harms.