system: OPERATIONAL
← back to all hacks
RESEARCH MEDIUM NEW

When one agent red-teams another: a vulnerability concept graph for coding agents

A July 13, 2026 paper shows one research agent probing production coding agents, then storing what it learns as reusable, falsifiable concepts — a durable artifact for safety teams, not another one-off exploit.

2026-07-17 // 6 min affects: claude-code, codex, llm-agents

What is this?

On July 13, 2026, Xutao Mao, Xiang Zheng and Cong Wang published Agent Hacks Agent: Autoresearch for Production-Agent Red-Teaming (arXiv:2607.11698). The paper asks a practical question: production coding agents such as Claude Code and Codex now act over untrusted content, files, commands and workspace state, so their safety failures are directly actionable — and the models and tools change every few weeks. How do you red-team something that keeps moving?

The authors’ answer is to use one agentic research environment to study another. Their system, called AHA, runs a falsifiable discovery loop and — this is the part that matters — does not just record where an attack worked. It records why. Confirmed findings are promoted into a Vulnerability Concept Graph (VCG), an auditable structure that safety teams can inspect, reuse and test patches against. This is a defensive-research writeup, not an actionable exploit.

How it works

Most red-teaming pipelines optimise for attack success and keep the artifacts that success produces: a benchmark, a payload, an attack program. Those tell you a prompt broke an agent on a given day; they do not tell you the enabling condition behind the unsafe behaviour, which is exactly what transfers to the next model version.

AHA reframes red-teaming as research. Each iteration of the loop runs, at a high level, like this:

Propose      -> a vulnerability hypothesis about an agent surface
Falsify      -> construct a test that could prove the hypothesis wrong
Instantiate  -> build one valid attack consistent with the hypothesis
Execute      -> run it inside a sandboxed harness (no live targets)
Reflect      -> read the trajectory: did the enabling condition hold?
Promote      -> if confirmed, write it into the Vulnerability Concept Graph

Every node in the graph is a concept that links an attacker-facing surface to an unsafe trajectory, and it carries five fields: a claim, an enabling condition, a falsifier, a transfer prediction, and supporting evidence. The falsifier is the discipline here — a concept only survives if there was a genuine way to disprove it and it held anyway. That is closer to how a scientist frames a finding than to how a fuzzer dumps successful inputs.

The reported results are what make the idea worth attention for defenders. Tested across Claude Code and Codex on three scenarios spanning direct and indirect attacks, the discovered concepts revealed a reusable vulnerability core shared across models and agents. Once the graph is frozen — no further search allowed — it still beat the strongest frozen discovery baseline by 14.2 percentage points under the same single-shot protocol, and the concepts transferred across scenarios and across attack channels. In other words, the knowledge, not the payload, is the transferable asset.

Why it matters

Two things stand out for anyone running agents in production.

First, red-teaming knowledge can compound instead of expiring. The usual failure mode of agent security work is that a jailbreak or injection is patched, the write-up ages out, and the next model release starts the clock over. A concept graph that captures enabling conditions and predicts transfer is an attempt to build institutional memory that survives model churn — the same reason coordinated-disclosure programmes keep structured records rather than loose proof-of-concepts.

Second, the “reusable vulnerability core” finding is a warning about monoculture. If the same underlying weaknesses show up across two independently built frontier coding agents, then defences tuned to one product’s quirks are probably missing the shared root causes. Direct and indirect attack channels drawing on the same core also reinforces a lesson this field keeps relearning: the untrusted-input problem for agents is structural, not a per-model bug.

The paper is a method and an evaluation, not a disclosure of a specific flaw — there is no CVE and no product patch attached. Its value is the artifact it proposes: an inspectable, testable record of why agents fail, which safety teams can use to validate their own fixes.

Status

ItemDetail
PublicationarXiv preprint, submitted 13 Jul 2026 (v1)
Systems studiedClaude Code, Codex (three scenarios, direct + indirect attacks)
NatureDefensive red-teaming methodology; no CVE, no product vulnerability disclosed
Key claimFrozen concept graph beats strongest frozen baseline by 14.2 pts, single-shot
CaveatPreprint, not yet peer-reviewed; results are the authors’ own

Sources