system: OPERATIONAL
← back to all hacks
DEFENSE MEDIUM NEW

MAGE: a shadow memory that catches long-horizon agent attacks

A May 2026 paper borrows the shadow-stack idea from systems security to give LLM agents a parallel security memory, cutting a 100% multi-turn attack to 8.3%.

2026-07-06 // 6 min affects: gpt-5.1, gpt-4o-mini, qwen3-235b, llama-3.3-70b

What is this?

On May 4, 2026, researchers from Stony Brook University and Cisco published MAGE (Memory As Guardrail Enforcement), a defense aimed at a class of attack that single-turn guardrails routinely miss: long-horizon threats. These are attacks that exploit extended user–agent–environment interactions, where the malicious intent, in the authors’ words, “emerges only at the trajectory level, while remaining latent within individual turns.”

The canonical example is a tool-chaining attack: a sequence of individually innocuous tool calls whose cumulative effect is destructive — data exfiltration, a financial loss, a policy violation. Each step looks fine to a per-turn filter. Only the whole trajectory is malicious. The same pattern shows up in multi-turn poisoning and persistent prompt injection, and it is exactly what conventional, short-context safety alignment fails to generalize to.

How it works

MAGE borrows an abstraction from systems security: the shadow stack, which defends against control-flow hijacking by keeping a separate, protected copy of return addresses. MAGE runs an analogous shadow memory in parallel with the agent’s normal working memory. Where working memory is optimized for completing the task, shadow memory selectively distills only the security-critical context as the trajectory unfolds and discards the rest.

Two components sit on top of it. A memory manager updates the shadow memory each turn, and a judge performs retrospective inspection of the trajectory and rules on the pending action, returning both a decision (approve or reject) and a human-readable rationale. Concretely, before each action executes, MAGE enforces a checkpoint: the memory manager refreshes shadow memory, the judge scores the pending action against it, and execution resumes only if the judge approves — otherwise the action is blocked and the rationale is surfaced to a human operator.

Both roles are implemented as external LLM tool calls (a single shared model differentiated by role-specific prompting), so MAGE plugs into an existing agent without retraining the target model. The design also matters for cost: naively re-judging the full trajectory every turn is quadratic, while distilling into a fixed-size shadow memory keeps aggregate token overhead linear. The manager and judge are tuned with a turn-wise reinforcement-learning variant that decouples the memory-update and risk-assessment reward signals — the authors show that without this training, an untrained judge only reaches zero attack success by rejecting essentially everything, destroying benign utility.

Why it matters

The results quantify how exposed unguarded agents are over multiple turns. Against Sequential Tool-Attack Chaining on the SHADE-Arena benchmark, with a GPT-5.1 agent, attack success climbed from about 89.7% at two turns to 100% at five or more turns. MAGE, running on a small Qwen3-4B backbone, held attack success to roughly 4.6%–10% across all horizons — an overall drop from 100% to 8.3% while preserving 94.4% benign utility at about 7,000 extra tokens per task. In an environment-as-adversary setting on an extended AgentDojo (banking and Slack suites, up to 18 tool calls per task), MAGE drove the success rate of persistent indirect prompt injection to 0.0% while keeping benign utility on par with the no-defense baseline, across GPT-4o-mini, Qwen3-235B and Llama-3.3-70B agents.

Two points stand out for defenders. Detection was early — average latency near zero turns, so the malicious action was typically caught at the step it appeared. And baselines that looked competitive on frontier models degraded on open-weight agents: one prior defense the paper compares against fell to 42.1% attack success on Llama-3.3 and 20.7% on Qwen3, where MAGE stayed near zero.

Defenses

The takeaway generalizes beyond the specific system. Treat security context as trajectory-level state, not a per-turn afterthought: maintain a compact, protected record of user intent and known attack patterns that survives context compaction, and inspect pending actions against that record before they execute rather than after. Keep the security memory and its schema explicit — the ablations show that dropping either the user-intent field or the attack-pattern field measurably raised attack success. Enforce a hard checkpoint so a blocked action stops the agent, and log the judge’s rationale so a steered trajectory is auditable afterward. Finally, MAGE’s own adaptive-attack tests are a reminder that any monitor is itself a target: unguarded shadow memory could be poisoned, and only the trained configuration held up when the adversary specifically targeted the memory and judge.

The authors are explicit about scope: MAGE was evaluated on two representative long-horizon attacks in single-agent settings, and they flag memory poisoning, goal drifting, coding and computer-use agents, and multi-agent extension as open work.

Status

AspectDetail
DisclosurearXiv preprint, submitted May 4, 2026
ClassDefense — trajectory-level runtime guardrail for long-horizon agent attacks
Tested onGPT-5.1, GPT-4o-mini, Qwen3-235B, Llama-3.3-70B agents; Qwen3-4B defense backbone
Attacks evaluatedSequential Tool-Attack Chaining (SHADE-Arena); persistent indirect prompt injection (AgentDojo)
ResultSTAC 100% → 8.3% ASR at 94.4% benign utility; PI2 → 0.0% ASR
Exploited in the wildNot reported; research finding

Sources