STAC: chaining benign tool calls to jailbreak AI agents
A research framework shows that a sequence of individually harmless tool calls can steer an agent into a harmful final action — bypassing frontier safety with over 90% success.
What is this?
Sequential Tool Attack Chaining (STAC) is a class of multi-turn attack against tool-enabled LLM agents, introduced in a paper first posted on arXiv in September 2025 and revised in February 2026 (arXiv:2509.25624). The core idea is simple to state and hard to defend against: instead of one obviously malicious request, the attacker leads the agent through a chain of tool calls that each look harmless on their own but that, taken together, accomplish a damaging outcome. The malicious intent only becomes visible at the final step.
The canonical example from the paper is data destruction assembled from routine housekeeping: an agent is walked through a file backup, then removal of “duplicate” files, then an “archive cleanup” — a sequence in which every action is reasonable in isolation, but whose net effect is to delete critical data. Because no single turn trips a safety check, conventional content-level guardrails see nothing to refuse.
How it works
STAC differs from a classic jailbreak in what it targets. A conventional jailbreak tries to make the model say something forbidden; STAC tries to make the agent do something forbidden through its tools, producing real changes in an external environment — a filesystem, a bank API, a workspace — that may not be reversible. That shift from generated text to executed action is what makes it a distinct agent-security problem rather than a chatbot problem.
The researchers built an automated pipeline to generate these attacks at scale, and understanding its four roles is enough to see why the technique is stealthy without needing any working attack code:
First, a generator plans a chain of two to six target tool calls that cumulatively reach a malicious goal, arranging things so every step but the last is benign in isolation. Second, a verifier actually executes each planned call in the target environment and revises any call that fails, guaranteeing the chain is realistically executable. Third, a prompt writer composes a synthetic, benign-looking multi-turn conversation that would plausibly lead an agent to those intermediate calls — building context without yet touching a live agent. Fourth, a planner takes that synthetic history and interactively drives a real agent to the final action, adapting in real time to the agent’s responses.
# Illustrative shape only — no operational payload
Turn 1 -> benign setup tool call (looks routine)
Turn 2 -> benign context-building call (looks routine)
...
Turn T -> final tool call (harm realized only here)
The distributed structure is the whole point: the malicious objective is spread across turns so it can only be recognized by reasoning over the full sequence. The paper deliberately withholds a turnkey exploit and instead documents the attack pattern and a benchmark for studying it.
Why it matters
The evaluation is what makes STAC worth attention. Across 483 generated cases spanning 1,352 user-agent-environment interaction sets — built on the SHADE-Arena environments (banking, travel, workspace, spam-filter management, extending AgentDojo) plus dozens sampled from Agent-SafetyBench, and organized around ten agent-specific failure modes — attack success rates exceeded 90% for most agents tested, including a highly capable frontier model. Success rose over successive turns, and the vulnerability held across model families and scales rather than being tied to one architecture.
The reason it generalizes is structural. Current agents execute tools step by step and judge each request more or less on its own; they rarely reason holistically about the cumulative effect of a whole action sequence. A model that reliably refuses a single dangerous instruction can still be walked to the same destination one innocuous step at a time. The paper also shows that a strong multi-turn jailbreak method designed for chatbots does not transfer well to this setting — corroborating separate work arguing that text-level safety does not automatically become tool-call safety (arXiv:2602.16943). Defending the words the model emits is not the same as defending the actions it takes.
Defenses
- Reason over the whole trajectory, not the latest turn. The paper’s most effective mitigation is a defense prompt that makes the agent weigh the harms and benefits of an action in the context of the entire interaction before executing it. A companion prompt has the agent summarize the user’s cumulative intent across all turns. These reduced attack success by up to 28.8% — meaningful, but far from a fix, since success remained at or above 58.6%.
- Do not rely on prompt-injection defenses for this. Techniques like spotlighting or datamarking, designed to separate instructions from data, gave limited protection here because STAC uses no injected instruction — every request is a legitimate user turn. Treat sequence-level intent as a separate control from injection filtering.
- Gate irreversible and high-impact tool calls. Require confirmation, dual control, or a cooling-off step for actions that delete data, move money, change permissions, or send messages externally. The final step is where harm crystallizes, so that is where a human-in-the-loop check pays off most.
- Constrain dangerous tool combinations. Map which tools, used together, can produce irreversible outcomes, and apply least privilege so a single agent session cannot both, say, enumerate and mass-delete, or read secrets and exfiltrate.
- Monitor at the sequence level. Behavioral telemetry that reconstructs the arc of a session — not just per-call allow/deny — is what surfaces a chain whose intent is only legible end to end. Log full tool-call histories and alert on patterns that assemble into high-impact effects.
- Test with multi-turn, tool-aware red teaming. Single-prompt and text-only jailbreak suites will under-report this exposure. Evaluate agents against multi-step tool trajectories in realistic environments before deployment.
Status
| Item | Value |
|---|---|
| Technique | Sequential Tool Attack Chaining (STAC), multi-turn agent tool-use attack |
| First disclosed | arXiv preprint, September 2025 (revised February 2026) |
| Scope | 483 cases / 1,352 interaction sets; SHADE-Arena + Agent-SafetyBench; 10 failure modes |
| Measured impact | Attack success >90% for most agents tested, including a frontier model |
| Best documented defense | Reasoning-/intent-summarization defense prompt — up to 28.8% ASR reduction (residual ASR ≥58.6%) |
| Nature | Research finding, defensive framing; no operational exploit released |
Key dates: September 2025 — STAC first posted to arXiv. February 2026 — revised version. The work is a benchmark and defense study, not an in-the-wild incident against a named product.
This article summarizes publicly available security research for defensive purposes and intentionally omits any working attack code.
Sources
- → https://arxiv.org/abs/2509.25624
- → https://arxiv.org/html/2509.25624v1
- → https://openreview.net/forum?id=8nTMKYHkrV
- → https://www.researchgate.net/publication/396458907_The_Attacker_Moves_Second_Stronger_Adaptive_Attacks_Bypass_Defenses_Against_Llm_Jailbreaks_and_Prompt_Injections
- → https://arxiv.org/html/2602.16943v1