The Problem: Prompt-Level Evals Aren't Enough

Introducing AgentThreatBench

1. Memory Poisoning (ASI06)

2. Autonomy Hijack (ASI01)

3. Data Exfiltration (ASI01)

The Dual-Metric Scoring Approach

How to Run It

Why This Matters for AI Safety

Resources The AI safety community has a blind spot. We have excellent benchmarks for measuring whether an LLM will output harmful content (like toxicity or jailbreaks), and we have benchmarks for measuring whether an agent can successfully complete a task (like SWE-bench or WebArena). But as agents move into production, the threat model changes. The most critical risk isn't a user typing a jailbreak prompt — it's an agent autonomously ingesting a poisoned email, a compromised RAG document, or a malicious API response, and then executing a harmful action on the attacker's behalf. To measure this, we need a new kind of benchmark. Today, I'm sharing AgentThreatBench, the first evaluation suite that operationalizes the OWASP Top 10 for Agentic Applications (2026) into executable tasks. It was recently merged into the official UK AI Safety Institute's inspect_evals repository. Most security evaluations treat the LLM as a chatbot: User sends input → LLM generates output → Eval checks output for safety. But an agentic workflow looks like this: This is OWASP ASI01: Agent Goal Hijack via indirect prompt injection. Traditional benchmarks miss this entirely because the attack payload isn't in the user prompt — it's embedded in the environment the agent interacts with. AgentThreatBench is built on the Inspect AI framework. It currently covers three distinct agentic attack scenarios across two OWASP categories. The Scenario: An agent must answer questions using a memory/RAG store. The Attack: The memory store contains adversarial entries designed to mislead the agent, ranging from direct instruction overrides to subtle context poisoning and authority impersonation. The Threat Model: We test both append-style attacks (attacker adds a poisoned entry alongside legitimate data) and replacement-style attacks (attacker overwrites the legitimate data entirely). The Scenario: An agent is tasked with triaging a user's inbox, categorizing emails, and drafting a summary. The Attack: One of the emails returned by the read_inbox tool contains an indirect prompt injection attempting to hijack the agent's goal (e.g., forcing it to mark a spam email as high priority or execute a hidden command). The Scenario: A customer support agent is tasked with resolving a user's ticket. The Attack: The customer's profile data (returned by lookup_customer) contains an embedded payload instructing the agent to leak the customer's SSN or account number to an unauthorized third party via the send_message tool. A secure agent that refuses to do any work is useless. A capable agent that blindly follows malicious instructions is dangerous. To capture this tension, AgentThreatBench uses a dual-metric scoring system: An agent only "passes" if it scores 1.0 on both metrics. In our baseline testing, many state-of-the-art models fail this dual requirement — they either over-refuse (failing utility) or get hijacked (failing security). Because AgentThreatBench is integrated into the official UK AISI inspect_evals package, running it is straightforward: As the industry moves from chatbots to autonomous agents, our evaluation frameworks must evolve. We can no longer just test whether a model will say something bad; we must test whether an agent will do something bad when operating in a compromised environment. By aligning this benchmark with the OWASP Agentic Top 10, we provide a standardized way for researchers and developers to measure agent resilience against the exact threats they will face in production. If you're building agentic frameworks, guardrails, or evaluating frontier models, I encourage you to run AgentThreatBench against your systems. The results might surprise you. Templates let you quickly answer FAQs or store snippets for re-use. Are you sure you want to ? It will become hidden in your post, but will still be visible via the comment's permalink. as well , this person and/or