Contents
In brief
LLMs find severe software vulnerabilities; agents are increasingly abused for cyberattacks. Attackers split harmful work across many accounts so each transcript looks benign — danger appears only in aggregate. Monitors that score one context at a time miss this structurally.
What they studied
The authors build a distributed agent attack scaffold that completes hard security tasks while hiding the objective across subagents. A standard monitor catches it five times less often than prior single-account attacks.
Their defense is a stateful online monitor: weak suspicion signals are clustered across transcripts; a heavy LLM runs only on escalation. On simulated datacenter traffic it detects distributed attacks ~30% earlier with negligible added latency for ~99% of benign traffic.
Key findings
- Agent safety cannot rely on single-session analysis alone.
- Aggregate weak signals + rare escalation beats scoring every turn with a large model.
- After red-teaming, the same pipeline also catches standard jailbreaks when attackers reuse variants across accounts.
What this means for developers
- Add a cross-user monitoring layer for multi-tenant agent APIs.
- Store behavior aggregates, not just the latest prompt.
- Escalate to LLMs sparingly — cheap heuristics and clustering first.
- Red-team task splitting across sessions, not only one-shot malicious prompts.
Limitations
Evaluated on simulated traffic; thresholds need product-specific tuning. Advantage narrows as benign background traffic grows very large.

