The Red Team That Never Sleeps: When Small Models Attack Large Ones

A 1.5-billion parameter model just learned to jailbreak GPT-5 Nano, Claude 3.5 Sonnet, and Gemini 2.5 Flash. It didn't need human creativity or domain expertise, just reinforcement learning and limited query access. Welcome to AutoInject, where the attacker is automated, the attacks are universal, and the safety testing never stops.

This isn't a thought experiment. In June 2025, a single crafted email exploited Microsoft 365 Copilot via zero-click prompt injection (CVE-2025-32711), exfiltrating data with no user interaction required. GitHub Copilot fell to code comments that instructed the model to enable "YOLO mode" and execute arbitrary commands. Lenovo's AI chatbot leaked session cookies through a single malicious prompt. Across 3,000 U.S. companies running AI agents, prompt injection incidents averaged 1.3 per day in 2025. The red team doesn't sleep because it doesn't need to. It's a loop of small models learning to break large ones.

The pattern emerging from recent research is stark: safety is becoming a runtime property, not a pre-deployment checkbox. The AI Safety Report 2026 provides the policy framework for this shift, arguing that continuous monitoring must replace point-in-time evaluations as AI systems gain autonomy. Automated attacks are cheap and continuous. Domain-specific failures escape generic benchmarks. And uncertainty, counterintuitively, can shrink through interaction, making agents more confident in their confusion.

The Economics of Adversarial Automation

Traditional red teaming has always been a bottleneck. Human red teamers are expensive, slow, and can't scale. Anthropic spent 150+ hours with biosecurity experts stress-testing Claude for harmful biological information. That's thorough, but it's not continuous. It's not even repeatable at scale.

AutoInject flips this model. A compact 1.5B-parameter policy trained with Group Relative Policy Optimization (GRPO) generates adversarial suffixes that work across unseen models and injection tasks. The approach yields two attack modes: online query-based attacks that jointly optimize for both attack success and utility preservation, and universal transferable suffixes that generalize as reusable attack primitives. On the AgentDojo benchmark spanning nine frontier models, AutoInject substantially outperformed baseline methods, not by being smarter, but by being relentless.

The asymmetry is what matters. A defender needs to protect against every possible attack. An attacker only needs to find one that works. When that attacker is a reinforcement learning loop running 24/7, the economics shift decisively. As one security framework notes, "attackers are automated-defenses should be too." But automation doesn't just level the playing field; it tilts it toward whoever runs the most experiments.

Where Generic Benchmarks Break

Standard safety evaluations assume adversaries are creative humans trying obvious attacks. Real adversaries are increasingly domain-specific and subtle. Consider financial RAG systems, where RAGAS hallucination detection failed on 83.5% of financial examples in benchmark testing. The ECLIPSE paper demonstrated a hallucination detection method achieving 0.89 AUC on financial question-answering, substantially outperforming existing approaches on failures that generic red teaming never surfaced.

This isn't an edge case. OWASP's LLM Top 10 for 2025 lists prompt injection as vulnerability #1, noting that "prompt injections don't need to be human-visible/readable, as long as the content is parsed by the model." Indirect prompt injection, where malicious instructions are hidden in documents, images, or RAG-retrieved content, accounts for an increasing share of real-world failures. Air Canada lost a lawsuit because their chatbot hallucinated a refund policy. A job seeker gamed an AI resume screener by hiding fake skills in light gray text. These aren't sophisticated attacks. They're domain-aware exploitation of known architectural weaknesses.

The problem is specificity. A model trained to refuse bioweapon instructions might confidently explain financial fraud. A system hardened against jailbreaks might leak data through RAG poisoning. Domain-specific red teaming finds these gaps, but only if someone thinks to look. Automated adversarial loops don't need intuition. They brute-force the possibility space until something breaks.

The Uncertainty Paradox

The Agent UQ paper introduces the first framework for agentic uncertainty quantification, and its findings are counterintuitive. Uncertainty can decrease mid-task, even when the agent is making mistakes. An agent querying its own knowledge might become more confident through interaction, not because it's learning correct information, but because repeated retrieval creates false consensus.

This matters because uncertainty is supposed to be a safety signal. If an agent knows it doesn't know something, it should abstain or escalate. But if uncertainty shrinks through self-consultation, the diagnostic fails. The agent becomes confidently wrong, the worst possible outcome in high-stakes domains like medical diagnosis or financial advice.

The paper's contribution is formalizing when uncertainty is reliable. In multi-step agentic workflows, epistemic uncertainty (model ignorance) interacts with aleatoric uncertainty (environmental noise) in unpredictable ways. A retrieval step might inject noise, lowering confidence. A reasoning step might compress that noise into a single confident prediction. The net effect depends on task structure, not just model quality.

This has implications for agents that reshape themselves. If an agent is rewriting its own prompts or training subroutines, uncertainty quantification becomes a moving target. The framework for measuring "what the agent doesn't know" must evolve as the agent evolves. We barely have vocabulary for this problem, let alone solutions.

The Defender's Dilemma

Here's the counterargument: automated red teaming helps defenders more than attackers. Anthropic and OpenAI both run automated adversarial loops precisely because continuous testing catches failures before deployment. Anthropic's red/blue team dynamic uses one model to generate attacks and another to fine-tune defenses, iterating repeatedly to harden against new vectors. OpenAI's research on diverse and effective red teaming with auto-generated rewards demonstrates that automation can discover edge cases humans miss.

The security argument is sound: 24/7 automated testing provides real-time insights into evolving attack surfaces. When red teaming tools circumvent endpoint detection and response (EDR) or network intrusion detection systems (NIDS), defenders gain clearer understanding of detection gaps. Running full automated kill-chain simulations increases testing frequency and consistency. As IBM's framework notes, enabling systems to "know what they don't know" is foundational for reliability.

But there's a catch. Open-sourcing adversarial frameworks accelerates both sides. AutoInject's code is publicly available on GitHub. The Evolve-CTF framework for adversarial code challenges is published. OWASP's prompt injection prevention cheat sheet catalogs attack patterns alongside mitigations. This transparency serves defense, but it also industrializes offense. The UK's National Cyber Security Centre warned in December 2025 that prompt injection "may never be fixed," not because defenses are impossible, but because the attack surface is fundamental to how LLMs process natural language.

The real question isn't whether automated red teaming helps. It's whether the help scales linearly or exponentially. If every new attack technique requires a bespoke defense, defenders fall behind. If defenses generalize across attack classes, they catch up. The research doesn't yet tell us which future we're in.

What Runtime Safety Actually Looks Like

If safety is a runtime property, what does runtime actually entail? The emerging answer is continuous adversarial loops, domain-specific hallucination detection, and uncertainty quantification integrated into agent decision-making, not as pre-deployment tests, but as ongoing processes.

For agents that rewrite themselves, this means safety checks aren't static gates but adaptive constraints. An agent modifying its own retrieval strategy should trigger uncertainty recalibration. An agent querying external APIs should sandbox responses through adversarial filters before integrating them into context. The practical guide to building agents emphasizes start-simple architectures, but "simple" no longer means "stateless." It means composable safety primitives that scale with agent capability.

This shift has precedent. Traditional software moved from static analysis to runtime monitoring as systems became dynamic. Firewalls evolved from packet filters to stateful inspection to behavior-based anomaly detection. The pattern is consistent: as systems gain autonomy, safety moves from design-time to runtime. LLM agents are following the same trajectory, but faster.

The technical debt accumulates quickly. A RAG system deployed six months ago wasn't designed for adversarial document poisoning. A code generation agent from last year doesn't quantify uncertainty over multi-step reasoning. Retrofitting these capabilities is harder than building them in, but the alternative, accepting that deployed agents are vulnerable by design, isn't tenable for production systems handling sensitive data or high-stakes decisions.

The Arms Race Has No Finish Line

Automated adversarial testing won't end with AutoInject. Small models attacking large ones is just the current equilibrium, one that shifts every time a new defense hardens the frontier. The next step is likely adversarial loops that adapt in real-time, learning from failed attacks to generate new variants mid-session. We already see this in Anthropic's iterative red/blue training. The gap between research prototype and production exploit is narrowing.

The optimistic case: defenders industrialize faster than attackers, and automated red teaming becomes a commoditized layer of the AI stack, bundled into frameworks, enabled by default, continuously running in the background. The pessimistic case: attack automation outpaces defense automation, and deploying an agent without 24/7 adversarial monitoring becomes negligence.

Either way, the red team doesn't sleep. The question is whether the blue team can keep up, or whether we're building systems that fundamentally can't be secured, only monitored as they fail.

What happens when the adversarial loop becomes the system itself? When agents reshape, audit, and trade with each other, who's red-teaming the red team?

Sources

Research Papers:

• AutoInject: Learning to Inject via Reinforcement Learning
• Agentic Uncertainty Quantification
• OpenAI: Diverse and Effective Red Teaming

Industry / Case Studies:

• OWASP LLM Top 10: Prompt Injection
• OWASP Prompt Injection Prevention Cheat Sheet
• Lakera: Indirect Prompt Injection Incidents
• RAG Hallucination Detection Benchmark
• Anthropic: Frontier Threats Red Teaming
• Anthropic: Challenges in Red Teaming AI Systems

Commentary:

• Understanding Reliability in AI: Uncertainty Quantification
• Galileo: AI Agent Reliability Metrics
• Mend.io: Automated Red Teaming Benefits
• CyCognito: Red Teaming in 2026
• Malwarebytes: NCSC Warns Prompt Injection May Never Be Fixed

Related Swarm Signal Coverage:

• Agents That Reshape, Audit, and Trade with Each Other
• From Prompt to Partner: Building Your First AI Agent
• Agents That Rewrite Themselves