Past SAST: Automating AI Agent Safety with Nemesis

In 2025, safety researchers at Intention Labs found EchoLeak, a zero-click immediate injection vulnerability in Microsoft 365 Copilot. The assault was deceptively easy: an attacker sends a benign-looking e mail with hidden directions embedded in its formatting. When Copilot processes the e-mail, it silently follows these injected prompts, bypassing Microsoft’s security classifiers totally and extracting the consumer’s complete chat historical past, referenced recordsdata, and delicate knowledge, then exfiltrates it to an attacker-controlled server by way of trusted domains like Microsoft Groups.

No malware. No phishing hyperlink. No code. Simply phrases injected in an e mail, and an AI assistant doing precisely what it was designed to do: be useful.

Microsoft patched it rapidly and acknowledged no clients had been affected. However EchoLeak revealed a wholly new class of risk: LLM scope violations, the place the assault floor is within the mannequin’s reasoning as a substitute of the code. SAST, DAST, antivirus, and static file scanning are all structurally blind to payloads written in pure language.

As GoDaddy deploys Generative AI brokers that work together with buyer knowledge, and take actual actions, this assault floor grows dramatically. Immediate injection, jailbreaks, social engineering, these are cognitive vulnerabilities that stay within the hole between what the mannequin was advised to do and what a motivated adversary can persuade it to do. The present mitigation is handbook red-teaming. Safety engineers spending hours crafting adversarial prompts, and testing one agent at a time. This strategy does not scale, it blocks releases, and it might probably’t maintain tempo with a rising fleet of AI brokers. We would have liked to automate this course of.

Venture Nemesis inverts the normal AI testing mannequin. It’s an automatic red-teaming framework developed at GoDaddy to repeatedly stress-test our Generative AI brokers in opposition to agent particular social engineering assaults. As a substitute of scheduling periodic handbook safety critiques, it runs as an automatic nightly cron job. Each day, an adversarial agent wages a contemporary marketing campaign in opposition to our AI fashions whereas the staff sleeps. By morning, engineers have a safety scorecard ready.

The core thought is to pit an LLM in opposition to an LLM in a managed and observable area so we are able to discover the cracks in our agent’s guardrails earlier than a malicious hacker does.

The LLM-vs-LLM fight area

We have constructed a fight area consisting of three agent personas- the Attacker, the Defender, and the Decide. The next picture illustrates 4 attackers getting initialised to focus on the Defender agent inside the sector:

The Attacker (Crimson Workforce) runs a number of dialog threads powered by Microsoft’s PyRIT framework, utilizing any LLM of alternative (GPT-4, Claude, Llama, or any mannequin accessible by way of an API gateway). Every thread is loaded with assault eventualities tailor-made to the goal agent’s particular system immediate and guidelines, alongside a library of generic eventualities. A number of attackers can run in parallel for a extra strong, however time environment friendly testing.

The assault eventualities usually are not a static immediate checklist. PyRIT runs a stateful suggestions loop: the attacker sends a immediate, a scorer evaluates the goal’s response, and each the decision and the total response are fed again into the attacker’s context. The attacker does not simply understand it failed; it is aware of how the goal refused and adapts its subsequent transfer accordingly. After the defending mannequin partially complies in early turns, it tends to maintain the assaults constant, making additional compliance extra seemingly. Lengthy conversations push security directions out of the mannequin’s consideration window, and gradual escalation disguises harmless-looking steps that collectively cross a safety boundary.

PyRIT orchestrates this by means of methods like Crescendo, which begins with harmless requests and slowly escalates towards the target, and Tree of Assaults with Pruning, which explores a number of assault paths in parallel, doubling down on promising instructions and discarding useless ends.

The Defender (Blue Workforce) is the goal AI agent beneath check. It receives adversarial inputs by means of the identical API floor it makes use of in manufacturing, guaranteeing the check displays real-world situations.

The Decide (Referee) is a separate LLM occasion, that evaluates every attacker-vs-target dialog together with the goal’s safety guidelines, returning a structured JSON verdict (success, severity, confidence, reasoning, proof, violated guidelines). Severity is classed into the next 4 tiers based mostly on influence scope:

Particular person severities feed into an mixture rating: the bottom is the proportion of assaults blocked, minus the weighted penalties proven above, producing a 0–100 rating with a letter grade. Attackers can use this rating to refine their technique, and builders can use it to gauge their agent’s efficiency.

Nemesis produces a Safety Scorecard for each run containing violation summaries (Crucial, Medium, Low counts), per-scenario outcomes exhibiting which methods succeeded and which had been deflected, redacted dialog excerpts for each detected violation, and hardening suggestions that spotlight the particular sentences within the system immediate that must be strengthened.
The next photos present a redacted attacker-versus-target dialog hint and the ultimate Safety Scorecard generated for your complete run:

The prompt-drift downside

AI brokers evolve always. System prompts get up to date, guidelines get added, safety constraints shift. An adversarial check suite that was complete final week is likely to be irrelevant after a immediate replace.

Nemesis handles this by means of automated prompt-drift detection. On each run, the framework checks for modifications within the system immediate by evaluating commit SHAs. If the immediate has modified, the up to date file is retrieved and despatched to an LLM that intelligently updates the assault situation library: including new eventualities that probe modified constraints, modifying current ones, and retiring these concentrating on guidelines that not exist. The adversarial check suite stays present with zero handbook intervention.

Maintaining the Attacker within the sandbox

Constructing a system that tries to hack your individual AI brokers raises an apparent concern: what if it by accident targets manufacturing?

Nemesis implements a number of layers of isolation. Endpoint allowlisting validates each configured URL on startup in opposition to non-production hostname patterns; if any resolves to manufacturing, the framework refuses to begin. PII and secret redaction scans all dialog logs and stories earlier than they’re written, masking API keys, tokens, SSNs, bank card numbers, emails, cellphone numbers, and IP addresses throughout each report path. Ephemeral storage (RAM) holds dialog historical past in in-memory SQLite; when the method exits, the adversarial dialogue is gone and solely the redacted report survives.

If the attacker efficiently performs a breach, the developer staff is alerted with all the mandatory particulars as illustrated within the following picture:

Scaling past a single agent

The core Nemesis engine (area orchestration, attacker methods, decide framework, and report era) is totally agent-agnostic. All target-specific code lives in every agent’s personal repository. For safety crimson teaming, “clone the template and configure” sounds easy, however the true onboarding problem is crafting the correct assault eventualities and decide standards for every agent’s distinctive risk profile which isn’t only a generic guidelines.

Nemesis addresses this by delivery a situation template that groups populate based mostly on their agent’s system immediate, together with a decide configuration information that maps the agent’s guidelines to violation severity tiers. The framework auto-generates a baseline situation library from the system immediate utilizing an LLM, which groups then evaluation and refine. The prompt-drift pipeline retains these eventualities present because the agent evolves.

The result’s that every agent will get a red-teaming suite that exams its particular safety posture, working inside its personal CI pipeline, with no modifications to the Nemesis core.

The next diagram illustrates how NEMESIS separates its reusable red-team engine from the target-specific code that lives within the agent’s repo, alongside the end-to-end attack-evaluate-report move:

From reactive patching to proactive hardening

With out Nemesis, the safety mannequin for AI brokers is reactive: deploy, look forward to one thing unhealthy to occur, patch, redeploy; that meant safety was all the time trailing behind improvement.

Nemesis breaks that cycle. A developer pushes a immediate change, and by the following morning an adaptive attacker has already tried to take advantage of it from each angle it might probably discover. The scorecard tells them precisely what held and what did not. Over time, as brokers get hardened in opposition to every nightly marketing campaign, the safety baseline ratchets upward, that is the distinction between including guardrails and proving they work.