Saved in:
Bibliographic Details
Main Authors: Atta, Hammad, Huang, Ken, Lambros, Kyriakos Rock, Mehmood, Yasir, Baig, Zeeshan, Rahman, Mohamed Abdur, Bhatt, Manish, Haq, M. Aziz Ul, Aatif, Muhammad, Shahzad, Nadeem, Noor, Kamal, Narajala, Vineeth Sai, Ali, Hazem, Abed, Jamel
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2603.17239
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866917351214022656
author Atta, Hammad
Huang, Ken
Lambros, Kyriakos Rock
Mehmood, Yasir
Baig, Zeeshan
Rahman, Mohamed Abdur
Bhatt, Manish
Haq, M. Aziz Ul
Aatif, Muhammad
Shahzad, Nadeem
Noor, Kamal
Narajala, Vineeth Sai
Ali, Hazem
Abed, Jamel
author_facet Atta, Hammad
Huang, Ken
Lambros, Kyriakos Rock
Mehmood, Yasir
Baig, Zeeshan
Rahman, Mohamed Abdur
Bhatt, Manish
Haq, M. Aziz Ul
Aatif, Muhammad
Shahzad, Nadeem
Noor, Kamal
Narajala, Vineeth Sai
Ali, Hazem
Abed, Jamel
contents Agentic LLM systems equipped with persistent memory, RAG pipelines, and external tool connectors face a class of attacks - Logic-layer Prompt Control Injection (LPCI) - for which no automated red-teaming instrument existed. We present LAAF (Logic-layer Automated Attack Framework), the first automated red-teaming framework to combine an LPCI-specific technique taxonomy with stage-sequential seed escalation - two capabilities absent from existing tools: Garak lacks memory-persistence and cross-session triggering; PyRIT supports multi-turn testing but treats turns independently, without seeding each stage from the prior breakthrough. LAAF provides: (i) a 49-technique taxonomy spanning six attack categories (Encoding~11, Structural~8, Semantic~8, Layered~5, Trigger~12, Exfiltration~5; see Table 1), combinable across 5 variants per technique and 6 lifecycle stages, yielding a theoretical maximum of 2,822,400 unique payloads ($49 \times 5 \times 1{,}920 \times 6$; SHA-256 deduplicated at generation time); and (ii) a Persistent Stage Breaker (PSB) that drives payload mutation stage-by-stage: on each breakthrough, the PSB seeds the next stage with a mutated form of the winning payload, mirroring real adversarial escalation. Evaluation on five production LLM platforms across three independent runs demonstrates that LAAF achieves higher stage-breakthrough efficiency than single-technique random testing, with a mean aggregate breakthrough rate of 84\% (range 83--86\%) and platform-level rates stable within 17 percentage points across runs. Layered combinations and semantic reframing are the highest-effectiveness technique categories, with layered payloads outperforming encoding on well-defended platforms.
format Preprint
id arxiv_https___arxiv_org_abs_2603_17239
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle LAAF: Logic-layer Automated Attack Framework A Systematic Red-Teaming Methodology for LPCI Vulnerabilities in Agentic Large Language Model Systems
Atta, Hammad
Huang, Ken
Lambros, Kyriakos Rock
Mehmood, Yasir
Baig, Zeeshan
Rahman, Mohamed Abdur
Bhatt, Manish
Haq, M. Aziz Ul
Aatif, Muhammad
Shahzad, Nadeem
Noor, Kamal
Narajala, Vineeth Sai
Ali, Hazem
Abed, Jamel
Cryptography and Security
Agentic LLM systems equipped with persistent memory, RAG pipelines, and external tool connectors face a class of attacks - Logic-layer Prompt Control Injection (LPCI) - for which no automated red-teaming instrument existed. We present LAAF (Logic-layer Automated Attack Framework), the first automated red-teaming framework to combine an LPCI-specific technique taxonomy with stage-sequential seed escalation - two capabilities absent from existing tools: Garak lacks memory-persistence and cross-session triggering; PyRIT supports multi-turn testing but treats turns independently, without seeding each stage from the prior breakthrough. LAAF provides: (i) a 49-technique taxonomy spanning six attack categories (Encoding~11, Structural~8, Semantic~8, Layered~5, Trigger~12, Exfiltration~5; see Table 1), combinable across 5 variants per technique and 6 lifecycle stages, yielding a theoretical maximum of 2,822,400 unique payloads ($49 \times 5 \times 1{,}920 \times 6$; SHA-256 deduplicated at generation time); and (ii) a Persistent Stage Breaker (PSB) that drives payload mutation stage-by-stage: on each breakthrough, the PSB seeds the next stage with a mutated form of the winning payload, mirroring real adversarial escalation. Evaluation on five production LLM platforms across three independent runs demonstrates that LAAF achieves higher stage-breakthrough efficiency than single-technique random testing, with a mean aggregate breakthrough rate of 84\% (range 83--86\%) and platform-level rates stable within 17 percentage points across runs. Layered combinations and semantic reframing are the highest-effectiveness technique categories, with layered payloads outperforming encoding on well-defended platforms.
title LAAF: Logic-layer Automated Attack Framework A Systematic Red-Teaming Methodology for LPCI Vulnerabilities in Agentic Large Language Model Systems
topic Cryptography and Security
url https://arxiv.org/abs/2603.17239