T-MAP: Red-Teaming Framework for LLM Agents Targeting MCP Ecosystem
T-MAP (Trajectory-aware MAP) is a new research framework from KAIST for red-teaming LLM agents, specifically targeting vulnerabilities in the rapidly growing MCP (Model Context Protocol) ecosystem. The paper has received 29 upvotes on HuggingFace Daily Papers.
While prior red-teaming focused on eliciting harmful text from LLMs, T-MAP addresses agent-specific vulnerabilities that emerge through multi-step tool execution. It uses execution trajectories to guide the discovery of adversarial prompts that bypass safety guardrails and realize harmful objectives through actual tool interactions.
The method maintains a multidimensional archive spanning risk categories and attack styles, using a four-step iterative cycle: Cross-Diagnosis extracts success factors and failure causes from past prompts, which combined with a learned Tool Call Graph (TCG), guides mutation of new attack prompts.
Empirical evaluations across diverse MCP environments show T-MAP substantially outperforms baselines in attack realization rate and remains effective against frontier models including GPT-5.2, Gemini-3-Pro, and Qwen3.5. This is timely during RSAC 2026 week, as agent security becomes the industry's top priority.
https://arxiv.org/abs/2603.22341
https://github.com/pwnhyo/T-MAP
← Back to all articles
While prior red-teaming focused on eliciting harmful text from LLMs, T-MAP addresses agent-specific vulnerabilities that emerge through multi-step tool execution. It uses execution trajectories to guide the discovery of adversarial prompts that bypass safety guardrails and realize harmful objectives through actual tool interactions.
The method maintains a multidimensional archive spanning risk categories and attack styles, using a four-step iterative cycle: Cross-Diagnosis extracts success factors and failure causes from past prompts, which combined with a learned Tool Call Graph (TCG), guides mutation of new attack prompts.
Empirical evaluations across diverse MCP environments show T-MAP substantially outperforms baselines in attack realization rate and remains effective against frontier models including GPT-5.2, Gemini-3-Pro, and Qwen3.5. This is timely during RSAC 2026 week, as agent security becomes the industry's top priority.
https://arxiv.org/abs/2603.22341
https://github.com/pwnhyo/T-MAP
Comments