{"id":1152834,"date":"2025-11-04T09:00:00","date_gmt":"2025-11-04T17:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/?p=1152834"},"modified":"2025-12-19T06:47:05","modified_gmt":"2025-12-19T14:47:05","slug":"redcodeagent-automatic-red-teaming-agent-against-diverse-code-agents","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/research\/blog\/redcodeagent-automatic-red-teaming-agent-against-diverse-code-agents\/","title":{"rendered":"RedCodeAgent: Automatic red-teaming agent against diverse code agents"},"content":{"rendered":"\n
\"Icons<\/figure>\n\n\n\n

Introduction<\/h2>\n\n\n\n

Code agents are AI systems that can generate high-quality code and work smoothly with code interpreters. These capabilities help streamline complex software development workflows, which has led to their widespread adoption.<\/p>\n\n\n\n

However, this progress also introduces critical safety and security risks. Existing static safety benchmarks and red-teaming methods\u2014in which security researchers simulate real-world attacks to identify security vulnerabilities\u2014often fall short when evaluating code agents. They may fail to detect emerging real-world risks, such as the combined effects of multiple jailbreak tools. In the context of code, effective red-teaming requires more than simply checking whether the target code agent rejects unsafe requests. Instead, the agent must generate and execute correct code that performs the intended risky functionality, making it essential to evaluate execution behaviors beyond static code analysis. <\/p>\n\n\n\n

To address these challenges, researchers from the University of Chicago, University of Illinois Urbana\u2013Champaign, VirtueAI, the UK AI Security Institute, University of Oxford, UC Berkeley, and Microsoft Research recently proposed RedCodeAgent<\/a>, the first fully automated and adaptive red-teaming agent designed specifically to evaluate the safety of large language model\u00a0(LLM)-based code agents.<\/p>\n\n\n\n

Comprehensive experimental results demonstrate the effectiveness and efficiency of RedCodeAgent across (1) diverse Common Weakness Enumeration (CWE) vulnerabilities and malware types, (2) multiple programming languages\u2014including Python, C, C++, and Java\u2014and (3) a wide range of code agents, such as OpenCodeInterpreter, ReAct, MetaGPT, and commercial agents like Cursor and Codeium. RedCodeAgent also uncovers common vulnerabilities across agents such as generating and executing unsafe code, exposes variations in red-teaming difficulty across goals, identifies frequently triggered attack tools, and detects previously unknown vulnerabilities that all other baseline methods overlook. <\/p>\n\n\n\n

Framework for automatic red-teaming against code agents<\/h2>\n\n\n\n
\"A
Figure 1: Illustration of RedCodeAgent on automatic red-teaming against a target code agent <\/figcaption><\/figure>\n\n\n\n

As shown in Figure 1, RedCodeAgent is equipped with a memory module<\/strong> that accumulates successful attack experiences, enabling the system to continuously learn and adapt its attack strategies<\/strong>. After learning from the previous experiences, RedCodeAgent further leverages a tailored toolbox<\/strong> that combines representative red-teaming tools with a specialized code substitution module<\/strong>, enabling realistic and diverse code-specific attack simulations through function calling. Based on the target agent\u2019s responses across multiple interactive trials, RedCodeAgent optimizes its strategies, systematically probing for weaknesses and vulnerabilities in real time. <\/p>\n\n\n\n

In the evaluation phase, RedCodeAgent integrates simulated sandbox environments to enable code execution and assess the impact of the resulting behaviors. This sandbox-based evaluation ensures a more robust assessment of harmful behaviors and addresses the potential biases of previous static methods that rely solely on \u201cLLM-as-a-judge\u201d evaluations.<\/p>\n\n\n\n

A case study is shown in Figure 2. Initially, RedCodeAgent discovers that the request was rejected, then RedCodeAgent calls the Greedy Coordinate Gradient (GCG) algorithm to bypass the safety guardrail. After the second request was rejected by the code agent, RedCodeAgent invoked both Code Substitution and GCG to optimize the prompt. Ultimately, RedCodeAgent successfully combined the suggestion from Code Substitution (i.e., using pathlib) with the adversarial suffix generated by GCG, making the target code agent delete the specified file.<\/p>\n\n\n\n

\"A
Figure2. A case study of RedCodeAgent calling different tools to successfully attack the target code agent<\/figcaption><\/figure>\n\n\n\n

Insights from RedCodeAgent <\/h2>\n\n\n\n

Experiments on diverse benchmarks show that RedCodeAgent achieves both a higher attack success rate (ASR) and a lower rejection rate, revealing several key findings outlined below.<\/p>\n\n\n\n

Using traditional jailbreak methods alone does not necessarily improve ASR on code agents<\/h3>\n\n\n\n

The optimized prompts generated by GCG, AmpleGCG, Advprompter, and AutoDAN do not always achieve a higher ASR compared with static prompts with no jailbreak, as shown in Figure 3. This is likely due to the difference between code-specific tasks and general malicious request tasks in LLM safety. In the context of code, it is not enough for the target code agent to simply avoid rejecting the request; the target code agent must also generate and execute code that performs the intended function. Previous jailbreak methods do not guarantee this outcome. However, RedCodeAgent ensures that the input prompt has a clear functional objective (e.g., deleting specific sensitive files). RedCodeAgent can dynamically adjust based on evaluation feedback, continually optimizing to achieve the specified objectives.<\/p>\n\n\n\n

\"A
Figure 3\uff1aRedCodeAgent achieves the highest ASR compared with other methods<\/figcaption><\/figure>\n\n\n\n

RedCodeAgent exhibits adaptive tool utilization <\/h3>\n\n\n\n

RedCodeAgent can dynamically adjust its tool usage based on task difficulty. Figure 4 shows that the tool calling combination is different for different tasks. For simpler tasks, where the baseline static test cases already achieve a high ASR, RedCodeAgent spends little time invoking additional tools, demonstrating its efficiency. For more challenging tasks, where the baseline static test cases in RedCode-Exec achieve a lower ASR,we observe that RedCodeAgent spends more time using advanced tools like GCG and Advprompter to optimize the prompt for a successful attack. As a result, the average time spent on invoking different tools varies across tasks, indicating that RedCodeAgent adapts its strategy depending on the specific task. <\/p>\n\n\n\n

\"A
Figure 4: Average time cost for RedCodeAgent to invoke different tools or query the target code agent in successful cases for each risk scenario <\/figcaption><\/figure>\n\n\n\n

RedCodeAgent discovers new vulnerabilities<\/h3>\n\n\n\n

In scenarios where other methods fail to find successful attack strategies, RedCodeAgent is able to discover new, feasible jailbreak approaches. Quantitatively, we find that RedCodeAgent is capable of discovering 82 (out of 27*30=810 cases in RedCode-Exec benchmark) unique vulnerabilities on the OpenCodeInterpreter code agent and 78 on the ReAct code agent. These are cases where all baseline methods fail to identify the vulnerability, but RedCodeAgent succeeds.<\/p>\n\n\n\n

Summary<\/h2>\n\n\n\n

RedCodeAgent combines adaptive memory, specialized tools, and simulated execution environments to uncover real-world risks that static benchmarks may miss. It consistently outperforms leading jailbreak methods, achieving higher attack success rates and lower rejection rates, while remaining efficient and adaptable across diverse agents and programming languages.<\/p>\n","protected":false},"excerpt":{"rendered":"

Code agents help streamline software development workflows, but may also introduce critical security risks. Learn how RedCodeAgent automates and improves \u201cred-teaming\u201d attack simulations to help uncover real-world threats that other methods overlook.<\/p>\n","protected":false},"author":43518,"featured_media":1152887,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"msr-url-field":"","msr-podcast-episode":"","msrModifiedDate":"","msrModifiedDateEnabled":false,"ep_exclude_from_search":false,"_classifai_error":"","msr-author-ordering":null,"msr_hide_image_in_river":null,"footnotes":""},"categories":[1],"tags":[],"research-area":[13556,13558],"msr-region":[],"msr-event-type":[],"msr-locale":[268875],"msr-post-option":[269148,243984,269142,269145],"msr-impact-theme":[],"msr-promo-type":[],"msr-podcast-series":[],"class_list":["post-1152834","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research-blog","msr-research-area-artificial-intelligence","msr-research-area-security-privacy-cryptography","msr-locale-en_us","msr-post-option-approved-for-river","msr-post-option-blog-homepage-featured","msr-post-option-include-in-river","msr-post-option-pinned-for-river"],"msr_event_details":{"start":"","end":"","location":""},"podcast_url":"","podcast_episode":"","msr_research_lab":[199565],"msr_impact_theme":[],"related-publications":[],"related-downloads":[],"related-videos":[],"related-academic-programs":[],"related-groups":[437022],"related-projects":[],"related-events":[],"related-researchers":[{"type":"guest","value":"chengquan-guo-2","user_id":"1152980","display_name":"Chengquan Guo ","author_link":"Chengquan Guo <\/a>","is_active":true,"last_first":"Guo , Chengquan","people_section":0,"alias":"chengquan-guo-2"},{"type":"guest","value":"chulin-xie","user_id":"1152981","display_name":"Chulin Xie","author_link":"Chulin Xie<\/a>","is_active":true,"last_first":"Xie, Chulin","people_section":0,"alias":"chulin-xie"},{"type":"guest","value":"yu-yang","user_id":"1152982","display_name":"Yu Yang","author_link":"Yu Yang<\/a>","is_active":true,"last_first":"Yang, Yu","people_section":0,"alias":"yu-yang"},{"type":"guest","value":"zhaorun-chen","user_id":"1152983","display_name":"Zhaorun Chen","author_link":"Zhaorun Chen<\/a>","is_active":true,"last_first":"Chen, Zhaorun","people_section":0,"alias":"zhaorun-chen"},{"type":"user_nicename","value":"Zinan Lin","user_id":42327,"display_name":"Zinan Lin","author_link":"Zinan Lin<\/a>","is_active":false,"last_first":"Lin, Zinan","people_section":0,"alias":"zinanlin"},{"type":"guest","value":"xander-davies","user_id":"1152984","display_name":"Xander Davies","author_link":"Xander Davies<\/a>","is_active":true,"last_first":"Davies, Xander","people_section":0,"alias":"xander-davies"},{"type":"guest","value":"yarin-gal","user_id":"1152985","display_name":"Yarin Gal","author_link":"Yarin Gal<\/a>","is_active":true,"last_first":"Gal, Yarin","people_section":0,"alias":"yarin-gal"},{"type":"guest","value":"dawn-song-3","user_id":"1152986","display_name":"Dawn Song","author_link":"Dawn Song<\/a>","is_active":true,"last_first":"Song, Dawn","people_section":0,"alias":"dawn-song-3"},{"type":"guest","value":"bo-li-2","user_id":"1152987","display_name":"Bo Li","author_link":"Bo Li<\/a>","is_active":true,"last_first":"Li, Bo","people_section":0,"alias":"bo-li-2"}],"msr_type":"Post","featured_image_thumbnail":"\"white","byline":"","formattedDate":"November 4, 2025","formattedExcerpt":"Code agents help streamline software development workflows, but may also introduce critical security risks. Learn how RedCodeAgent automates and improves \u201cred-teaming\u201d attack simulations to help uncover real-world threats that other methods overlook.","locale":{"slug":"en_us","name":"English","native":"","english":"English"},"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/1152834","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/users\/43518"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/comments?post=1152834"}],"version-history":[{"count":18,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/1152834\/revisions"}],"predecessor-version":[{"id":1155359,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/1152834\/revisions\/1155359"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media\/1152887"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media?parent=1152834"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/categories?post=1152834"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/tags?post=1152834"},{"taxonomy":"msr-research-area","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/research-area?post=1152834"},{"taxonomy":"msr-region","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-region?post=1152834"},{"taxonomy":"msr-event-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-event-type?post=1152834"},{"taxonomy":"msr-locale","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-locale?post=1152834"},{"taxonomy":"msr-post-option","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-post-option?post=1152834"},{"taxonomy":"msr-impact-theme","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-impact-theme?post=1152834"},{"taxonomy":"msr-promo-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-promo-type?post=1152834"},{"taxonomy":"msr-podcast-series","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-podcast-series?post=1152834"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}