Claude Sonnet demonstrated superior resilience against indirect prompt injection attacks in a comprehensive new security benchmark, achieving a 32% attack success rate compared to competitors ranging up to 81%. However, the findings reveal that all major AI models, including those from Anthropic, OpenAI, and Google, remain vulnerable to sophisticated attacks when deployed as autonomous agents in enterprise environments.

What Are Indirect Prompt Injection Attacks on AI Agents?

Indirect prompt injection represents a growing threat in AI-driven business applications. Unlike traditional prompt injection, which targets the AI model directly through user input, indirect attacks exploit the fact that AI agents often process content they don't control. When an AI agent reads an email from Gmail, pulls data from Salesforce, or retrieves information from other third-party services, malicious instructions hidden in that external content can trick the agent into performing unintended actions. This creates a security blind spot that most organizations haven't adequately addressed.

The risk becomes especially acute when agents have access to sensitive systems. If an AI agent can transfer money, delete records, or access confidential files, a successful indirect prompt injection attack could compromise data, drain accounts, or expose trade secrets. The integration of AI into enterprise workflows demands robust defenses, yet the threat landscape has evolved faster than security measures.

How Does the New AGENTREDBENCH Security Test Work?

• Scope of Testing: The benchmark evaluated 215 distinct authorization scenarios across 24 enterprise integrations, including popular tools like Gmail and Salesforce that millions of businesses rely on daily.
• Attack Diversity: The test included five different types of attacks spanning nine functional families, ensuring comprehensive coverage of real-world threat vectors rather than isolated edge cases.
• Model Coverage: Eight major AI models were tested, including Claude Sonnet from Anthropic, GPT models from OpenAI, and Gemini variants from Google, providing a representative snapshot of the current AI landscape.

AGENTREDBENCH isn't a static test that becomes obsolete. Instead, it functions as a dynamic tool designed to evolve alongside the technology it scrutinizes, allowing researchers and security teams to continuously assess new threats as they emerge.

Which Models Performed Best and Worst?

The results revealed striking differences in vulnerability across models. Claude Sonnet achieved the strongest baseline defense, with attackers succeeding only 32% of the time without any additional security measures. At the opposite end, Gemini 3 Flash showed significantly higher vulnerability, with attack success rates reaching 81%. This 49-percentage-point gap underscores that model architecture and training methodology directly influence security posture.

The variance matters because it suggests that some design choices inherently make AI agents more resistant to manipulation. Anthropic's Claude models, which the company has emphasized are built with safety considerations, demonstrated this advantage in real-world attack scenarios. However, even Claude Sonnet's 32% baseline means that roughly one in three attacks still succeeded without protective measures, highlighting that no model is immune.

What Is AGENTREDGUARD and How Effective Is It?

To address these vulnerabilities, researchers introduced AGENTREDGUARD, a specialized security model trained on a diverse corpus of adversarial tool-response content. Rather than trying to patch individual models, AGENTREDGUARD acts as a protective layer that sits between the AI agent and external data sources, filtering malicious instructions before they reach the agent.

The results were dramatic. AGENTREDGUARD reduced attack success rates to just 2.4% across all tested scenarios, while maintaining a false-positive rate of only 0.37%. This means the defense successfully blocked malicious attacks without incorrectly flagging legitimate business communications. The improvement represents a significant leap forward compared to existing open-source security tools like Llama Guard, PromptGuard 2, and ProtectAI.

What makes this particularly important is that AGENTREDGUARD doesn't require retraining the underlying AI model. Organizations can deploy it as an additional security layer without disrupting existing workflows or requiring expensive model updates. This practical advantage could accelerate adoption across enterprises concerned about agent security.

Why Does This Matter for Businesses Using AI Agents?

As AI agents increasingly handle sensitive business operations, the stakes grow higher. An agent with access to financial systems, customer databases, or proprietary information represents a potential attack surface that traditional cybersecurity measures don't adequately address. A successful indirect prompt injection could allow attackers to bypass authorization controls, extract confidential data, or execute unauthorized transactions.

The research team emphasized that this isn't a theoretical concern. By openly releasing the AGENTREDBENCH codebase, integration schemas, and the AGENTREDGUARD model itself, they're encouraging a community-driven approach to safeguarding AI infrastructure. This transparency allows security researchers, enterprises, and AI developers to collectively strengthen defenses rather than working in isolation.

The convergence of AI technologies and enterprise applications demands vigilance and innovation in equal measure. Organizations deploying AI agents in production environments should view this research as a wake-up call. The question is no longer whether indirect prompt injection attacks are possible, but whether your AI infrastructure can withstand them.