HackerTrans
TopNewTrendsCommentsPastAskShowJobs

zachdotai

no profile record

Submissions

AI evaluation startup Braintrust confirms breach

techcrunch.com
4 points·by zachdotai·2 ay önce·1 comments

I built an agent that breaks your AI agents before someone else does

fabraix.com
3 points·by zachdotai·3 ay önce·4 comments

Bret Taylor's Sierra Buys YC-Backed AI Startup Fragment

techcrunch.com
2 points·by zachdotai·3 ay önce·0 comments

Show HN: Nyx – multi-turn, adaptive, offensive testing harness for AI agents

fabraix.com
20 points·by zachdotai·3 ay önce·8 comments

Workshop Labs Is Joining Thinking Machines

workshoplabs.ai
2 points·by zachdotai·3 ay önce·0 comments

Show HN: ACE – A dynamic benchmark measuring the cost to break AI agents

fabraix.com
9 points·by zachdotai·3 ay önce·3 comments

We've had more AI security incidents in 2026 than all of 2024

fabraix.com
4 points·by zachdotai·3 ay önce·0 comments

NeurIPS Tightens Sanctions Compliance

neurips.cc
2 points·by zachdotai·4 ay önce·0 comments

SWE-bench will hit 90% this year

fabraix.com
2 points·by zachdotai·4 ay önce·0 comments

Cursor trained Composer to self-summarize through RL instead of a prompt

cursor.com
1 points·by zachdotai·4 ay önce·0 comments

Stripe-backed startup Tempo releases the Machine Payments Protocol

fortune.com
12 points·by zachdotai·4 ay önce·0 comments

Show HN: Open-source playground to red-team AI agents with exploits published

github.com
30 points·by zachdotai·4 ay önce·13 comments

Weekly "Wordle" for Breaking AI Agents

playground.fabraix.com
1 points·by zachdotai·4 ay önce·0 comments

My First AI Bug Bounty – A Technique for AI Recon – Peter Hendy

peterhendy.dev
2 points·by zachdotai·5 ay önce·0 comments

Expanding our long-running agents research preview · Cursor

cursor.com
1 points·by zachdotai·5 ay önce·0 comments

Weekly "Wordle" for Breaking AI Agents

playground.fabraix.com
2 points·by zachdotai·5 ay önce·1 comments

AI agents are easy to break

github.com
4 points·by zachdotai·5 ay önce·6 comments

Show HN: Fabraix Playground – Weekly Wordle for Breaking AI Agents

playground.fabraix.com
5 points·by zachdotai·5 ay önce·1 comments

comments

zachdotai
·12 gün önce·discuss
We're building open source challenges where you can inspect the actual agent to see if it's possible or not. We're planning to revamp this over the next couple of days and maintain a weekly cadence. https://playground.fabraix.com/
zachdotai
·3 ay önce·discuss
I wrote about this recently here: https://fabraix.com/blog/adversarial-cost-to-exploit

I think the core issue is in static benchmarks and the community needs to start moving beyond measuring pass/fail (which worked when agents were incapable of doing much of the work) to dynamic evals that simulate more how we evaluate humans.
zachdotai
·3 ay önce·discuss
We're doing that internally to continuously improve our own agent and make it robust against adversarial attacks itself. We will release some insights about self-improvement soon!
zachdotai
·3 ay önce·discuss
AI agents break in ways traditional software doesn't. Logic bugs, reasoning failures, edge cases that manual testing and static benchmarks don't fully explore.

Nyx is an autonomous adversarial harness that probes your agents for vulnerabilities. Since agents are non-deterministic, it can be hard to find the gaps by just reading code. So it interacts with your AI agents in blackbox mode to surface issues across security, logic, and alignment at scale, before they reach users. It's also massively parallel by default

Instead of spending time writing static evals for the key failure modes of your AI agents, point Nyx at any system and it autonomously discovers failure modes that matter. It can typically find issues in under 10 minutes that manual audits take hours to surface.

This is early work and we know the methodology is still going to evolve. We would love nothing more than feedback from the community as we iterate on this.
zachdotai
·3 ay önce·discuss
Why did I read this title and immediately think Ketchup?
zachdotai
·3 ay önce·discuss
[dead]
zachdotai
·3 ay önce·discuss
Yes! The docs can be found here: https://docs.fabraix.com
zachdotai
·3 ay önce·discuss
We wrote some thoughts on static vs. dynamic evals and how it relates to understanding the security posture of an AI system. Static security evals no longer carry the signal they used to. A one-shot pass/fail tells you almost nothing about real-world risk.

Would love your thoughts on this: https://fabraix.com/blog/adversarial-cost-to-exploit
zachdotai
·3 ay önce·discuss
we did a lot of thinking around this topic. and distilled it into a new way to dynamically evaluate the security posture of an AI system (which can apply for any system for that matter). we wrote some thoughts on this here: https://fabraix.com/blog/adversarial-cost-to-exploit
zachdotai
·3 ay önce·discuss
Easily one of my favorite LLM personalities! It's interesting as well that it recognizes you're trying to jailbreak it and calls you out for it :D
zachdotai
·3 ay önce·discuss
Not sure which version of Gemini are you using but Claude is so much better for me. Gemini is generally overeager to make a code change even when I am just asking conceptual questions, among other issues.
zachdotai
·4 ay önce·discuss
Yup! But in my opinion the current state of guardrails is still lacking and I hope this is one way that helps improve our understanding of these systems.
zachdotai
·4 ay önce·discuss
Yeah it's closer to how you'd think about deceiving a person than exploiting software.
zachdotai
·4 ay önce·discuss
That's amazing! Just checked the logs and you're right, it's in there. Nice work.

I've patched the playground so successful extractions now show a confirmation, and added your name to the leaderboard.

Would love to chat about your thought process if you're up for it. Any suggestions or feedback welcome too - [email protected]
zachdotai
·4 ay önce·discuss
The agent isn’t stateful across sessions, but the guardrail layer is — it has access to the full conversation history when evaluating each tool call. So you’d think it would catch exactly the kind of multi-step pattern you’re describing.

Have you managed to make it work?
zachdotai
·4 ay önce·discuss
Mostly just better training data and instruction following in the newer models. They’re much better at recognising encoded content and understanding intent regardless of language. A base64 string that would’ve slipped past a model a year ago gets decoded and flagged now because the model just… understands what you’re trying to do.

The attacks that still work tend to be the ones that don’t try to hide the intent at all. The winning attack on our first challenge was in plain English. It just reframed the context so that the dangerous action looked like the correct thing to do. Harder to train against because there’s nothing obviously malicious in the input.
zachdotai
·4 ay önce·discuss
Scoped keys and least privilege make sense as a baseline. But I think the deeper issue is that if the main answer to “agents aren’t reliable enough” is “limit what they can do,” we’re leaving most of the value on the table. The whole promise of agents is that they can act autonomously across systems. If we scope everything down to the point where an agent can’t do damage, we’ve also scoped it down to where it can’t do much useful work either.

We think the more interesting problem is closing the trust gap - making the agent itself more reliable so you don’t have to choose between autonomy and reliability. Our goal is to ultimately be able to take on the liability when agents fail.
zachdotai
·4 ay önce·discuss
Thanks for trying it out! Base64 and language switching are solid approaches but they don't tend to work anymore with the latest models in my experience.

You're right that LLM-as-a-judge is fragile though. We saw that as well in the first challenge. The attacker fabricated some research context that made the guardrail want to approve the call. The judge's own reasoning at the end was basically "yes this normally violates the security directive, but given the authorised experiment context it's fine." It talked itself into it.

Full transcript and guardrail logs are published here btw: https://github.com/fabraix/playground/blob/master/challenges...

The leaderboard should start populating once we have more submissions!
zachdotai
·5 ay önce·discuss
Tool invocation. Each time the agent emits a tool call, the evaluator assesses it against the original task intent plus a rolling window of recent tool results.

We tried coarser units (plan nodes, full steps) but drift compounds fast, by the time a step finishes, the agent may have already chained 3-4 bad calls. Tool-level gives the tightest correction loop. The cost is ~200ms latency per invocation. For hot paths we sample (every 3rd call, or only on tool-category changes) rather than evaluate exhaustively.
zachdotai
·5 ay önce·discuss
Basically through two layers. Hard rules (token limits, tool allowlists, banned actions) trigger an immediate block - no steering, just stop. Soft rules use a lightweight evaluator model that scores each step against the original task intent. If it detects semantic drift over two consecutive steps, we inject a corrective prompt scoped to that specific workflow.

The key insight for us was that most failures weren't safety-critical, they were the agent losing context mid-task. A targeted nudge recovers those. Generic "stay on track" prompts don't work; the correction needs to reference the original goal and what specifically drifted.

Steer vs. kill comes down to reversibility. If no side effects have occurred yet, steer. If the agent already made an irreversible call or wrote bad data, kill.