An unreviewed arXiv preprint posted on 14 July 2026 describes a system called AHA that turns one AI agent loose to automatically discover vulnerabilities in another, testing Claude Code and Codex across three attack scenarios [S1]. The authors report that a frozen knowledge graph of confirmed flaws outperforms the strongest baseline by 14.2 percentage points, and transfers across attack channels [S1]. If that transferability holds up, it changes who can find AI agent weaknesses, and how fast, before anyone outside a vendor's security team notices.
How the attack loop works
The system, built by researchers at City University of Hong Kong, runs a six-step cycle [P2, S1]. It proposes a vulnerability hypothesis, builds a falsifier (a test that would prove the hypothesis wrong), instantiates a real attack, runs it inside a sandboxed harness, reflects on what happened, and if the attack succeeds, promotes the finding into a structured knowledge graph called a Vulnerability Concept Graph, or VCG [S1].
Each entry in the VCG connects an attacker-facing surface to a specific unsafe agent trajectory. It records the claim, the conditions that enable it, the falsifier, a transfer prediction, and supporting evidence [S1]. Think of it as a field guide to how agents fail under adversarial pressure, with each entry cross-referenced so the next round of testing can build on what was already found.
The authors tested AHA against Claude Code and Codex, two production coding agents, across three scenarios covering both direct and indirect attacks [S1]. Direct attacks try to manipulate the agent through its own input. Indirect attacks hide malicious instructions in data the agent reads from its environment, like a file or a web page.
The 14.2-point gap
The headline number: a frozen VCG, meaning one that requires no further search, outperforms the strongest frozen discovery baseline by 14.2 percentage points under the same single-shot protocol [S1]. The authors also claim the VCG transfers across scenarios and attack channels, and that the discovered concepts reveal a reusable vulnerability core across models and agents [S1].
That last claim matters because it suggests the flaws are not random. If the same vulnerability patterns show up across different agents and different attack surfaces, then a security team could patch an entire class of problems rather than chasing individual bugs.
The code is public on GitHub under an MIT licence [S1, P4].
What it means
Red-teaming, the practice of attacking your own system to find weaknesses before adversaries do, has been a manual and expensive process. Human testers probe agents, document findings, and hope they have covered enough ground. AHA proposes a different model: let an agent do the probing, and let it build a structured, auditable record of what it finds [S1].
The VCG is the key idea here. It is a graph that links how an attacker reaches an agent to what the agent does wrong, with enough structure that a safety team can inspect each finding, validate a patch against it, and accumulate knowledge over time [S1]. That last point, accumulation, is what separates this from one-off fuzzing. Each testing cycle adds to the graph rather than starting from scratch.
This connects to a broader wave of agent security work. AHA sits in the same ecosystem: it is an offensive tool that produces the kind of structured vulnerability data defensive systems need to work against.
What it means for business
For a two-person AI startup shipping a coding agent, this research matters in two ways. First, it suggests that the cost of finding agent vulnerabilities is dropping. A system like AHA could, if it matures, let a small team run automated red-teaming against their own product before launch, rather than hiring a dedicated security firm. Second, the VCG format gives a startup something concrete to show auditors, investors, or enterprise customers who ask about safety testing: a structured, inspectable record of known vulnerabilities and what was done about them.
For a larger company running agents in production, the transferability claim is the one to watch. If the same vulnerability patterns recur across Claude Code, Codex, and other agents, then a VCG built against one model could surface problems in another before they are exploited. That would change how security teams allocate testing time.
The code is open source, so a technical team can clone the repository and run it against their own agent today [P4]. The caveat: this is an unreviewed preprint, and the authors tested only two agents. Whether the results generalise to other production agents is unknown.
What we don't know yet
The paper has not been peer-reviewed, and all findings are self-reported by the authors [S1]. The 14.2 percentage point improvement has not been independently verified by a third party. Neither Anthropic (maker of Claude Code) nor OpenAI (maker of Codex) has publicly acknowledged or validated the discovered vulnerabilities, and there is no evidence the flaws are being exploited in the wild.
The transferability claim, that a VCG built for one agent predicts vulnerabilities in another, rests on the authors' evaluation across three scenarios and two agents. Whether it holds across a wider range of agents, or against models with different architectures, is untested.
The next concrete event to watch: whether the paper undergoes peer review and whether the named vendors respond. The code is public, so independent researchers can attempt to reproduce the results. Until then, the VCG is a promising idea with provisional evidence behind it.
If this kind of work matters to you, subscribe to keep reading. We track the tools that find AI agent flaws and the ones that fix them.
Sources
- [S1] Agent Hacks Agent: Autoresearch for Production-Agent Red-Teaming — arXiv preprint (cs.CR, q-fin.GN) (attributed)
- [P2] Agent Hacks Agent: Autoresearch for Production-Agent Red-Teaming — Agent Hacks Agent: Autoresearch for Production-Agent Red-Teaming (attributed)
- [P3] tmlr-group/AgentHijack — tmlr-group/AgentHijack (attributed)
- [P4] henrymao2004/Auto-research-red-teaming — henrymao2004/Auto-research-red-teaming (attributed)
- [P5] agent-redteaming/redteam-core — agent-redteaming/redteam-core (attributed)
More from Not A Tech Guy
- FactorDiff routes diffusion experts by pixel on ARC-AGI
- AMT-X multi-turn red teaming hits 100% attack success on frontier LLMs
- Playful AI email tone lifts positivity in 16,880-email field study
Generated from an audited evidence pack with primary-source research. Social-media items are discussion signals, not verified facts. Nothing here is financial, legal or medical advice.