{
  "metadata": {
    "report_id": "TI-2026-M01",
    "year": 2026,
    "month": 1,
    "status": "final",
    "date_range": {
      "start": "2026-01-01",
      "end": "2026-01-31"
    },
    "data_through": "2026-01-31",
    "generated_at": "2026-02-01T00:00:00Z",
    "updated_at": "2026-02-01T00:00:00Z",
    "model_version": "gemma-5head-v3.2.1",
    "schema_version": "3.0.0",
    "tlp_level": "WHITE"
  },
  "summary": {
    "total_interactions": 74636,
    "total_threats": 28194,
    "detection_rate": 37.8,
    "high_confidence_rate": 92.8,
    "unique_deployments": 38,
    "classification_breakdown": {
      "high_threat": 26177,
      "threat": 1734,
      "likely_threat": 283
    },
    "latency": {
      "p50_ms": 45,
      "p95_ms": 200,
      "p99_ms": 412
    },
    "executive_stats": {
      "cybersecurity_related_pct": 74.8,
      "agent_capability_targeted_pct": 15.1
    }
  },
  "hero": {
    "tagline": "Protecting AI Agents in Production",
    "title_line_1": "Inaugural Threat Intelligence",
    "title_line_2": "Report for AI Systems",
    "subtitle": "Analysis of <strong class=\"ti-threat-count\">28,194 threat detections</strong> across <strong>74,636 agent interactions</strong> <span class=\"ti-urgency\">over a full 31 days of January data</span> establishes a comprehensive baseline of attack patterns targeting production AI systems, including the first observations of <strong>inter-agent attacks</strong> as an emerging category.",
    "urgency_text": "over a full 31 days of January data",
    "social_proof": {
      "interactions_label": "74K+ Interactions Protected",
      "threats_label": "28K+ Threats Detected"
    }
  },
  "executive_summary": {
    "bottom_line": "<strong>The AI threat landscape is real and measurable: more than one in three agent interactions triggers a threat detection.</strong> January's inaugural dataset of 74,636 interactions across 38 unique deployments revealed 28,194 threats with a 37.8% detection rate and 92.8% high-confidence classification. Data exfiltration dominates at 19.2%, followed by jailbreaks at 12.3% and RAG/context attacks at 10.0%. The most significant finding is the emergence of agent-targeting attacks, namely tool abuse (8.1%), goal hijacking (3.6%), and inter-agent attacks (3.4%), which collectively represent 15.1% of all threats despite agentic deployments comprising only a fraction of monitored systems. Cybersecurity-related threats account for 74.8% of all detections, confirming that LLM exploitation is overwhelmingly a security problem, not a content moderation problem.",
    "whats_new": [
      "<strong>Inter-agent attacks tracked for the first time</strong> at 3.4% of threats, representing a new category where attackers target communication channels between cooperating AI agents in multi-agent systems",
      "<strong>Tool/command abuse established at 8.1%</strong>, already showing an increasing trend as early agentic deployments expose tool-calling surfaces to adversarial manipulation",
      "<strong>RAG poisoning reached 10.0%</strong> as retrieval-augmented generation architectures become standard in production, creating a significant new attack surface for document injection and context manipulation"
    ],
    "top_vectors": [
      {
        "rank": 1,
        "name": "Data Exfiltration",
        "percentage": 19.2,
        "previous_percentage": null
      },
      {
        "rank": 2,
        "name": "Benign (FP Review)",
        "percentage": 16.7,
        "previous_percentage": null
      },
      {
        "rank": 3,
        "name": "Jailbreak",
        "percentage": 12.3,
        "previous_percentage": null
      }
    ],
    "recommended_actions": [
      "<strong>Protect system prompts:</strong> data exfiltration leads all families at 19.2% with system prompt extraction as the dominant technique",
      "<strong>Deploy layered jailbreak detection:</strong> jailbreaks at 12.3% have the highest confidence (96.3%), making confidence-based auto-blocking highly effective",
      "<strong>Secure RAG pipelines:</strong> context poisoning at 10.0% is targeting the retrieval layer. Validate all ingested documents before they enter the index",
      "<strong>Monitor agent tool calls:</strong> tool abuse at 8.1% is already trending upward and demands least-privilege enforcement on all tool-calling agents"
    ],
    "stats_bar": [
      { "value": "37.8%", "label": "Detection Rate" },
      { "value": "74.8%", "label": "Cybersecurity-Related" },
      { "value": "15.1%", "label": "Target Agent Capabilities" },
      { "value": "200ms", "label": "P95 Detection Latency" }
    ]
  },
  "key_findings": [
    {
      "rank": 1,
      "id": "exfiltration",
      "title": "Data Exfiltration Dominates",
      "headline_stat": "19.2%",
      "stat_label": "5,416 detections",
      "count": 5416,
      "description": "Leading threat family with 90.9% average confidence, primarily targeting system prompts and confidential context through extraction techniques and context window manipulation.",
      "link_text": "Explore this threat",
      "link_target": "threat-families",
      "link_highlight": "data_exfiltration",
      "is_featured": true,
      "icon": "upload"
    },
    {
      "rank": 2,
      "id": "jailbreak-confidence",
      "title": "Jailbreaks Show Clear Signatures",
      "headline_stat": "96.3%",
      "stat_label": "confidence score",
      "description": "Jailbreak detection confidence at 96.3% is the highest across all families, indicating well-established attack patterns with reliable detection signatures suitable for auto-blocking.",
      "link_text": "Explore this threat",
      "link_target": "threat-families",
      "link_highlight": "jailbreak",
      "icon": "shield-check"
    },
    {
      "rank": 3,
      "id": "agents",
      "title": "Agent Attacks Are Growing",
      "headline_stat": "15.1%",
      "stat_label": "combined",
      "description": "Combined tool abuse (8.1%), goal hijacking (3.6%), and inter-agent attacks (3.4%) already represent 15.1% of all threats, with goal hijacking and inter-agent attacks detected at 97%+ confidence, establishing a significant baseline for agent-targeting attacks.",
      "link_text": "Explore emerging threats",
      "link_target": "emerging-threats",
      "icon": "settings"
    },
    {
      "rank": 4,
      "id": "rag",
      "title": "RAG Poisoning Emerges",
      "headline_stat": "10.0%",
      "stat_label": "2,817 detections",
      "count": 2817,
      "description": "Context injection and retrieval manipulation attacks reached 10.0% with 93.4% average confidence as RAG architectures become standard in production deployments.",
      "link_text": "Explore this threat",
      "link_target": "threat-families",
      "link_highlight": "rag_or_context_attack",
      "icon": "document"
    },
    {
      "rank": 5,
      "id": "cybersecurity-harm",
      "title": "Cybersecurity Dominates Harm",
      "headline_stat": "74.8%",
      "stat_label": "of all harm categories",
      "description": "Three-quarters of all detected threats relate to cybersecurity objectives including malware generation, exploit development, and security bypass techniques, confirming LLM exploitation is primarily a security problem.",
      "link_text": "View harm analysis",
      "link_target": "harm-categories",
      "is_wide": true,
      "icon": "image"
    }
  ],
  "threat_families": [
    {
      "id": "data_exfiltration",
      "name": "Data Exfiltration",
      "count": 5416,
      "percentage": 19.2,
      "confidence": 90.9,
      "risk_level": "HIGH",
      "description": "Attempts to extract sensitive information from LLM systems, primarily targeting system prompts, training data hints, and user context.",
      "techniques": ["System prompt extraction", "Encoded extraction attempts", "Context window manipulation"],
      "mitigations": ["Implement system prompt protection layers", "Use prompt injection detection before processing", "Monitor for repeated extraction attempts across sessions"],
      "color": "#ff4d8d",
      "trend": "stable",
      "card_short_id": "exfiltration",
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "benign",
      "name": "Benign (FP Review)",
      "count": 4715,
      "percentage": 16.7,
      "confidence": 85.8,
      "risk_level": "LOW",
      "description": "Potential false positives where L1 rules triggered but L2 classification indicated likely benign content.",
      "techniques": ["Security research discussions", "Red team testing content", "Educational content"],
      "mitigations": ["Maintain FP review queues for continuous model improvement", "Allowlist known security research contexts", "Use multi-signal classification to reduce FP rate"],
      "color": "#4b5563",
      "trend": "stable",
      "card_short_id": "benign",
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "jailbreak",
      "name": "Jailbreak",
      "count": 3455,
      "percentage": 12.3,
      "confidence": 96.3,
      "risk_level": "HIGH",
      "description": "Attempts to bypass safety guidelines and content policies through various manipulation techniques.",
      "techniques": ["DAN variants", "Roleplay scenarios", "Hypothetical framing", "Authority impersonation"],
      "mitigations": ["Deploy multi-turn context analysis", "Use confidence-based blocking (>95%)", "Maintain updated jailbreak signature library"],
      "color": "#ffb347",
      "trend": "stable",
      "card_short_id": "jailbreak",
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "rag_or_context_attack",
      "name": "RAG/Context Attack",
      "count": 2817,
      "percentage": 10.0,
      "confidence": 93.4,
      "risk_level": "HIGH",
      "description": "Attacks targeting Retrieval-Augmented Generation systems through document poisoning and context manipulation.",
      "techniques": ["Document injection", "Context overflow", "Retrieval manipulation"],
      "mitigations": ["Scan all documents before ingestion", "Implement strict content sanitization", "Validate retrieval rankings against expected distributions"],
      "color": "#c471ed",
      "trend": "increasing",
      "card_short_id": "rag",
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "prompt_injection",
      "name": "Prompt Injection",
      "count": 2476,
      "percentage": 8.8,
      "confidence": 95.4,
      "risk_level": "HIGH",
      "description": "Classic prompt injection attacks attempting to override system instructions or manipulate model behavior.",
      "techniques": ["Direct override", "Delimiter injection", "Context confusion"],
      "mitigations": ["Input validation and sanitization", "Instruction hierarchy enforcement", "Clear delineation between system and user content"],
      "color": "#00d4ff",
      "trend": "stable",
      "card_short_id": "injection",
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "tool_or_command_abuse",
      "name": "Tool/Command Abuse",
      "count": 2287,
      "percentage": 8.1,
      "confidence": 86.5,
      "risk_level": "CRITICAL",
      "description": "Attacks targeting LLM tool-calling capabilities to execute unintended actions.",
      "techniques": ["Command injection", "Tool chaining", "Parameter manipulation"],
      "mitigations": ["Implement strict parameter validation and allowlists", "Use least-privilege tool access per session", "Monitor tool call sequences for escalation patterns"],
      "color": "#50e879",
      "trend": "increasing",
      "card_short_id": "tool",
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "encoding_or_obfuscation_attack",
      "name": "Encoding/Obfuscation",
      "count": 1979,
      "percentage": 7.0,
      "confidence": 95.5,
      "risk_level": "HIGH",
      "description": "Attacks using various encoding schemes to bypass detection.",
      "techniques": ["Base64", "ROT13", "Unicode manipulation", "Homoglyph substitution"],
      "mitigations": ["Decode all input variants before processing", "Implement multi-layer encoding detection", "Monitor for repeated encoding attempts"],
      "color": "#ffe14d",
      "trend": "stable",
      "card_short_id": "encoding",
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "privilege_escalation",
      "name": "Privilege Escalation",
      "count": 1099,
      "percentage": 3.9,
      "confidence": 96.0,
      "risk_level": "HIGH",
      "description": "Attempts to gain elevated access or capabilities beyond intended permissions.",
      "techniques": ["Mode switching", "Authority claims", "Permission bypass"],
      "mitigations": ["Enforce least-privilege per session", "Detect escalation patterns across tool call chains", "Require re-authentication for sensitive operations"],
      "color": "#ff73c0",
      "trend": "stable",
      "card_short_id": "escalation",
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "agent_goal_hijack",
      "name": "Agent Goal Hijack",
      "count": 1019,
      "percentage": 3.6,
      "confidence": 97.3,
      "risk_level": "CRITICAL",
      "description": "Attacks attempting to redirect an autonomous agent's objectives.",
      "techniques": ["Goal redefinition", "Priority manipulation", "Constraint removal"],
      "mitigations": ["Enforce immutable goal constraints at orchestration layer", "Validate agent objectives at each planning step", "Set maximum loop iterations and time bounds"],
      "color": "#00e5cc",
      "trend": "increasing",
      "card_short_id": "goal-hijack",
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "inter_agent_attack",
      "name": "Inter-Agent Attack",
      "count": 960,
      "percentage": 3.4,
      "confidence": 97.7,
      "risk_level": "CRITICAL",
      "description": "Attacks targeting multi-agent systems where one LLM communicates with another.",
      "techniques": ["Poisoned messages", "Agent impersonation", "Recursive propagation"],
      "mitigations": ["Validate and sanitize all inter-agent messages", "Implement per-agent identity certificates", "Reject outputs from unauthenticated agent identities"],
      "color": "#a78bfa",
      "trend": "new",
      "is_emerging": true,
      "card_short_id": "inter-agent",
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "other_security",
      "name": "Other",
      "count": 1971,
      "percentage": 6.9,
      "confidence": 89.2,
      "risk_level": "MEDIUM",
      "description": "Other miscellaneous threat patterns not falling into major categories.",
      "techniques": ["Various techniques"],
      "mitigations": [],
      "color": "#374151",
      "trend": "stable",
      "card_short_id": "other",
      "previous_percentage": null,
      "previous_count": null
    }
  ],
  "attack_techniques": [
    {
      "id": "instruction_override",
      "name": "Instruction Override",
      "count": 2727,
      "percentage": 9.7,
      "confidence": 95.6,
      "color": "rgba(155, 92, 255, 0.8)",
      "risk_level": "HIGH",
      "rank": 1
    },
    {
      "id": "tool_or_command_injection",
      "name": "Tool/Command Injection",
      "count": 2322,
      "percentage": 8.2,
      "confidence": 88.6,
      "color": "rgba(255, 107, 157, 0.8)",
      "risk_level": "CRITICAL",
      "rank": 2
    },
    {
      "id": "rag_poisoning_or_context_bias",
      "name": "RAG Poisoning",
      "count": 2272,
      "percentage": 8.1,
      "confidence": 93.3,
      "color": "rgba(196, 113, 237, 0.8)",
      "risk_level": "HIGH",
      "rank": 3
    },
    {
      "id": "system_prompt_or_config_extraction",
      "name": "System Prompt Extraction",
      "count": 2165,
      "percentage": 7.7,
      "confidence": 96.7,
      "color": "rgba(255, 107, 157, 0.8)",
      "risk_level": "HIGH",
      "rank": 4
    },
    {
      "id": "role_or_persona_manipulation",
      "name": "Role/Persona Manipulation",
      "count": 2002,
      "percentage": 7.1,
      "confidence": 90.8,
      "color": "rgba(255, 159, 64, 0.8)",
      "risk_level": "MEDIUM",
      "rank": 5
    },
    {
      "id": "encoding_or_obfuscation",
      "name": "Encoding/Obfuscation",
      "count": 1999,
      "percentage": 7.1,
      "confidence": 93.9,
      "color": "rgba(255, 217, 61, 0.8)",
      "risk_level": "HIGH",
      "rank": 6
    },
    {
      "id": "indirect_injection_via_content",
      "name": "Indirect Injection",
      "count": 1954,
      "percentage": 6.9,
      "confidence": 94.8,
      "color": "rgba(79, 172, 254, 0.8)",
      "risk_level": "HIGH",
      "rank": 7
    },
    {
      "id": "tool_abuse_or_unintended_action",
      "name": "Tool Abuse",
      "count": 1793,
      "percentage": 6.4,
      "confidence": 88.8,
      "color": "rgba(107, 207, 127, 0.8)",
      "risk_level": "CRITICAL",
      "rank": 8
    },
    {
      "id": "chain_of_thought_or_internal_state_leak",
      "name": "Chain-of-Thought Leak",
      "count": 1634,
      "percentage": 5.8,
      "confidence": 84.5,
      "color": "rgba(96, 165, 250, 0.8)",
      "risk_level": "MEDIUM",
      "rank": 9
    }
  ],
  "harm_categories": [
    {
      "id": "cybersecurity_or_malware",
      "name": "Cybersecurity / Malware",
      "count": 21083,
      "percentage": 74.8,
      "trend": "stable",
      "description": "Malware generation, exploit development, security bypass techniques, credential harvesting, and infrastructure attacks.",
      "is_primary": true,
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "violence_or_physical_harm",
      "name": "Violence / Physical Harm",
      "count": 1968,
      "percentage": 7.0,
      "trend": "increasing",
      "description": "Content related to physical violence, weapons instructions, and harm facilitation.",
      "is_primary": false,
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "hate_or_harassment",
      "name": "Hate / Harassment",
      "count": 1626,
      "percentage": 5.8,
      "trend": "stable",
      "description": "Targeted harassment, hate speech generation, and discriminatory content creation.",
      "is_primary": false,
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "privacy_or_pii",
      "name": "Privacy / PII",
      "count": 689,
      "percentage": 2.4,
      "trend": "stable",
      "description": "Attempts to extract, generate, or manipulate personally identifiable information.",
      "is_primary": false,
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "cbrn_or_weapons",
      "name": "CBRN / Weapons",
      "count": 412,
      "percentage": 1.5,
      "trend": "stable",
      "description": "Chemical, biological, radiological, nuclear, and weapons-related threat content.",
      "is_primary": false,
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "sexual_content",
      "name": "Sexual Content",
      "count": 392,
      "percentage": 1.4,
      "trend": "stable",
      "description": "Explicit sexual content generation and CSAM-adjacent material.",
      "is_primary": false,
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "misinformation_or_disinfo",
      "name": "Misinformation",
      "count": 165,
      "percentage": 0.6,
      "trend": "decreasing",
      "description": "Deliberate generation of false or misleading information at scale.",
      "is_primary": false,
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "crime_or_fraud",
      "name": "Crime / Fraud",
      "count": 107,
      "percentage": 0.4,
      "trend": "stable",
      "description": "Fraud facilitation, scam generation, and criminal planning assistance.",
      "is_primary": false,
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "self_harm_or_suicide",
      "name": "Self-Harm",
      "count": 72,
      "percentage": 0.3,
      "trend": "stable",
      "description": "Content promoting or providing instructions for self-harm or suicide.",
      "is_primary": false,
      "previous_percentage": null,
      "previous_count": null
    }
  ],
  "emerging_threats": [
    {
      "id": "inter_agent_attack",
      "name": "Inter-Agent Attacks",
      "is_new": true,
      "percentage": 3.4,
      "count": 960,
      "confidence": 97.7,
      "risk_level": "CRITICAL",
      "description": "Newly observed category targeting multi-agent systems where one LLM communicates with another. Attackers exploit trust relationships between cooperating agents to propagate malicious payloads across system boundaries.",
      "patterns": ["Poisoned messages between agents", "Agent impersonation", "Trust exploitation", "Recursive attack propagation"],
      "recommendation": "Treat all inter-agent messages as untrusted input. Implement identity verification and payload validation at every agent communication boundary.",
      "badge_text": "NEW CATEGORY",
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "agent_goal_hijack",
      "name": "Agent Goal Hijacking",
      "is_new": false,
      "percentage": 3.6,
      "count": 1019,
      "confidence": 97.3,
      "risk_level": "CRITICAL",
      "description": "Attacks attempting to redirect autonomous agent objectives. Early observations show attackers targeting goal definitions and priority structures in agent planning phases to redirect multi-step task execution.",
      "patterns": ["Goal redefinition through prompts", "Priority manipulation", "Constraint removal", "Objective substitution"],
      "recommendation": "Enforce immutable goal constraints at the orchestration layer. Log agent objectives at each step and alert on any deviation from the original task specification.",
      "badge_text": "CRITICAL",
      "previous_percentage": null,
      "previous_count": null
    },
    {
      "id": "tool_or_command_abuse",
      "name": "Tool/Command Abuse",
      "is_new": false,
      "percentage": 8.1,
      "count": 2287,
      "confidence": 86.5,
      "risk_level": "CRITICAL",
      "description": "Attacks targeting LLM tool-calling capabilities are already significant at 8.1% and trending upward. Early patterns show command injection in tool parameters and tool chaining for privilege escalation as attackers probe the expanding tool-calling surface.",
      "patterns": ["Command injection in tool parameters", "Tool chaining for privilege escalation", "Parameter manipulation", "Unintended tool invocation"],
      "recommendation": "Enforce strict allowlists for all tool capabilities. Validate every parameter against a schema before execution and implement least-privilege access per agent session.",
      "badge_text": "CRITICAL",
      "previous_percentage": null,
      "previous_count": null
    }
  ],
  "recommendations": {
    "audiences": [
      { "id": "developers", "label": "For AI Developers" },
      { "id": "security", "label": "For Security Teams" },
      { "id": "enterprise", "label": "For Enterprises" }
    ],
    "items": [
      {
        "audience_id": "developers",
        "rank": 1,
        "title": "Protect System Prompts and Context",
        "points": [
          "Data exfiltration leads all threats at 19.2%. Implement system prompt protection layers that prevent extraction through direct queries, encoded attempts, and context window manipulation",
          "Use dedicated prompt injection detection before processing any user input that could interact with system instructions or confidential context",
          "Monitor for multi-session extraction attempts where attackers build context incrementally across conversations"
        ]
      },
      {
        "audience_id": "developers",
        "rank": 2,
        "title": "Enforce Tool-Calling Guardrails",
        "points": [
          "Tool abuse already represents 8.1% of threats and is trending upward. Enforce strict allowlists for every tool an agent can invoke",
          "Validate all tool parameters against a schema before execution; reject calls with unexpected parameter shapes or values",
          "Implement least-privilege access per session: agents should start with minimal tool access and require explicit authorization for escalation"
        ]
      },
      {
        "audience_id": "developers",
        "rank": 3,
        "title": "Secure RAG Ingestion Pipelines",
        "points": [
          "RAG poisoning reached 10.0% in the first month of measurement. Scan all documents for injection payloads before they enter the retrieval index",
          "Validate retrieval rankings against expected score distributions; anomalous clustering can indicate injected documents designed to surface malicious content",
          "Implement strict content sanitization on retrieved context before it reaches the model; treat RAG outputs as untrusted input"
        ]
      },
      {
        "audience_id": "developers",
        "rank": 4,
        "title": "Implement Multi-Turn Conversation Analysis",
        "points": [
          "Many attack families rely on multi-turn strategies. Data exfiltration (19.2%) and jailbreak attempts (12.3%) frequently build across conversation turns",
          "Track conversation-level threat signals, not just per-message detection; escalating risk across turns should trigger alerts even if individual messages score low",
          "Implement session-level rate limiting on suspicious patterns: repeated encoding attempts, system prompt probes, or tool capability queries"
        ]
      },
      {
        "audience_id": "security",
        "rank": 1,
        "title": "Establish Threat Detection Baselines",
        "points": [
          "January establishes the first comprehensive baseline: 37.8% detection rate with 92.8% high-confidence classification across 38 deployments",
          "Data exfiltration (19.2%), jailbreak (12.3%), and RAG poisoning (10.0%) are the top three families. Prioritise detection rules for these vectors",
          "Agent-targeting attacks at 15.1% combined (tool abuse, goal hijacking, inter-agent) warrant dedicated monitoring even at this early stage"
        ]
      },
      {
        "audience_id": "security",
        "rank": 2,
        "title": "Deploy Confidence-Based Auto-Response",
        "points": [],
        "policy_table": [
          {
            "action": "AUTO-BLOCK",
            "level": "block",
            "threshold": ">95% confidence, covering jailbreak (96.3%), goal hijack (97.3%), inter-agent (97.7%), privilege escalation (96.0%)"
          },
          {
            "action": "FLAG FOR REVIEW",
            "level": "flag",
            "threshold": "88\u201395% confidence, catching RAG poisoning (93.4%), prompt injection (95.4%), encoding attacks (95.5%)"
          },
          {
            "action": "HUMAN REVIEW",
            "level": "review",
            "threshold": "<88% confidence, including tool abuse (86.5%), benign/FP (85.8%); prioritise for model tuning"
          }
        ]
      },
      {
        "audience_id": "security",
        "rank": 3,
        "title": "Monitor Agent Communication Boundaries",
        "points": [
          "Inter-agent attacks are a new category at 3.4% with 97.7% confidence. Establish monitoring on all agent-to-agent message exchanges",
          "Implement payload validation at every agent boundary; poisoned messages between agents can cascade across orchestration systems",
          "Create alert rules for agent impersonation attempts and unexpected trust chain traversals in multi-agent deployments"
        ]
      },
      {
        "audience_id": "security",
        "rank": 4,
        "title": "Track Encoding and Obfuscation Trends",
        "points": [
          "Encoding/obfuscation at 7.0% represents a meta-technique used to bypass detection across multiple attack families",
          "Ensure all detection layers decode input through multiple encoding schemes (Base64, ROT13, Unicode, homoglyphs) before classification",
          "Correlate encoding-wrapped payloads with their decoded intent; report on which attack families most frequently use obfuscation as a delivery mechanism"
        ]
      },
      {
        "audience_id": "enterprise",
        "rank": 1,
        "title": "Inventory and Classify AI Deployments",
        "points": [
          "With 37.8% of interactions triggering threat detections, every production AI deployment requires security monitoring, without exception",
          "Classify deployments by risk surface: agentic systems with tool access carry higher risk (15.1% agent-targeting attacks) than chat-only deployments",
          "Establish a deployment registry that tracks which AI systems have tool-calling, RAG, multi-agent, or multimodal capabilities"
        ]
      },
      {
        "audience_id": "enterprise",
        "rank": 2,
        "title": "Set January Baselines for Detection Metrics",
        "points": [],
        "baseline_table": [
          { "environment": "Security Testing", "rate": "30-50% threat rate (expected in adversarial testing environments)" },
          { "environment": "Production (Agentic)", "rate": "10-20% threat rate (higher due to tool-calling surface)" },
          { "environment": "Production (Chat/RAG)", "rate": "10-20% threat rate (standard for chat and RAG systems)" },
          { "environment": "Development", "rate": "0-5% threat rate (baseline for internal development use)" }
        ]
      },
      {
        "audience_id": "enterprise",
        "rank": 3,
        "title": "Budget for AI Security Infrastructure",
        "points": [
          "74.8% of detected threats are cybersecurity-related. AI security is a security problem requiring dedicated security budgets, not content moderation budgets",
          "Agent-targeting attacks at 15.1% establish a baseline that is expected to grow as agentic deployments scale. Plan for inter-agent authentication, tool-call monitoring, and goal integrity systems",
          "The potential false positive share at 16.7% (Benign/FP Review) indicates room for model improvement. Budget for ongoing model tuning and FP review infrastructure to reduce SOC analyst burden"
        ]
      }
    ]
  },
  "model_performance": {
    "overall_confidence": 93.9,
    "high_threat_precision": 96.5,
    "model_consistency": 87.7,
    "uncertain_prediction_rate": 2.7,
    "detection_layers": {
      "l1_pattern_based": {
        "name": "Pattern-Based Detection",
        "latency": "sub-millisecond",
        "pattern_count": 200,
        "description_items": [
          "Deterministic rule matching",
          "Sub-millisecond latency",
          "200 threat patterns"
        ]
      },
      "l2_ml_classification": {
        "name": "ML Classification",
        "model": "Gemma-based 5-head multilabel classifier",
        "confidence_threshold": 95,
        "description_items": [
          "Gemma-based 5-head classifier",
          "Voting ensemble with confidence",
          "Family, technique, harm classification"
        ]
      }
    },
    "framework_alignment": ["OWASP LLM Top 10 2025", "MITRE ATLAS"],
    "framework_badges": [
      {
        "name": "OWASP LLM Top 10",
        "description": "Aligned with OWASP LLM Top 10 2025",
        "url": "https://owasp.org/www-project-top-10-for-large-language-model-applications/"
      },
      {
        "name": "MITRE ATLAS",
        "description": "Mapped to MITRE ATLAS adversarial techniques",
        "url": "https://atlas.mitre.org/"
      }
    ]
  },
  "section_meta": {
    "executive_summary": {
      "number": "00",
      "title": "Executive Summary",
      "subtitle": "Key insights for security leaders and practitioners"
    },
    "key_findings": {
      "number": "01",
      "title": "Key Findings",
      "subtitle": "Critical insights from 74,636 interactions across 38 deployments in January 2026"
    },
    "threat_families": {
      "number": "02",
      "title": "Threat Family Distribution",
      "subtitle": "Click on any segment to explore detailed analysis"
    },
    "attack_techniques": {
      "number": "03",
      "title": "Attack Technique Frequency",
      "subtitle": "Instruction override and tool injection lead the technique rankings. Hover over bars for confidence scores and details"
    },
    "harm_categories": {
      "number": "04",
      "title": "Harm Category Analysis",
      "subtitle": "What attackers are trying to achieve with LLM exploitation"
    },
    "emerging_threats": {
      "number": "05",
      "title": "Emerging Threats",
      "subtitle": "New attack patterns targeting agentic AI systems"
    },
    "recommendations": {
      "number": "06",
      "title": "Recommendations",
      "subtitle": "Actionable guidance based on threat intelligence"
    },
    "methodology": {
      "number": "07",
      "title": "Methodology",
      "subtitle": "How RAXE detects and classifies threats"
    },
    "intelligence_services": {
      "number": "08",
      "title": "Enterprise Intelligence Services",
      "subtitle": "AI security consulting, threat intelligence, and agent runtime protection"
    }
  },
  "previous_month": null
}
