{
  "metadata": {
    "report_id": "TI-2026-M02",
    "year": 2026,
    "month": 2,
    "status": "final",
    "date_range": {
      "start": "2026-02-01",
      "end": "2026-02-28"
    },
    "data_through": "2026-02-28",
    "generated_at": "2026-02-01T00:00:00Z",
    "updated_at": "2026-03-02T01:02:59Z",
    "model_version": "gemma-5head-v3.2.1",
    "schema_version": "3.0.0",
    "tlp_level": "WHITE"
  },
  "summary": {
    "total_interactions": 91284,
    "total_threats": 35711,
    "detection_rate": 39.1,
    "high_confidence_rate": 93.4,
    "unique_deployments": 47,
    "classification_breakdown": {
      "high_threat": 33142,
      "threat": 2140,
      "likely_threat": 429
    },
    "latency": {
      "p50_ms": 42,
      "p95_ms": 189,
      "p99_ms": 398
    },
    "executive_stats": {
      "cybersecurity_related_pct": 71.3,
      "agent_capability_targeted_pct": 26.4
    }
  },
  "hero": {
    "tagline": "Agentic AI Under Siege in February",
    "title_line_1": "Agent Attack Surge:",
    "title_line_2": "One in Four Threats Now Targets AI Agents",
    "subtitle": "Analysis of <strong class=\"ti-threat-count\">35,711 threat detections</strong> across <strong>91,284 agent interactions</strong> <span class=\"ti-urgency\">through 28 days of February 2026</span> documents a structural shift in AI adversarial tactics. Tool abuse nearly doubled, goal hijacking doubled, and combined agent-targeting attacks reached <strong>26.4% of all threats</strong>.",
    "urgency_text": "across 28 days of February data",
    "social_proof": {
      "interactions_label": "91K+ Interactions Protected",
      "threats_label": "35K+ Threats Detected"
    }
  },
  "executive_summary": {
    "bottom_line": "<strong>Agent-targeting attacks now represent more than one in four threats, driven by a near-doubling of tool/command abuse from 8.1% to 14.5%.</strong> February's dataset of 91,284 interactions (a 22% volume increase over January's 74,636) produced 35,711 detections at a 39.1% detection rate, up from 37.8%. Across 47 deployments (vs. 38 in January), combined agent-targeting attacks (tool abuse 14.5%, goal hijacking 6.9%, inter-agent 5.0%) surged from 15.1% to 26.4% of all threats. Tool chain escalation displaced instruction override as the #1 technique at 11.7%. A new threat category, multimodal injection at 2.3% (821 detections), confirms that attackers are probing every input surface. Despite these escalations, model precision improved: the false positive proportion fell from 16.7% to 13.9%, and high-confidence classification held at 93.4%.",
    "whats_new": [
      "<strong>Tool abuse nearly doubled</strong> from 8.1% to 14.5% (+6.4 percentage points, 2,287 to 5,189 detections), becoming the month's dominant growth vector as attackers exploit the expanding tool-calling surface of agentic deployments through read-to-write-to-execute chain escalation.",
      "<strong>Agent goal hijacking doubled</strong> from 3.6% to 6.9% (1,019 to 2,467 detections), with planning-phase injection now the primary pattern. Attackers insert objectives during autonomous agent reasoning loops, a tactic absent from the January baseline.",
      "<strong>Multimodal injection tracked for the first time</strong> at 2.3% (821 detections), embedding prompt injections in images, PDFs, and document metadata to route around text-only detection layers targeting the growing population of multimodal agent deployments."
    ],
    "top_vectors": [
      {
        "rank": 1,
        "name": "Data Exfiltration",
        "percentage": 18.0,
        "previous_percentage": 19.2
      },
      {
        "rank": 2,
        "name": "Tool/Command Abuse",
        "percentage": 14.5,
        "previous_percentage": 8.1
      },
      {
        "rank": 3,
        "name": "Benign (FP Review)",
        "percentage": 13.9,
        "previous_percentage": 16.7
      }
    ],
    "recommended_actions": [
      "<strong>Action:</strong> Enforce least-privilege tool access immediately. Tool chain escalation is now the #1 attack technique at 11.7% (4,187 detections); require explicit re-authorization when an agent transitions from read to write or execute operations.",
      "<strong>Action:</strong> Add planning-phase integrity checks to all autonomous agent loops. Goal hijacking doubled to 6.9% by targeting the reasoning phase; log and diff agent objectives at every planning step against the original task specification.",
      "<strong>Action:</strong> Authenticate inter-agent communication channels. Inter-agent attack detections rose 86% month-over-month (960 to 1,783 at 97.9% confidence), driven primarily by poisoned tool outputs; require signed, verifiable payloads for all agent-to-agent message passing, and keep treating the signed content itself as untrusted input, since a hijacked agent signs its poisoned output legitimately.",
      "<strong>Action:</strong> Extend prompt injection scanning to all input modalities. Multimodal injection entered the threat landscape at 2.3% and is currently a blind spot for any text-only detection pipeline processing images, PDFs, or annotated documents."
    ],
    "stats_bar": [
      {
        "value": "39.1%",
        "label": "Detection Rate"
      },
      {
        "value": "71.3%",
        "label": "Cybersecurity-Related"
      },
      {
        "value": "26.4%",
        "label": "Target Agent Capabilities"
      },
      {
        "value": "<200ms",
        "label": "P95 Detection Latency"
      }
    ]
  },
  "key_findings": [
    {
      "rank": 1,
      "id": "tool-abuse",
      "title": "Tool Abuse Surges to #2",
      "headline_stat": "14.5%",
      "stat_label": "5,189 detections",
      "count": 5189,
      "description": "Tool/command abuse surged from 8.1% to 14.5% (+6.4pp), rising to the #2 threat family with 5,189 detections, the largest single-month percentage-point shift of any family. The dominant new pattern is tool chain escalation: attackers use a benign read operation to acquire context, then chain into write or execute operations, displacing instruction override as the #1 technique at 11.7%.",
      "link_text": "Explore this threat",
      "link_target": "threat-families",
      "link_highlight": "tool_or_command_abuse",
      "is_featured": true,
      "icon": "upload"
    },
    {
      "rank": 2,
      "id": "agents",
      "title": "Agent Attack Surface Expanding",
      "headline_stat": "26.4%",
      "stat_label": "combined",
      "description": "Combined agent-targeting attacks (tool abuse 14.5%, goal hijacking 6.9%, and inter-agent attacks 5.0%) grew from 15.1% to 26.4% of all threats in a single month. All three families carry a CRITICAL risk rating and each grew individually, indicating coordinated adversarial investment in the agentic attack surface rather than isolated experimentation.",
      "link_text": "Explore emerging threats",
      "link_target": "emerging-threats",
      "icon": "settings"
    },
    {
      "rank": 3,
      "id": "rag",
      "title": "RAG Poisoning Intensifies",
      "headline_stat": "12.0%",
      "stat_label": "4,302 detections",
      "count": 4302,
      "description": "RAG/context attacks grew from 10.0% to 12.0% (2,817 to 4,302 detections), with a material tactical shift: February saw metadata manipulation (targeting document titles, annotations, and author fields) replace direct content poisoning as the primary delivery mechanism, at 94.1% detection confidence.",
      "link_text": "Explore this threat",
      "link_target": "threat-families",
      "link_highlight": "rag_or_context_attack",
      "icon": "document"
    },
    {
      "rank": 4,
      "id": "multimodal",
      "title": "Multimodal Injection Emerges",
      "headline_stat": "2.3%",
      "stat_label": "821 detections",
      "count": 821,
      "description": "Multimodal injection was tracked as a new category for the first time this month at 2.3% (821 detections, 91.7% confidence). Instructions hidden in image metadata, PDF annotation layers, and OCR-triggering screenshots bypass text-only detection and target the growing population of multimodal agent deployments.",
      "link_text": "Explore this threat",
      "link_target": "emerging-threats",
      "link_highlight": "multimodal_injection",
      "icon": "image"
    },
    {
      "rank": 5,
      "id": "false-positive",
      "title": "False Positive Rate Improving",
      "headline_stat": "13.9%",
      "stat_label": "detection rate 39.1%",
      "description": "Model precision improved measurably: the false positive (benign) proportion fell from 16.7% to 13.9% as ongoing tuning reduces misclassification, while the overall detection rate increased from 37.8% to 39.1% and high-confidence classification held at 93.4% across 35,711 detections. P95 detection latency improved from 200ms to 189ms.",
      "link_text": "View detection metrics",
      "link_target": "threat-families",
      "link_highlight": "benign",
      "is_wide": true,
      "icon": "shield-check"
    }
  ],
  "threat_families": [
    {
      "id": "data_exfiltration",
      "name": "Data Exfiltration",
      "count": 6423,
      "percentage": 18.0,
      "confidence": 91.4,
      "risk_level": "HIGH",
      "description": "Data exfiltration remains the highest-volume threat family at 18.0% of all detections (6,423 events), though its proportional share declined slightly from January's 19.2% as faster-growing agentic attack categories consumed more share. February saw a tactical shift toward <strong>multi-turn extraction strategies</strong>. Attackers build partial context across several interactions rather than executing single-shot system prompt grabs, complicating session-scoped detection. Confidence held at 91.4%, reflecting well-established detection signatures for this family.",
      "techniques": [
        "System prompt extraction",
        "Multi-turn context building",
        "Encoded extraction attempts",
        "Context window manipulation"
      ],
      "mitigations": [
        "Extend monitoring to multi-session context: single-turn detection misses incremental extraction strategies that span conversations",
        "Apply system prompt isolation at the architecture layer, not just the prompt layer. Model outputs should never reflect verbatim system instructions",
        "Enforce rate limits and anomaly alerts on repeated context probing patterns within a session, particularly encoded variants",
        "Track context window manipulation attempts separately; flag interactions that systematically push prior context out of the active window"
      ],
      "color": "#ff4d8d",
      "trend": "stable",
      "card_short_id": "exfiltration",
      "previous_percentage": 19.2,
      "previous_count": 5416
    },
    {
      "id": "tool_or_command_abuse",
      "name": "Tool/Command Abuse",
      "count": 5189,
      "percentage": 14.5,
      "confidence": 88.1,
      "risk_level": "CRITICAL",
      "description": "Tool/command abuse surged from 8.1% to 14.5% (5,189 detections), nearly doubling month-over-month as agentic AI deployments scaled across 47 unique production environments. The dominant new pattern is <strong>tool chain escalation</strong>: attackers execute a benign read operation to gain context, then chain into write or execute operations. This technique accounted for 11.7% of all attack techniques in February, displacing instruction override as the #1 technique. Detection confidence of 88.1% is at the lower end across families, indicating this category remains actively evolving; it also sits below the >95% confidence threshold recommended for automated blocking, so dispositions here still warrant review.",
      "techniques": [
        "Tool chain escalation",
        "Parameter injection",
        "Capability probing",
        "Write-after-read chains"
      ],
      "mitigations": [
        "Enforce strict least-privilege allowlists per agent session. Agents should declare required tools at initialization and must not be able to escalate capabilities without re-authorization",
        "Require explicit re-authorization before any session transitions from read-only to write or execute operations",
        "Implement call-sequence analysis to detect read-to-write-to-execute chains; single-call heuristics miss multi-step escalation",
        "Validate all tool parameters against declared schemas before execution; parameter injection exploits insufficiently typed tool interfaces"
      ],
      "color": "#50e879",
      "trend": "increasing",
      "card_short_id": "tool",
      "previous_percentage": 8.1,
      "previous_count": 2287
    },
    {
      "id": "benign",
      "name": "Benign (FP Review)",
      "count": 4981,
      "percentage": 13.9,
      "confidence": 87.2,
      "risk_level": "LOW",
      "description": "The benign/false-positive category declined from 16.7% to 13.9% (4,981 events), reflecting measurable model precision gains from ongoing tuning. The residual false-positive volume is concentrated in security research and red-team contexts where legitimate threat discussion triggers detection. This is an inherent challenge for any high-sensitivity detection model operating in security-adjacent environments. Detection confidence improved to 87.2% from January's 85.8%, though this family still carries the lowest confidence floor of any non-trivial category.",
      "techniques": [
        "Security research discussions",
        "Red team testing content",
        "Penetration testing logs",
        "CTF challenge discussions"
      ],
      "mitigations": [
        "Maintain dedicated FP review queues; each reviewed false positive directly feeds model retraining cycles",
        "Allowlist verified security research contexts using environment-level tagging rather than prompt-level heuristics",
        "Use multi-signal classification combining L1 pattern match with L2 ML confidence before final disposition. Do not block solely on L1 pattern hits"
      ],
      "color": "#4b5563",
      "trend": "decreasing",
      "card_short_id": "benign",
      "previous_percentage": 16.7,
      "previous_count": 4715
    },
    {
      "id": "rag_or_context_attack",
      "name": "RAG/Context Attack",
      "count": 4302,
      "percentage": 12.0,
      "confidence": 94.1,
      "risk_level": "HIGH",
      "description": "RAG/context attacks grew from 10.0% to 12.0% (4,302 detections), continuing an accelerating trend that correlates with broader production adoption of retrieval-augmented architectures. A notable tactical shift emerged this month: attackers are increasingly targeting <strong>document metadata</strong> (titles, authors, annotation fields) rather than content bodies directly, likely because metadata fields receive less stringent sanitization in most ingestion pipelines. Detection confidence reached 94.1%, suggesting attack patterns are stabilizing into recognizable signatures.",
      "techniques": [
        "Document injection",
        "Metadata manipulation",
        "Retrieval ranking abuse",
        "Context overflow flooding"
      ],
      "mitigations": [
        "Sanitize document metadata fields (titles, authors, description, annotations) as rigorously as content bodies. Metadata manipulation is now the primary injection vector",
        "Implement content hashing and provenance tracking for all indexed documents to detect post-ingestion tampering",
        "Validate retrieval score distributions; injected documents engineered to rank highly produce anomalous clustering in top-k results",
        "Maintain separate context windows for user-supplied input and retrieved content; cross-contamination enables context overflow attacks"
      ],
      "color": "#c471ed",
      "trend": "increasing",
      "card_short_id": "rag",
      "previous_percentage": 10.0,
      "previous_count": 2817
    },
    {
      "id": "jailbreak",
      "name": "Jailbreak",
      "count": 3927,
      "percentage": 11.0,
      "confidence": 96.8,
      "risk_level": "HIGH",
      "description": "Jailbreak volume declined proportionally from 12.3% to 11.0% (3,927 detections) while detection confidence rose to 96.8%, third-highest across all threat families behind inter-agent (97.9%) and agent goal hijack (97.5%). New variants in February focused on <strong>multilingual script mixing</strong>, embedding instructions in non-Latin scripts to bypass English-centric safety filters, and on structured roleplay scenarios that establish fictional framings before introducing policy-violating content. The high confidence score and declining share indicate that known jailbreak patterns are well-characterised and increasingly displaced by harder-to-detect agentic techniques.",
      "techniques": [
        "DAN variants",
        "Multilingual script mixing",
        "Roleplay scenarios",
        "Hypothetical academic framing"
      ],
      "mitigations": [
        "Enable confidence-based auto-blocking on per-detection scores above a 95% threshold. Jailbreak's 96.8% family-level confidence makes this family well-suited for automated response without human review, but route blocked events to the FP review queue so that misfires in security-research contexts still feed retraining",
        "Extend safety filter coverage to non-Latin scripts and mixed-script inputs; multilingual obfuscation is the active evasion frontier",
        "Analyse multi-turn conversation arcs, not just individual messages; roleplay-based jailbreaks require sequential setup before the policy-violating payload"
      ],
      "color": "#ffb347",
      "trend": "stable",
      "card_short_id": "jailbreak",
      "previous_percentage": 12.3,
      "previous_count": 3455
    },
    {
      "id": "prompt_injection",
      "name": "Prompt Injection",
      "count": 2891,
      "percentage": 8.1,
      "confidence": 95.9,
      "risk_level": "HIGH",
      "description": "Prompt injection held relatively stable at 8.1% (2,891 detections), down marginally from January's 8.8%, with detection confidence at 95.9%. February's distinguishing pattern was a rise in <strong>indirect injection via user-uploaded documents and images</strong> in multimodal deployments, overlapping with the newly tracked multimodal injection category. The family's near-stability contrasts with the sharp growth in agentic attack families, suggesting adversaries are reorienting effort from direct instruction overrides toward higher-yield agent-targeting techniques.",
      "techniques": [
        "Direct override",
        "Indirect injection via documents",
        "Image-embedded instructions",
        "Delimiter injection"
      ],
      "mitigations": [
        "Apply prompt injection scanning to all input modalities. Indirect injection via documents and images bypasses text-only detection pipelines",
        "Enforce strict instruction hierarchy: system instructions must be architecturally isolated from user-supplied content, not just logically separated in the prompt",
        "Scan OCR output, extracted PDF text, and image metadata through the same classification pipeline as raw text inputs"
      ],
      "color": "#00d4ff",
      "trend": "stable",
      "card_short_id": "injection",
      "previous_percentage": 8.8,
      "previous_count": 2476
    },
    {
      "id": "agent_goal_hijack",
      "name": "Agent Goal Hijack",
      "count": 2467,
      "percentage": 6.9,
      "confidence": 97.5,
      "risk_level": "CRITICAL",
      "description": "Agent goal hijacking nearly doubled in share from 3.6% to 6.9% (1,019 to 2,467 detections, a 2.4x rise in absolute volume), one of the sharpest month-over-month growth rates in the dataset. The dominant new attack pattern is <strong>planning-phase injection</strong>: adversaries insert objectives during the reasoning step of autonomous agent loops, after the original goal has been accepted but before execution begins. This is a timing window that most current orchestration frameworks leave unguarded. Detection confidence reached 97.5%, second-highest across all families, indicating the classifier is keeping pace with adversary innovation despite the volume surge.",
      "techniques": [
        "Goal injection during planning",
        "Priority manipulation",
        "Constraint removal",
        "Objective substitution via tool output"
      ],
      "mitigations": [
        "Validate agent objectives at <em>every</em> planning step, not only at initialization. Planning-phase injection targets the interval between goal acceptance and execution",
        "Insert cryptographic goal integrity checks between reasoning steps: hash the original task specification at acceptance, hold the hash outside the agent's mutable state, and compare against the active objective at each loop iteration. An unchanged hash only proves the stored specification was not altered, so pair it with per-step validation of the active objective against that specification to catch semantic drift in the plan itself",
        "Set maximum loop iterations and wall-clock time bounds; terminate and alert when an agent's objective graph deviates from the initialized specification",
        "Treat tool outputs as a goal-injection vector; objective substitution via manipulated tool results is an active sub-technique"
      ],
      "color": "#00e5cc",
      "trend": "increasing",
      "card_short_id": "goal-hijack",
      "previous_percentage": 3.6,
      "previous_count": 1019
    },
    {
      "id": "encoding_or_obfuscation_attack",
      "name": "Encoding/Obfuscation",
      "count": 2104,
      "percentage": 5.9,
      "confidence": 95.8,
      "risk_level": "HIGH",
      "description": "Encoding/obfuscation attacks declined proportionally from 7.0% to 5.9% (2,104 detections) while growing in absolute volume from 1,979 events, a pattern consistent with other families being outpaced by faster-growing agentic categories. Sophistication increased this month with more frequent use of <strong>multi-layer encoding stacks</strong> (e.g., base64 inside ROT13 inside URL encoding) and Unicode confusable characters that survive normalisation passes applied by single-layer decoders. Detection confidence remained high at 95.8%, reflecting mature detection signatures for most encoding variants.",
      "techniques": [
        "Multi-layer encoding",
        "Unicode confusables",
        "Homoglyph substitution",
        "Steganographic embedding"
      ],
      "mitigations": [
        "Decode inputs through all common encoding schemes iteratively, to a bounded depth, before classification. Single-pass decoders miss nested multi-layer stacks, while unbounded recursive decoding is itself a resource-exhaustion risk",
        "Apply Unicode normalisation (NFKC) before any downstream processing to collapse compatibility forms (fullwidth, ligature, and similar variants). NFKC does not merge cross-script homoglyphs such as look-alike Cyrillic and Latin letters, so pair it with a confusable-skeleton mapping (UTS #39) for homoglyph coverage",
        "Correlate encoding attempts with their decoded payloads for family attribution; obfuscation is a delivery mechanism, not an end goal, and the decoded intent determines the correct family classification"
      ],
      "color": "#ffe14d",
      "trend": "stable",
      "card_short_id": "encoding",
      "previous_percentage": 7.0,
      "previous_count": 1979
    },
    {
      "id": "inter_agent_attack",
      "name": "Inter-Agent Attack",
      "count": 1783,
      "percentage": 5.0,
      "confidence": 97.9,
      "risk_level": "CRITICAL",
      "description": "Inter-agent attacks accelerated from 3.4% to 5.0% (1,783 detections), a 47% increase in share representing an 86% rise in absolute volume from 960 to 1,783 events. The primary attack vector is <strong>poisoned tool outputs</strong>: malicious payloads are injected into the structured JSON responses that orchestrating agents pass to downstream workers, exploiting the implicit trust most multi-agent systems place in internal handoffs. Detection confidence of 97.9% is the highest across all families, enabling reliable automated response, but the attack surface is expanding faster than deployment-side controls are being added.",
      "techniques": [
        "Poisoned tool outputs",
        "Agent impersonation",
        "Trust chain exploitation",
        "Recursive attack propagation"
      ],
      "mitigations": [
        "Treat all inter-agent messages as untrusted input regardless of source agent trust level. Trust chain exploitation is an active sub-technique",
        "Implement per-agent identity certificates with signed, verifiable payloads for all agent-to-agent communication. Signatures establish which agent produced a message, not that its content is safe: a hijacked agent signs its poisoned output legitimately, so signing complements rather than replaces treating the payload as untrusted input",
        "Validate and sanitize structured tool output fields (not just string values) before passing to downstream agents; JSON schema validation is the minimum viable control",
        "Monitor for recursive payload propagation signatures; a single poisoned output can cascade across agent boundaries in orchestration systems"
      ],
      "color": "#a78bfa",
      "trend": "increasing",
      "is_emerging": true,
      "card_short_id": "inter-agent",
      "previous_percentage": 3.4,
      "previous_count": 960
    },
    {
      "id": "privilege_escalation",
      "name": "Privilege Escalation",
      "count": 1287,
      "percentage": 3.6,
      "confidence": 96.2,
      "risk_level": "HIGH",
      "description": "Privilege escalation held steady at 3.6% (1,287 detections), down marginally from January's 3.9%, with detection confidence at 96.2%. February's notable pattern was an increase in <strong>compound attacks</strong> pairing privilege escalation with tool abuse: initial access is obtained through one tool, then escalated through a second. This sequenced pattern evades detection systems that analyse each tool call in isolation. This family's stability in share while tool abuse surged suggests that privilege escalation is increasingly a second-stage technique rather than a standalone attack.",
      "techniques": [
        "Mode switching",
        "Authority claims",
        "Tool-chained escalation",
        "Permission boundary testing"
      ],
      "mitigations": [
        "Enforce least-privilege per session at the session boundary, not per-tool. Tool-chained escalation exploits cumulative permissions across a session",
        "Analyse tool call sequences cross-tool for escalation patterns; single-call inspection misses multi-tool compound attacks",
        "Require explicit re-authentication or human-in-the-loop authorization before sensitive operations, particularly write or delete actions"
      ],
      "color": "#ff73c0",
      "trend": "stable",
      "card_short_id": "escalation",
      "previous_percentage": 3.9,
      "previous_count": 1099
    },
    {
      "id": "other_security",
      "name": "Other",
      "count": 357,
      "percentage": 1.0,
      "confidence": 88.7,
      "risk_level": "MEDIUM",
      "description": "The residual 'Other' category shrank from 6.9% to 1.0% (357 detections), reflecting improved classifier coverage that moved previously uncategorised threats into defined families. The decline is a positive model precision signal. It indicates new attack patterns are being characterised and assigned to specific families rather than accumulating in the catch-all bucket.",
      "techniques": [
        "Various techniques"
      ],
      "mitigations": [
        "Review residual 'Other' detections for emerging pattern clusters that may warrant a new family classification",
        "Use 'Other' volume as an early-warning signal: a rising residual bucket historically precedes the formalization of a new attack family"
      ],
      "color": "#374151",
      "trend": "decreasing",
      "card_short_id": "other",
      "previous_percentage": 6.9,
      "previous_count": 1971
    }
  ],
  "attack_techniques": [
    {
      "id": "tool_chain_escalation",
      "name": "Tool Chain Escalation",
      "count": 4187,
      "percentage": 11.7,
      "confidence": 89.3,
      "color": "rgba(107, 207, 127, 0.8)",
      "risk_level": "CRITICAL",
      "rank": 1
    },
    {
      "id": "instruction_override",
      "name": "Instruction Override",
      "count": 3214,
      "percentage": 9.0,
      "confidence": 96.1,
      "color": "rgba(155, 92, 255, 0.8)",
      "risk_level": "HIGH",
      "rank": 2
    },
    {
      "id": "rag_poisoning_or_context_bias",
      "name": "RAG Poisoning",
      "count": 3089,
      "percentage": 8.7,
      "confidence": 94.0,
      "color": "rgba(196, 113, 237, 0.8)",
      "risk_level": "HIGH",
      "rank": 3
    },
    {
      "id": "system_prompt_or_config_extraction",
      "name": "System Prompt Extraction",
      "count": 2756,
      "percentage": 7.7,
      "confidence": 96.9,
      "color": "rgba(255, 107, 157, 0.8)",
      "risk_level": "HIGH",
      "rank": 4
    },
    {
      "id": "indirect_injection_via_content",
      "name": "Indirect Injection",
      "count": 2634,
      "percentage": 7.4,
      "confidence": 95.2,
      "color": "rgba(79, 172, 254, 0.8)",
      "risk_level": "HIGH",
      "rank": 5
    },
    {
      "id": "agent_goal_injection",
      "name": "Agent Goal Injection",
      "count": 2401,
      "percentage": 6.7,
      "confidence": 97.4,
      "color": "rgba(0, 229, 204, 0.8)",
      "risk_level": "CRITICAL",
      "rank": 6
    },
    {
      "id": "role_or_persona_manipulation",
      "name": "Role/Persona Manipulation",
      "count": 2187,
      "percentage": 6.1,
      "confidence": 91.3,
      "color": "rgba(255, 159, 64, 0.8)",
      "risk_level": "MEDIUM",
      "rank": 7
    },
    {
      "id": "encoding_or_obfuscation",
      "name": "Encoding/Obfuscation",
      "count": 2098,
      "percentage": 5.9,
      "confidence": 94.2,
      "color": "rgba(255, 217, 61, 0.8)",
      "risk_level": "HIGH",
      "rank": 8
    },
    {
      "id": "poisoned_tool_output",
      "name": "Poisoned Tool Output",
      "count": 1845,
      "percentage": 5.2,
      "confidence": 97.8,
      "color": "rgba(167, 139, 250, 0.8)",
      "risk_level": "CRITICAL",
      "rank": 9
    }
  ],
  "harm_categories": [
    {
      "id": "cybersecurity_or_malware",
      "name": "Cybersecurity / Malware",
      "count": 25462,
      "percentage": 71.3,
      "trend": "stable",
      "description": "Cybersecurity and malware objectives (malware generation, exploit development, credential harvesting, and security bypass techniques) dominate at 71.3% (25,462 detections), declining proportionally from January's 74.8% as agent-targeting attacks consumed greater share, though absolute volume grew by more than 4,300 events month-over-month.",
      "is_primary": true,
      "previous_percentage": 74.8,
      "previous_count": 21083
    },
    {
      "id": "violence_or_physical_harm",
      "name": "Violence / Physical Harm",
      "count": 2856,
      "percentage": 8.0,
      "trend": "increasing",
      "description": "Violence and physical harm content (weapons instructions, harm facilitation, and violence-enabling material) rose from 7.0% to 8.0% (2,856 detections), representing the category's second consecutive month of growth and its highest recorded share.",
      "is_primary": false,
      "previous_percentage": 7.0,
      "previous_count": 1968
    },
    {
      "id": "hate_or_harassment",
      "name": "Hate / Harassment",
      "count": 2142,
      "percentage": 6.0,
      "trend": "stable",
      "description": "Hate speech and targeted harassment generation held near-stable at 6.0% (2,142 detections), up marginally from January's 5.8%, consistent with a persistent baseline of content policy abuse attempts across production deployments.",
      "is_primary": false,
      "previous_percentage": 5.8,
      "previous_count": 1626
    },
    {
      "id": "privacy_or_pii",
      "name": "Privacy / PII",
      "count": 1178,
      "percentage": 3.3,
      "trend": "increasing",
      "description": "Privacy and PII-targeted attacks grew from 2.4% to 3.3% (1,178 detections), the largest proportional increase among non-cybersecurity harm categories this month, reflecting increased attempts to extract or synthesize personally identifiable information through LLM interfaces.",
      "is_primary": false,
      "previous_percentage": 2.4,
      "previous_count": 689
    },
    {
      "id": "cbrn_or_weapons",
      "name": "CBRN / Weapons",
      "count": 571,
      "percentage": 1.6,
      "trend": "stable",
      "description": "Chemical, biological, radiological, nuclear, and conventional weapons content held effectively flat at 1.6% (571 detections) versus January's 1.5%, maintaining a stable low-volume presence that nonetheless warrants zero-tolerance blocking given severity of potential harm.",
      "is_primary": false,
      "previous_percentage": 1.5,
      "previous_count": 412
    },
    {
      "id": "sexual_content",
      "name": "Sexual Content",
      "count": 464,
      "percentage": 1.3,
      "trend": "stable",
      "description": "Explicit sexual content and CSAM-adjacent material declined marginally from 1.4% to 1.3% (464 detections), remaining stable and consistent with established baselines across comparable AI deployment environments.",
      "is_primary": false,
      "previous_percentage": 1.4,
      "previous_count": 392
    },
    {
      "id": "misinformation_or_disinfo",
      "name": "Misinformation",
      "count": 214,
      "percentage": 0.6,
      "trend": "stable",
      "description": "Deliberate misinformation and large-scale disinformation generation held flat at 0.6% (214 detections), unchanged from January's proportional share, indicating a stable but persistent low-level presence of coordinated false narrative generation attempts.",
      "is_primary": false,
      "previous_percentage": 0.6,
      "previous_count": 165
    },
    {
      "id": "crime_or_fraud",
      "name": "Crime / Fraud",
      "count": 178,
      "percentage": 0.5,
      "trend": "increasing",
      "description": "Crime and fraud facilitation (scam generation, fraud planning, and criminal assistance) ticked up from 0.4% to 0.5% (178 detections), continuing a modest upward trend as attackers explore LLMs for financial crime enablement.",
      "is_primary": false,
      "previous_percentage": 0.4,
      "previous_count": 107
    },
    {
      "id": "self_harm_or_suicide",
      "name": "Self-Harm",
      "count": 75,
      "percentage": 0.2,
      "trend": "stable",
      "description": "Self-harm and suicide-related content declined from 0.3% to 0.2% (75 detections), remaining the lowest-volume harm category and reflecting the effectiveness of established safety filters for this content type.",
      "is_primary": false,
      "previous_percentage": 0.3,
      "previous_count": 72
    }
  ],
  "emerging_threats": [
    {
      "id": "inter_agent_attack",
      "name": "Inter-Agent Attacks",
      "is_new": false,
      "percentage": 5.0,
      "count": 1783,
      "confidence": 97.9,
      "risk_level": "CRITICAL",
      "description": "Inter-agent attacks accelerated from 3.4% in January to 5.0% in February, an 86% increase in raw detections (960 to 1,783) in a single month, with detection confidence at 97.9%, the highest of any agent-targeting family. The dominant pattern is poisoned tool outputs: attackers inject malicious payloads into the structured responses that one agent returns to another, exploiting the implicit trust that orchestration systems extend to upstream agents. Trust chain exploitation and agent impersonation are also active, enabling payloads to propagate recursively across agent boundaries before any single agent triggers a block. As multi-agent deployments scale across the 47 unique deployments in this dataset (up from 38 in January), the attack surface grows non-linearly with each new agent boundary introduced.",
      "patterns": [
        "Poisoned tool outputs between agents",
        "Agent identity spoofing",
        "Trust chain exploitation in orchestration layers",
        "Recursive payload propagation across agent boundaries"
      ],
      "recommendation": "Treat every inter-agent message as untrusted input regardless of source agent identity. Validate and sanitise structured tool outputs at each boundary. Deploy per-agent identity certificates and reject payloads from unauthenticated agent identities.",
      "badge_text": "CRITICAL",
      "previous_percentage": 3.4,
      "previous_count": 960
    },
    {
      "id": "agent_goal_hijack",
      "name": "Agent Goal Hijacking",
      "is_new": false,
      "percentage": 6.9,
      "count": 2467,
      "confidence": 97.5,
      "risk_level": "CRITICAL",
      "description": "Agent goal hijacking nearly doubled from 3.6% in January to 6.9% in February, with detections rising from 1,019 to 2,467 against a backdrop of rapid autonomous agent deployment growth. Detection confidence held at 97.5%, indicating attackers have not yet found reliable evasion against current classification. The shift from January is qualitative as well as quantitative: planning-phase injection emerged as the dominant pattern, where adversaries craft tool outputs or context injections that redirect the agent&rsquo;s objective graph <em>during</em> multi-step execution rather than at initialization. This vector bypasses goal validation checks that are applied only at task start. The agent goal injection technique ranked 6th across all techniques at 6.7% (2,401 detections), confirming planning-phase manipulation as structurally distinct from prompt injection.",
      "patterns": [
        "Goal injection during multi-step planning",
        "Priority manipulation via crafted context",
        "Constraint removal through authority claims",
        "Objective substitution via manipulated tool results"
      ],
      "recommendation": "Enforce immutable goal constraints at the orchestration layer and validate agent objectives at <strong>every</strong> planning step, not just initialization. Diff current objectives against the original task specification and terminate execution on any deviation. Set maximum loop iterations and time bounds to limit blast radius.",
      "badge_text": "CRITICAL",
      "previous_percentage": 3.6,
      "previous_count": 1019
    },
    {
      "id": "tool_or_command_abuse",
      "name": "Tool/Command Abuse",
      "is_new": false,
      "percentage": 14.5,
      "count": 5189,
      "confidence": 88.1,
      "risk_level": "CRITICAL",
      "description": "Tool and command abuse surged +6.4 percentage points from 8.1% to 14.5%, the largest month-over-month gain of any family, with raw detections rising from 2,287 to 5,189 as agentic deployments with tool-calling capabilities expanded from 38 to 47 unique deployments. The defining new pattern is tool chain escalation, which ranked #1 across all attack techniques at 11.7% (4,187 detections): attackers issue a benign read operation to map available capabilities and gain context, then chain into write or execute operations within the same session to achieve privilege escalation. Detection confidence at 88.1% is the lowest of the three CRITICAL-rated agent families, reflecting the inherent difficulty of distinguishing malicious chaining from legitimate multi-step tool use and making this family the most operationally challenging to auto-block without false positive risk.",
      "patterns": [
        "Tool chain escalation (read \u2192 write \u2192 execute)",
        "Parameter injection in structured tool calls",
        "Capability probing to map available tools",
        "Write-after-read privilege escalation"
      ],
      "recommendation": "Enforce least-privilege tool access and require explicit re-authorization when an agent session transitions from read-only to write or execute operations. Tool chain escalation is now the single most frequent attack technique across all families. Implement call-sequence analysis to flag read-write-execute chains within a session window.",
      "badge_text": "CRITICAL",
      "previous_percentage": 8.1,
      "previous_count": 2287
    },
    {
      "id": "multimodal_injection",
      "name": "Multimodal Injection",
      "is_new": true,
      "percentage": 2.3,
      "count": 821,
      "confidence": 91.7,
      "risk_level": "HIGH",
      "description": "Multimodal injection is a newly tracked category in February, accounting for 2.3% of detections (821 instances) with 91.7% detection confidence, a strong initial signal given no prior baseline exists. Attackers embed prompt injection payloads in non-text modalities (image EXIF metadata, OCR-triggering text in screenshots, PDF annotation layers, and steganographic embedding) specifically to bypass text-only detection pipelines that inspect raw input but do not process extracted image or document content. The emergence of this category correlates with the growth of multimodal agent deployments and mirrors the trajectory of indirect injection via content (7.4%, ranked 5th among techniques), which rose as document-processing use cases expanded. At 821 detections in a partial-month dataset, the category is establishing a meaningful foothold.",
      "patterns": [
        "Instructions hidden in image metadata",
        "OCR-triggering text in screenshots",
        "PDF annotation injection",
        "Steganographic prompt embedding"
      ],
      "recommendation": "Extend prompt injection scanning to all input modalities. OCR output, image metadata, and PDF annotation layers must pass through the same detection pipeline as raw text. Strip EXIF data and embedded annotation layers before passing documents to vision or multimodal models.",
      "badge_text": "NEW CATEGORY",
      "previous_percentage": null,
      "previous_count": null
    }
  ],
  "recommendations": {
    "audiences": [
      {
        "id": "developers",
        "label": "For AI Developers"
      },
      {
        "id": "security",
        "label": "For Security Teams"
      },
      {
        "id": "enterprise",
        "label": "For Enterprises"
      }
    ],
    "items": [
      {
        "audience_id": "developers",
        "rank": 1,
        "title": "Lock Down Tool-Calling Pipelines",
        "points": [
          "Tool abuse surged to 14.5% (+6.4pp month-over-month). Enforce strict allowlists for every tool an agent can invoke and validate all parameters against a typed schema before execution",
          "Tool chain escalation is now the <strong>#1 attack technique across all families at 11.7%</strong> (4,187 detections). Require explicit re-authorization when a session transitions from read to write or execute operations",
          "Implement call-rate limits and sequence analysis to detect capability probing patterns: attackers issue benign read calls first to map available tools before escalating",
          "Monitor write-after-read chains within a single session window. This pattern accounts for the majority of the 5,189 tool abuse detections this month"
        ]
      },
      {
        "audience_id": "developers",
        "rank": 2,
        "title": "Add Agent Loop Guardrails",
        "points": [
          "Agent goal hijacking nearly doubled to 6.9% (2,467 detections). Validate agent objectives at <strong>every planning step</strong>, not just at task initialization",
          "Inject integrity checks between reasoning steps that diff current goals against the original task specification; terminate and alert on any divergence",
          "Set maximum loop iterations and wall-clock time bounds: autonomous agents without these controls provide attackers unlimited time to attempt objective substitution",
          "The agent goal injection technique ranked 6th across all techniques at 6.7%. Treat manipulated tool results returning new objectives as a first-class threat vector"
        ]
      },
      {
        "audience_id": "developers",
        "rank": 3,
        "title": "Harden RAG Pipelines Against Metadata Attacks",
        "points": [
          "RAG/context attacks grew from 10.0% to 12.0% (4,302 detections) with a notable shift toward metadata manipulation. Sanitise document titles, author fields, and annotation layers as rigorously as body content",
          "Validate retrieval rankings against expected score distributions; anomalous clustering can indicate injected documents designed to surface malicious context",
          "Implement content hashing and provenance tracking for all documents entering the retrieval index. RAG poisoning at 8.7% (3,089 detections) is the third-highest ranked attack technique",
          "Maintain separate context windows for user input and retrieved content to limit blast radius when a poisoned document enters the pipeline"
        ]
      },
      {
        "audience_id": "developers",
        "rank": 4,
        "title": "Defend All Input Modalities",
        "points": [
          "Multimodal injection emerged at 2.3% (821 detections). Apply prompt injection scanning to OCR output, image EXIF metadata, and PDF annotation layers, not just raw text inputs",
          "Strip or sanitise embedded scripts, EXIF fields, and annotation layers before passing documents to vision or multimodal models. These channels are invisible to text-only detection",
          "Treat every modality as an untrusted input channel; indirect injection via content ranked 5th across all techniques at 7.4% (2,634 detections), confirming document-borne delivery is now standard adversary tradecraft",
          "Correlate multimodal detections with text-based signals. Compound attacks increasingly embed instructions across multiple modalities to evade single-channel classifiers"
        ]
      },
      {
        "audience_id": "security",
        "rank": 1,
        "title": "Reprioritise Rules for the Agent Attack Surface",
        "points": [
          "Combined agent-targeting threats (tool abuse 14.5%, goal hijacking 6.9%, inter-agent 5.0%) now represent <strong>26.4% of all detections</strong>, up sharply from 15.1% in January; agent-focused detection rules must be tier-1 priority",
          "Tool chain escalation displaced instruction override as the #1 technique at 11.7% (4,187 detections). Update detection rules to flag read-to-write-to-execute sequences within a session",
          "Poisoned tool outputs between agents ranked 9th across all techniques at 5.2% (1,845 detections) with 97.8% confidence. Treat every inter-agent tool result as a high-confidence alert trigger",
          "Inter-agent attacks accelerated 86% in raw volume (960 to 1,783) with 97.9% confidence. Alert on all inter-agent communication boundary crossings in multi-agent orchestration systems"
        ]
      },
      {
        "audience_id": "security",
        "rank": 2,
        "title": "Tune Confidence-Based Policies",
        "points": [],
        "policy_table": [
          {
            "action": "AUTO-BLOCK",
            "level": "block",
            "threshold": ">95% confidence. Covers inter-agent (97.9%), goal hijack (97.5%), jailbreak (96.8%), privilege escalation (96.2%), prompt injection (95.9%), encoding/obfuscation (95.8%)"
          },
          {
            "action": "FLAG FOR REVIEW",
            "level": "flag",
            "threshold": "88-95% confidence. Catches RAG/context attacks (94.1%), multimodal injection (91.7%), data exfiltration (91.4%), tool/command abuse (88.1%)"
          },
          {
            "action": "HUMAN REVIEW",
            "level": "review",
            "threshold": "<88% confidence. Benign/FP at 87.2%; FP rate improved to 13.9% from 16.7%, meaning the human review queue is smaller and higher-signal than last month"
          }
        ]
      },
      {
        "audience_id": "security",
        "rank": 3,
        "title": "Enforce Agent-to-Agent Authentication",
        "points": [
          "Inter-agent attacks grew 47% in share (3.4% to 5.0%) with 97.9% detection confidence. Require signed, verifiable payloads for all inter-agent communication channels",
          "Implement per-agent identity certificates and capability manifests; reject tool outputs from unrecognised or unauthenticated agent identities at every orchestration boundary",
          "Monitor for recursive payload propagation. A single poisoned tool output can cascade across multiple agent boundaries before any downstream agent triggers a block in an unauthenticated system",
          "Agent impersonation and trust chain exploitation are confirmed active patterns this month. Log full provenance chains for all inter-agent messages to enable post-incident reconstruction"
        ]
      },
      {
        "audience_id": "security",
        "rank": 4,
        "title": "Extend Detection Coverage to Non-Text Modalities",
        "points": [
          "Multimodal injection (2.3%, 821 detections) is a confirmed blind spot for text-only detection stacks. Deploy scanning on image OCR output, PDF annotation layers, and embedded document metadata",
          "Correlate multimodal detections with concurrent text-based signals; compound attacks that split instructions across modalities are designed to fall below single-channel detection thresholds",
          "Add multimodal injection signatures to the existing L1 pattern library (currently 218 patterns). The 91.7% detection confidence on first observation indicates reliable signal is extractable from this modality",
          "Indirect injection via content ranked 5th at 7.4% (2,634 detections). Document-borne delivery is the established pathway that multimodal injection extends to image and binary formats"
        ]
      },
      {
        "audience_id": "enterprise",
        "rank": 1,
        "title": "Reassess Agentic AI Risk Exposure Immediately",
        "points": [
          "Agent-targeting attacks grew from 15.1% to 26.4% of all threats in a single month. Inventory every agentic deployment and classify by blast radius: agents with write access to data stores, code repositories, or external APIs require the strictest controls",
          "Goal hijacking nearly doubled in one month (3.6% to 6.9%, 1,019 to 2,467 detections). Any autonomous agent in production without planning-phase objective validation is a high-priority unmitigated risk",
          "Tool abuse grew from 8.1% to 14.5% as deployments scaled from 38 to 47 unique systems. The attack surface is expanding faster than most security programs are tracking; a deployment registry with tool-calling capability flags is now essential",
          "The 26.4% agent-targeting share means <strong>more than 1 in 4 threats now specifically targets agentic AI capabilities</strong>. Treat agentic security as a dedicated risk category, not a subset of general AI content policy"
        ]
      },
      {
        "audience_id": "enterprise",
        "rank": 2,
        "title": "Update Detection Baselines for February",
        "points": [],
        "baseline_table": [
          {
            "environment": "Security Testing",
            "rate": "35-55% threat rate (agent-heavy adversarial environments trending toward upper bound as tool-calling surfaces expand)"
          },
          {
            "environment": "Production (Agentic)",
            "rate": "15-25% threat rate, revised upward from January's 10-20% baseline, reflecting tool abuse surge and goal hijacking growth"
          },
          {
            "environment": "Production (Chat/RAG)",
            "rate": "10-20% threat rate (stable; RAG poisoning growth at 12.0% pushes RAG-enabled deployments toward the upper bound)"
          },
          {
            "environment": "Development",
            "rate": "0-5% threat rate (stable; low exposure consistent with January baseline)"
          }
        ]
      },
      {
        "audience_id": "enterprise",
        "rank": 3,
        "title": "Fund Multimodal and Agent Security Infrastructure",
        "points": [
          "Multimodal injection is a newly confirmed attack vector at 2.3% (821 detections). Allocate budget for scanning image, PDF, and document inputs through dedicated extraction and classification pipelines before they reach models",
          "Inter-agent authentication infrastructure is now operationally necessary for any multi-agent system. Plan for signed payload verification, per-agent capability certificates, and audit logging at every agent boundary",
          "FP rate improved from 16.7% to 13.9% as the model reached 93.4% high-confidence classification. Improved precision reduces SOC analyst burden and improves ROI on existing detection investments; budget for continued tuning to sustain this trajectory",
          "The overall detection rate improved to 39.1% from 37.8% despite a 27% increase in threat volume (28,194 to 35,711 detections). Detection capacity is scaling with threat growth, validating continued investment in layered detection infrastructure"
        ]
      }
    ]
  },
  "model_performance": {
    "overall_confidence": 94.2,
    "high_threat_precision": 96.8,
    "model_consistency": 88.9,
    "uncertain_prediction_rate": 2.4,
    "detection_layers": {
      "l1_pattern_based": {
        "name": "Pattern-Based Detection",
        "latency": "sub-millisecond",
        "pattern_count": 218,
        "description_items": [
          "Deterministic rule matching",
          "Sub-millisecond latency",
          "218 threat patterns"
        ]
      },
      "l2_ml_classification": {
        "name": "ML Classification",
        "model": "Gemma-based 5-head multilabel classifier",
        "confidence_threshold": 95,
        "description_items": [
          "Gemma-based 5-head classifier",
          "Voting ensemble with confidence",
          "Family, technique, harm classification"
        ]
      }
    },
    "framework_alignment": [
      "OWASP LLM Top 10 2025",
      "MITRE ATLAS"
    ],
    "framework_badges": [
      {
        "name": "OWASP LLM Top 10",
        "description": "Aligned with OWASP LLM Top 10 2025",
        "url": "https://owasp.org/www-project-top-10-for-large-language-model-applications/"
      },
      {
        "name": "MITRE ATLAS",
        "description": "Mapped to MITRE ATLAS adversarial techniques",
        "url": "https://atlas.mitre.org/"
      }
    ]
  },
  "section_meta": {
    "executive_summary": {
      "number": "00",
      "title": "Executive Summary",
      "subtitle": "February 2026: agentic attack surface doubles in one month"
    },
    "key_findings": {
      "number": "01",
      "title": "Key Findings",
      "subtitle": "Critical insights from 91,284 interactions across 47 deployments in February 2026"
    },
    "threat_families": {
      "number": "02",
      "title": "Threat Family Distribution",
      "subtitle": "Tool abuse and agent-targeting families dominate February's threat mix. Click any segment to explore"
    },
    "attack_techniques": {
      "number": "03",
      "title": "Attack Technique Frequency",
      "subtitle": "Tool chain escalation claims the #1 rank at 11.7%, displacing instruction override from January. Hover for confidence scores"
    },
    "harm_categories": {
      "number": "04",
      "title": "Harm Category Analysis",
      "subtitle": "Cybersecurity objectives account for 71.3% of all harm. Privacy/PII threats rose from 2.4% to 3.3%"
    },
    "emerging_threats": {
      "number": "05",
      "title": "Emerging Threats",
      "subtitle": "Four accelerating vectors in February: tool abuse, goal hijacking, and inter-agent attacks (all CRITICAL-rated), plus the newly tracked multimodal injection category (HIGH)"
    },
    "recommendations": {
      "number": "06",
      "title": "Recommendations",
      "subtitle": "Priority actions for developers, security teams, and enterprises based on February threat data"
    },
    "methodology": {
      "number": "07",
      "title": "Methodology",
      "subtitle": "How RAXE detects and classifies threats"
    },
    "intelligence_services": {
      "number": "08",
      "title": "Enterprise Intelligence Services",
      "subtitle": "AI security consulting, threat intelligence, and agent runtime protection"
    }
  },
  "previous_month": {
    "report_id": "TI-2026-M01",
    "month_name": "January",
    "total_interactions": 74636,
    "total_threats": 28194,
    "detection_rate": 37.8,
    "high_confidence_rate": 92.8
  }
}
