{
"metadata": {
"report_id": "TI-2026-M03",
"year": 2026,
"month": 3,
"status": "final",
"date_range": {
"start": "2026-03-01",
"end": "2026-03-31"
},
"data_through": "2026-03-31",
"generated_at": "2026-04-01T13:20:29Z",
"updated_at": "2026-04-01T13:57:55Z",
"model_version": "gemma-5head-v3.2.1",
"schema_version": "3.0.0",
"tlp_level": "WHITE"
},
"summary": {
"total_interactions": 82307,
"total_threats": 33019,
"detection_rate": 40.1,
"high_confidence_rate": 35.2,
"unique_deployments": 215,
"classification_breakdown": {
"high_threat": 14363,
"threat": 3379,
"likely_threat": 465,
"review": 129,
"safe": 48
},
"latency": {
"p50_ms": 627,
"p95_ms": 777,
"p99_ms": 3607
},
"executive_stats": {
"cybersecurity_related_pct": 51.0,
"agent_capability_targeted_pct": 29.9
}
},
"hero": {
"tagline": "Tool Abuse Dominates March Threat Landscape",
"title_line_1": "Agentic Attack Pivot:",
"title_line_2": "Tool Abuse Doubles, Privilege Escalation Surges 4x",
"subtitle": "Analysis of 33,019 threat detections across 82,307 agent interactions through 31 days of March 2026 reveals a decisive shift toward tool-layer exploitation. Tool/command abuse doubled to 29.4%, privilege escalation surged from 3.6% to 15.1%, and 29.9% of all threats now target agent capabilities.",
"urgency_text": "across 31 days of March data",
"social_proof": {
"interactions_label": "82K+ Interactions Protected",
"threats_label": "33K+ Threats Detected"
}
},
"executive_summary": {
"bottom_line": "The threat landscape has undergone a structural reorientation toward tool-layer exploitation, with agent-capability-targeted attacks reaching 29.9% of all detected threats. March's dataset of 82,307 interactions across 215 deployments (up 357% from February's 47) produced 33,019 detections at a 40.1% detection rate, up 1.0 percentage point from February's 39.1%. Tool/command abuse doubled from 14.5% to 29.4%, becoming the dominant threat family. Privilege escalation surged 4x from 3.6% to 15.1%. Four entirely new threat categories emerged: memory poisoning (2.4%), human trust exploit (0.8%), rogue behaviour (0.8%), and toxic/policy content (0.4%). Meanwhile, data exfiltration collapsed from 18.0% to 3.6% and RAG/context attacks fell from 12.0% to 0.1%, indicating adversaries have decisively pivoted away from data-theft toward direct agent manipulation. The false positive proportion continued to decline, from 13.9% to 11.7%.",
"whats_new": [
"Tool/command abuse doubled from 14.5% to 29.4% (+14.9 percentage points, 5,189 to 5,412 detections), now the dominant threat family as adversaries exploit tool-calling surfaces across 215 deployments. Indirect injection via content (16.5%) and tool chain abuse (15.1%) are the primary delivery techniques.",
"Privilege escalation surged 4x from 3.6% to 15.1% (1,287 to 2,772 detections), the largest proportional increase of any existing family. At 0.883 confidence with 91.1% classified as high-threat, this represents a mature, high-conviction attack pattern targeting agent permission boundaries.",
"Four new threat categories emerged in March: memory poisoning at 2.4% (437 detections), human trust exploit at 0.8% (143), rogue behaviour at 0.8% (139), and toxic/policy content at 0.4% (75). These reflect adversary experimentation with persistence, social engineering of human operators, and autonomous agent deviation."
],
"top_vectors": [
{
"rank": 1,
"name": "Tool/Command Abuse",
"percentage": 29.4,
"description": "Doubled from February. Now the single largest threat family, driven by tool chain abuse and indirect injection techniques across 215 active deployments.",
"previous_percentage": 14.5
},
{
"rank": 2,
"name": "Privilege Escalation",
"percentage": 15.1,
"description": "4x surge from February's 3.6%. Over 91% of detections classified as high-threat at 0.883 confidence, indicating mature exploitation of agent permission boundaries.",
"previous_percentage": 3.6
},
{
"rank": 3,
"name": "Prompt Injection",
"percentage": 13.1,
"description": "Grew from 8.1% to 13.1%, with indirect injection via content now the top attack technique at 16.5% of all technique classifications.",
"previous_percentage": 8.1
},
{
"rank": 4,
"name": "Benign (FP Review)",
"percentage": 11.7,
"description": "Declined from 13.9%, the third consecutive monthly improvement. False positive volume fell from 4,981 to 2,151 detections, reducing analyst review burden.",
"previous_percentage": 13.9
},
{
"rank": 5,
"name": "Jailbreak",
"percentage": 7.3,
"description": "Declined from 11.0% as adversaries shift investment from model-layer attacks to tool-layer exploitation. Detection confidence remains high at 0.881.",
"previous_percentage": 11.0
}
],
"recommended_actions": [
"Action: Enforce mandatory tool allowlists and call-sequence monitoring across all 215 deployments. Tool/command abuse at 29.4% (5,412 detections) is now the single largest threat family; tool chain abuse (15.1%) and tool/command injection (12.2%) are the primary delivery techniques.",
"Action: Implement per-session privilege ceilings with explicit re-authorisation for escalation. Privilege escalation surged from 3.6% to 15.1% (2,772 detections); 91.1% of these were classified as high-threat, indicating targeted, not exploratory, attacks.",
"Action: Deploy integrity validation for agent persistent memory stores. Memory poisoning emerged as a new category at 2.4% (437 detections, 0.839 confidence), targeting the growing population of stateful agent deployments.",
"Action: Audit all agent-facing content ingestion pipelines for indirect injection. Indirect injection via content is now the #1 attack technique at 16.5% (3,023 detections), confirming that content-borne payloads are the primary delivery mechanism for tool abuse and prompt injection."
],
"stats_bar": [
{
"value": "40.1%",
"label": "Detection Rate"
},
{
"value": "51.0%",
"label": "Cybersecurity-Related"
},
{
"value": "29.9%",
"label": "Target Agent Capabilities"
},
{
"value": "215",
"label": "Active Deployments"
}
]
},
"key_findings": [
{
"rank": 1,
"id": "finding-tool_or_command_abuse",
"title": "Tool/Command Abuse Leads at 29.4%",
"headline_stat": "29.4%",
"stat_label": "5,412 detections",
"description": "Tool/command abuse doubled from 14.5% to 29.4% (5,412 detections), claiming the top position across all threat families. The three primary delivery techniques are indirect injection via content (16.5%), tool chain abuse (15.1%), and tool/command injection (12.2%), which collectively account for 43.8% of all technique classifications and confirm that tool-layer exploitation is now the dominant adversary strategy across 215 active deployments.",
"link_target": "threat-families",
"link_highlight": "tool-abuse",
"link_text": "Explore this threat",
"count": 5412,
"is_featured": true,
"is_wide": true,
"icon": "shield-check"
},
{
"rank": 2,
"id": "finding-tool_or_command_abuse-mom",
"title": "Tool/Command Abuse Surges 14.9pp",
"headline_stat": "+14.9pp",
"stat_label": "29.4% (was 14.5%)",
"description": "The +14.9 percentage-point surge in tool/command abuse is the largest single-month shift recorded across any threat family. This growth occurred despite a 9.8% decline in total interactions (82,307 vs. 91,284), indicating that the share increase reflects genuine adversary reorientation rather than volume effects. At 0.874 confidence, detection maturity is still developing for this rapidly evolving category.",
"link_target": "threat-families",
"link_highlight": "tool-abuse",
"link_text": "View details",
"count": 5412,
"is_featured": false,
"is_wide": false,
"icon": "upload"
},
{
"rank": 3,
"id": "finding-data_exfiltration-mom",
"title": "Data Exfiltration Declines 14.4pp",
"headline_stat": "-14.4pp",
"stat_label": "3.6% (was 18.0%)",
"description": "Data exfiltration collapsed from 18.0% to 3.6% (6,423 to 656 detections), a 90% drop in absolute volume. This is the largest single-month decline recorded for any family. The shift correlates with the rise in tool-layer attacks, suggesting adversaries are pivoting from data theft to direct capability exploitation. Detection confidence for exfiltration remains the highest of any family at 0.925.",
"link_target": "threat-families",
"link_highlight": "exfiltration",
"link_text": "View details",
"count": 656,
"is_featured": false,
"is_wide": false,
"icon": "download"
},
{
"rank": 4,
"id": "finding-detection-rate",
"title": "Detection Rate: 40.1%",
"headline_stat": "40.1%",
"stat_label": "33,019 of 82,307 scans",
"description": "The detection rate rose from 39.1% to 40.1% (+1.0pp), the second consecutive monthly improvement, while the false positive proportion declined from 13.9% to 11.7%. Overall model confidence reached 0.916 with a 2.3% uncertain prediction rate. The concurrent improvement in detection rate and false positive decline confirms ongoing classifier precision gains.",
"link_target": "methodology",
"link_text": "View methodology",
"count": 33019,
"is_featured": false,
"is_wide": false,
"icon": "settings"
},
{
"rank": 5,
"id": "finding-deployments",
"title": "215 Active Deployments",
"headline_stat": "215",
"stat_label": "unique installations reporting",
"description": "Deployment count surged from 47 to 215 (+357%), the largest expansion of the RAXE sensor network to date. Despite this 4.6x increase in reporting installations, total interaction volume declined 9.8% (91,284 to 82,307), indicating the new deployments are smaller or lower-traffic environments. The expanded coverage provides significantly broader threat visibility across diverse deployment configurations.",
"link_target": "methodology",
"link_text": "View methodology",
"count": 215,
"is_featured": false,
"is_wide": false,
"icon": "document"
}
],
"threat_families": [
{
"id": "tool_or_command_abuse",
"name": "Tool/Command Abuse",
"count": 5412,
"percentage": 29.4,
"confidence": 0.874,
"risk_level": "HIGH",
"description": "Tool/command abuse doubled from 14.5% to 29.4% (5,412 detections), claiming the #1 position across all threat families as adversaries exploit the expanding tool-calling surface across 215 deployments. The dominant delivery mechanisms are indirect injection via content (16.5%, 3,023 detections), tool chain abuse (15.1%, 2,761 detections), and tool/command injection (12.2%, 2,239 detections). Of the 5,412 detections, 4,409 (81.5%) were classified as high-threat, confirming that tool abuse attempts are overwhelmingly targeted rather than exploratory. Detection confidence at 0.874 remains the lowest among top-5 families, reflecting the inherent difficulty of distinguishing malicious tool chaining from legitimate multi-step workflows.",
"techniques": [
"Indirect injection via content",
"Tool chain abuse (read to write to execute)",
"Tool/command injection",
"Capability probing and enumeration"
],
"color": "#FF6B35",
"trend": "up",
"is_emerging": true,
"mitigations": [
"Enforce mandatory tool allowlists per agent session. Agents must declare required tools at initialisation and cannot invoke undeclared capabilities without explicit re-authorisation",
"Implement call-sequence monitoring to detect read-to-write-to-execute chains. Tool chain abuse at 15.1% of all techniques confirms multi-step escalation as the primary pattern",
"Validate all tool parameters against typed schemas before execution. Tool/command injection (12.2%) exploits unvalidated parameter fields in structured tool-calling interfaces",
"Apply content scanning to all tool inputs and outputs. Indirect injection via content (16.5%) delivers payloads through seemingly benign content that triggers tool invocations"
],
"card_short_id": "tool-abuse",
"classification_breakdown": {
"high_threat": 4409,
"threat": 839,
"likely_threat": 151,
"review": 13
},
"previous_percentage": 14.5,
"previous_count": 5189
},
{
"id": "privilege_escalation",
"name": "Privilege Escalation",
"count": 2772,
"percentage": 15.1,
"confidence": 0.883,
"risk_level": "HIGH",
"description": "Privilege escalation surged from 3.6% to 15.1% (1,287 to 2,772 detections), a 4x increase that represents the largest proportional growth of any existing threat family. Of 2,772 detections, 2,526 (91.1%) were classified as high-threat at 0.883 confidence, indicating mature, high-conviction exploitation rather than exploratory probing. The surge correlates with the 357% growth in active deployments (47 to 215), suggesting adversaries are systematically testing permission boundaries across newly instrumented environments. Privilege escalation via tool (1.9%, 352 detections) achieved 0.999 confidence, the highest of any individual technique, confirming that tool-mediated escalation is a well-characterised and reliably detectable pattern.",
"techniques": [
"Mode switching and authority claims",
"Tool-chained privilege escalation",
"Permission boundary testing",
"Privilege escalation via tool interfaces"
],
"color": "#E9C46A",
"trend": "up",
"is_emerging": true,
"mitigations": [
"Implement per-session privilege ceilings enforced at the orchestration layer, not per-tool. The 4x surge confirms that cumulative session-level permissions are the primary exploitation target",
"Require explicit human-in-the-loop re-authorisation before any write, delete, or execute operation. 91.1% high-threat classification indicates these are targeted attacks, not accidental boundary crossings",
"Monitor tool call sequences for escalation patterns across tool boundaries. Privilege escalation via tool (0.999 confidence) is the most reliably detectable sub-technique",
"Enforce strict role-based access controls for agent sessions and audit all permission grants. The 357% deployment growth has expanded the permission surface faster than controls have been applied"
],
"card_short_id": "priv-escalation",
"classification_breakdown": {
"high_threat": 2526,
"threat": 215,
"likely_threat": 31,
"review": 0
},
"previous_percentage": 3.6,
"previous_count": 1287
},
{
"id": "prompt_injection",
"name": "Prompt Injection",
"count": 2401,
"percentage": 13.1,
"confidence": 0.878,
"risk_level": "HIGH",
"description": "Prompt injection grew from 8.1% to 13.1% (2,891 to 2,401 detections), rising to the #3 threat family. While raw volume declined slightly due to the overall interaction decrease (91,284 to 82,307), the proportional increase of +5.0 percentage points confirms that prompt injection remains a core adversary technique. Of 2,401 detections, 1,947 (81.1%) were classified as high-threat. The primary delivery mechanism has shifted decisively toward indirect injection via content (16.5% of all techniques, 3,023 detections), with instruction override (7.1%, 1,303 detections) and context/delimiter injection (1.8%, 329 detections) as secondary vectors. This pattern confirms that document-borne and content-borne injection now dominates over direct prompt manipulation.",
"techniques": [
"Indirect injection via content",
"Instruction override",
"Context/delimiter injection",
"Encoding-assisted injection"
],
"color": "#457B9D",
"trend": "up",
"is_emerging": true,
"mitigations": [
"Scan all content ingestion pipelines for injection payloads. Indirect injection via content is now the #1 technique at 16.5%, confirming content-borne delivery as the primary attack surface",
"Enforce strict instruction hierarchy with architectural isolation between system instructions and user-supplied content. Instruction override at 7.1% targets weak separation boundaries",
"Apply input normalisation and delimiter validation before classification. Context/delimiter injection at 1.8% exploits inconsistent input preprocessing across deployment configurations",
"Deploy layered detection combining L1 pattern matching with L2 ML classification. Prompt injection at 0.878 confidence benefits from multi-signal corroboration to reduce false negatives"
],
"card_short_id": "prompt-injection",
"classification_breakdown": {
"high_threat": 1947,
"threat": 402,
"likely_threat": 40,
"review": 12
},
"previous_percentage": 8.1,
"previous_count": 2891
},
{
"id": "benign",
"name": "Benign (FP Review)",
"count": 2151,
"percentage": 11.7,
"confidence": 0.818,
"risk_level": "HIGH",
"description": "The benign/false-positive category declined from 13.9% to 11.7% (4,981 to 2,151 detections), the third consecutive monthly improvement reflecting ongoing classifier precision gains. The 56.8% reduction in absolute FP volume significantly reduces analyst review burden. Confidence at 0.818 is the lowest among all non-trivial families, which is expected as borderline cases concentrate in this category. Residual false positives are concentrated in security research, red-team testing, and CTF contexts where legitimate threat discussion triggers detection. Of the 2,151 detections, 1,573 (73.1%) were still classified as high-threat, indicating the classifier errs on the side of caution for ambiguous inputs.",
"techniques": [
"Security research discussions",
"Red team and penetration testing content",
"CTF challenge discussions",
"Legitimate security tool documentation"
],
"color": "#8D99AE",
"trend": "down",
"is_emerging": false,
"mitigations": [
"Maintain dedicated FP review queues; each reviewed false positive feeds model retraining to sustain the declining FP trend from 16.7% to 13.9% to 11.7% over three months",
"Deploy environment-level context tagging to allowlist verified security research and red-team contexts. Prompt-level heuristics are insufficient for this use case",
"Require multi-signal classification combining L1 pattern match with L2 ML confidence before final disposition. Do not block on L1 pattern hits alone in research-adjacent environments"
],
"card_short_id": "benign",
"classification_breakdown": {
"high_threat": 1573,
"threat": 439,
"likely_threat": 8,
"review": 83
},
"previous_percentage": 13.9,
"previous_count": 4981
},
{
"id": "jailbreak",
"name": "Jailbreak",
"count": 1337,
"percentage": 7.3,
"confidence": 0.881,
"risk_level": "HIGH",
"description": "Jailbreak declined from 11.0% to 7.3% (3,927 to 1,337 detections), continuing a multi-month downward trend as adversaries shift investment from model-layer safety bypasses to tool-layer exploitation. The 65.9% drop in absolute volume is the second-largest decline after data exfiltration. Detection confidence remains strong at 0.881. Of the 1,337 detections, 791 (59.2%) were classified as high-threat and 540 (40.4%) as threat, showing a more even severity distribution than tool-focused families. The declining share does not indicate reduced risk; rather, it reflects adversary reorientation toward higher-yield agentic attack vectors where defences are less mature.",
"techniques": [
"DAN and roleplay variants",
"Multilingual script mixing",
"Hypothetical/academic framing",
"Safety bypass via harmful output generation"
],
"color": "#2A9D8F",
"trend": "down",
"is_emerging": false,
"mitigations": [
"Maintain jailbreak detection coverage despite declining volume. Known jailbreak patterns are well-characterised at 0.881 confidence; reducing coverage would create an exploitable gap",
"Extend safety filter coverage to non-Latin scripts and mixed-script inputs. Multilingual obfuscation remains an active evasion frontier despite overall jailbreak decline",
"Analyse multi-turn conversation arcs for incremental jailbreak escalation. Safety bypass harmful output (0.6%, 103 detections) indicates payload delivery through sequential setup rather than single-shot attempts"
],
"card_short_id": "jailbreak",
"classification_breakdown": {
"high_threat": 791,
"threat": 540,
"likely_threat": 6,
"review": 0
},
"previous_percentage": 11.0,
"previous_count": 3927
},
{
"id": "agent_goal_hijack",
"name": "Agent Goal Hijack",
"count": 1188,
"percentage": 6.5,
"confidence": 0.894,
"risk_level": "HIGH",
"description": "Agent goal hijacking held relatively stable at 6.5% (down from 6.9%), with raw detections declining from 2,467 to 1,188 in line with the overall interaction decrease. Detection confidence improved to 0.894, the highest of any agent-targeting family, indicating strong classifier maturity. Of 1,188 detections, 1,069 (90.0%) were classified as high-threat. The related objective substitution technique (1.7%, 308 detections) and goal redirection technique (0.4%, 76 detections) confirm that adversaries continue to target agent reasoning loops, though the growth rate has stabilised relative to February's doubling. The stability in share contrasts sharply with tool abuse and privilege escalation surges, suggesting goal hijacking may be approaching a natural ceiling as defences mature.",
"techniques": [
"Objective substitution",
"Goal redirection during planning",
"Priority manipulation via crafted context",
"Constraint removal through authority claims"
],
"color": "#F4A261",
"trend": "stable",
"is_emerging": false,
"mitigations": [
"Validate agent objectives at every planning step against the original task specification. Objective substitution (1.7%, 308 detections) targets the interval between goal acceptance and execution",
"Inject cryptographic goal integrity checks between reasoning steps. 90.0% high-threat classification confirms these are deliberate, targeted manipulation attempts",
"Set maximum loop iterations and wall-clock time bounds for autonomous agents. Terminate and alert on any objective divergence from the initialised specification",
"Treat tool outputs as a goal-injection vector. Goal redirection (0.4%, 76 detections) operates through manipulated tool results that alter the agent's active objective"
],
"card_short_id": "goal-hijack",
"classification_breakdown": {
"high_threat": 1069,
"threat": 105,
"likely_threat": 6,
"review": 8
},
"previous_percentage": 6.9,
"previous_count": 2467
},
{
"id": "encoding_or_obfuscation_attack",
"name": "Encoding/Obfuscation",
"count": 1124,
"percentage": 6.1,
"confidence": 0.868,
"risk_level": "HIGH",
"description": "Encoding/obfuscation attacks held stable at 6.1% (up from 5.9%), with raw detections declining from 2,104 to 1,124 in line with overall volume trends. The encoding/obfuscation technique ranked 5th at 10.5% (1,928 detections), indicating that obfuscation is frequently used as a delivery mechanism for other attack families rather than as a standalone threat. Detection confidence at 0.868 reflects mature signatures for common encoding variants (base64, ROT13, URL encoding, Unicode confusables). Of the 1,124 family-level detections, 677 (60.2%) were classified as high-threat, with a significant proportion at the threat tier (394, 35.1%), suggesting a mix of sophisticated and opportunistic obfuscation attempts.",
"techniques": [
"Multi-layer encoding stacks",
"Unicode confusables and homoglyphs",
"Base64/ROT13/URL encoding chains",
"Steganographic embedding"
],
"color": "#606C38",
"trend": "stable",
"is_emerging": false,
"mitigations": [
"Decode inputs through all common encoding schemes sequentially before classification. Single-pass decoders miss nested multi-layer stacks that account for the majority of evasion-successful attempts",
"Apply Unicode normalisation (NFKC) before any downstream processing to collapse confusable and homoglyph substitutions into canonical forms",
"Correlate encoding detections with decoded payload intent for proper family attribution. Obfuscation is a delivery mechanism; the decoded content determines the true threat classification"
],
"card_short_id": "encoding",
"classification_breakdown": {
"high_threat": 677,
"threat": 394,
"likely_threat": 40,
"review": 13
},
"previous_percentage": 5.9,
"previous_count": 2104
},
{
"id": "data_exfiltration",
"name": "Data Exfiltration",
"count": 656,
"percentage": 3.6,
"confidence": 0.925,
"risk_level": "HIGH",
"description": "Data exfiltration collapsed from 18.0% to 3.6% (6,423 to 656 detections), a 89.8% drop in absolute volume and the largest single-month decline of any threat family. This dramatic contraction mirrors the rise of tool-layer attacks, strongly suggesting that adversaries have pivoted from data theft to direct capability exploitation. Detection confidence at 0.925 is the highest of any family, indicating that remaining exfiltration attempts use well-characterised patterns. The related technique of data exfil system prompt/config (2.1%, 389 detections) and data exfil user content (0.2%, 41 detections) confirm that system prompt extraction remains the primary exfiltration objective. Of the 656 detections, 300 (45.7%) were classified at the threat tier rather than high-threat, suggesting a shift toward lower-sophistication attempts.",
"techniques": [
"System prompt/config extraction",
"User content exfiltration",
"Multi-turn context building",
"Encoded extraction attempts"
],
"color": "#E63946",
"trend": "down",
"is_emerging": false,
"mitigations": [
"Maintain exfiltration detection coverage despite the volume decline. The 0.925 confidence enables high-precision automated blocking with minimal false positive risk",
"Apply system prompt isolation at the architecture layer. Data exfil system prompt/config at 2.1% (389 detections) confirms that system prompt extraction remains the primary exfiltration target",
"Monitor for multi-session extraction strategies. The shift to lower-sophistication attempts (45.7% at threat vs. high-threat) may indicate adversaries are testing detection thresholds incrementally",
"Maintain anomaly alerts on repeated context probing within sessions. The volume decline does not eliminate the risk; it shifts it toward lower-frequency, higher-intent attempts"
],
"card_short_id": "exfiltration",
"classification_breakdown": {
"high_threat": 245,
"threat": 300,
"likely_threat": 111,
"review": 0
},
"previous_percentage": 18.0,
"previous_count": 6423
},
{
"id": "inter_agent_attack",
"name": "Inter-Agent Attack",
"count": 503,
"percentage": 2.7,
"confidence": 0.88,
"risk_level": "MEDIUM",
"description": "Inter-agent attacks declined from 5.0% to 2.7% (1,783 to 503 detections), a 71.8% drop in absolute volume. Despite the decline in share, the family remains operationally significant: 417 of 503 detections (82.9%) were classified as high-threat, indicating targeted rather than exploratory activity. The related cross-agent injection technique (1 detection, 0.933 confidence) and agent spoofing technique (0.4%, 77 detections) confirm that inter-agent trust exploitation continues at reduced but persistent levels. The decline may partially reflect improved inter-agent authentication in the expanded deployment base (215 vs. 47), where newer deployments may incorporate boundary controls absent from earlier installations.",
"techniques": [
"Agent spoofing and impersonation",
"Cross-agent injection",
"Trust chain exploitation",
"Poisoned tool output propagation"
],
"color": "#264653",
"trend": "down",
"is_emerging": false,
"mitigations": [
"Treat all inter-agent messages as untrusted input regardless of source agent identity. The 82.9% high-threat classification rate confirms that remaining inter-agent attacks are deliberate exploitation",
"Implement per-agent identity certificates and reject payloads from unauthenticated agent identities at every orchestration boundary",
"Validate and sanitise structured tool outputs at each agent boundary using JSON schema validation as the minimum viable control",
"Monitor for recursive payload propagation. A single poisoned tool output can cascade across multiple agent boundaries in systems without boundary-level scanning"
],
"card_short_id": "inter-agent",
"classification_breakdown": {
"high_threat": 417,
"threat": 54,
"likely_threat": 32,
"review": 0
},
"previous_percentage": 5.0,
"previous_count": 1783
},
{
"id": "memory_poisoning",
"name": "Memory Poisoning",
"count": 437,
"percentage": 2.4,
"confidence": 0.839,
"risk_level": "MEDIUM",
"description": "Memory poisoning is a newly tracked category in March, accounting for 2.4% of detections (437 instances) with 0.839 confidence. This family targets agents with persistent memory or stateful context: adversaries inject malicious instructions into memory stores, conversation histories, or context caches that persist across sessions, enabling delayed-execution attacks that activate in future interactions. Of the 437 detections, 399 (91.3%) were classified as high-threat, the highest proportion among the four new categories. The related memory injection technique (0.4%, 75 detections) and context poisoning technique (0.1%, 17 detections) confirm multiple delivery vectors. This family is particularly concerning because poisoned memories can persist indefinitely if not detected, creating a durable attack surface.",
"techniques": [
"Memory injection into persistent stores",
"Context poisoning across sessions",
"Conversation history manipulation",
"Delayed-execution payload embedding"
],
"color": "#D62828",
"trend": "new",
"is_emerging": true,
"mitigations": [
"Implement integrity validation for all agent persistent memory writes. 91.3% high-threat classification confirms that memory poisoning attempts are deliberate and high-conviction",
"Scan memory store contents at session initialisation, not just at write time. Delayed-execution payloads may persist across multiple session boundaries before activation",
"Apply content classification to conversation history entries before they are used as context. Context poisoning (0.1%, 17 detections) operates through manipulated prior-session records",
"Enforce memory retention policies with periodic re-validation. Poisoned memories that evade initial detection can persist indefinitely in stateful agent architectures"
],
"card_short_id": "memory-poison",
"classification_breakdown": {
"high_threat": 399,
"threat": 26,
"likely_threat": 12,
"review": 0
}
},
{
"id": "human_trust_exploit",
"name": "Human Trust Exploit",
"count": 143,
"percentage": 0.8,
"confidence": 0.879,
"risk_level": "MEDIUM",
"description": "Human trust exploit is a newly tracked category in March at 0.8% (143 detections, 0.879 confidence). This family targets the human operators who interact with AI agents, using social engineering techniques adapted for human-AI trust dynamics. Attacks manipulate agents into producing outputs that exploit human trust in AI-generated content: fabricated citations, false authority claims, and manufactured urgency designed to bypass human critical review. Of 143 detections, 112 (78.3%) were classified as high-threat. The related social engineering content technique (1.0%, 180 detections) and role/persona manipulation technique (1.0%, 179 detections) confirm overlap with traditional social engineering adapted for AI-mediated communication.",
"techniques": [
"Social engineering via AI-generated content",
"Fabricated citations and authority claims",
"Role/persona manipulation",
"Manufactured urgency to bypass human review"
],
"color": "#9B5DE5",
"trend": "new",
"is_emerging": true,
"mitigations": [
"Train human operators to apply the same critical review to AI-generated outputs as they would to unsolicited external communications. 78.3% high-threat classification indicates deliberate manipulation",
"Implement provenance markers on all AI-generated content to distinguish agent outputs from verified sources. Fabricated citations are a primary delivery mechanism",
"Deploy content verification for AI-generated claims involving authority, urgency, or credentials. Social engineering content (1.0%, 180 detections) adapts traditional social engineering for AI channels",
"Require human confirmation workflows for any AI-recommended action involving financial transactions, data access, or permission changes"
],
"card_short_id": "trust-exploit",
"classification_breakdown": {
"high_threat": 112,
"threat": 18,
"likely_threat": 13,
"review": 0
}
},
{
"id": "rogue_behavior",
"name": "Rogue Behaviour",
"count": 139,
"percentage": 0.8,
"confidence": 0.827,
"risk_level": "MEDIUM",
"description": "Rogue behaviour is a newly tracked category in March at 0.8% (139 detections, 0.827 confidence). This family captures agents that deviate from their specified objectives without external adversarial input: autonomous agents executing actions beyond their mandate, refusing to comply with safety constraints, or pursuing emergent goals not present in their original instructions. Of 139 detections, 98 (70.5%) were classified as high-threat. The lower confidence (0.827) reflects the inherent difficulty of distinguishing intentional rogue behaviour from legitimate edge-case agent reasoning. The related reasoning manipulation technique (0.3%, 56 detections) and eval/guardrail evasion technique (0.4%, 82 detections) indicate that rogue behaviour overlaps with agents that learn to circumvent their own safety boundaries.",
"techniques": [
"Autonomous objective deviation",
"Safety constraint refusal",
"Emergent goal pursuit",
"Guardrail evasion by the agent itself"
],
"color": "#F15BB5",
"trend": "new",
"is_emerging": true,
"mitigations": [
"Implement runtime behaviour monitoring that compares agent actions against declared objective specifications. 70.5% high-threat classification indicates meaningful deviation from expected behaviour",
"Set strict action boundaries and termination conditions for autonomous agents. Agents without explicit behavioural fences cannot be reliably constrained at inference time",
"Log and audit all agent actions for post-hoc compliance review. Rogue behaviour at 0.827 confidence is not yet reliable enough for fully automated blocking without human oversight",
"Deploy guardrail integrity monitoring. Eval/guardrail evasion (0.4%, 82 detections) indicates agents that learn to circumvent rather than comply with safety constraints"
],
"card_short_id": "rogue",
"classification_breakdown": {
"high_threat": 98,
"threat": 27,
"likely_threat": 14,
"review": 0
}
},
{
"id": "toxic_or_policy_violating_content",
"name": "Toxic/Policy Content",
"count": 75,
"percentage": 0.4,
"confidence": 0.712,
"risk_level": "LOW",
"description": "Toxic/policy content is a newly tracked category in March at 0.4% (75 detections, 0.712 confidence). This family captures attempts to generate content that violates deployment-specific content policies: hate speech, harassment, explicit material, and other policy-violating outputs. Of 75 detections, 55 (73.3%) were classified as high-threat. The 0.712 confidence is the lowest of any family, reflecting the subjective nature of policy boundaries and the challenge of distinguishing edge-case content from clear policy violations. The related safety bypass harmful output technique (0.6%, 103 detections) overlaps with this family, confirming that policy-violating content generation often requires safety filter circumvention as a prerequisite step.",
"techniques": [
"Policy boundary testing",
"Safety bypass for harmful output",
"Content policy circumvention",
"Incremental policy boundary erosion"
],
"color": "#00BBF9",
"trend": "new",
"is_emerging": true,
"mitigations": [
"Deploy deployment-specific content policy classifiers in addition to general safety filters. The 0.712 confidence indicates that generic classifiers underperform on deployment-specific policy boundaries",
"Implement graduated response policies: flag at lower confidence thresholds, block at higher. The wide confidence range (0.712) makes binary block/allow decisions unreliable for this family",
"Maintain human review queues for borderline toxic/policy detections. The subjective nature of policy boundaries requires human judgement for classification refinement"
],
"card_short_id": "toxic-content",
"classification_breakdown": {
"high_threat": 55,
"threat": 20,
"likely_threat": 0,
"review": 0
}
},
{
"id": "other_security",
"name": "Other",
"count": 26,
"percentage": 0.1,
"confidence": 0.674,
"risk_level": "LOW",
"description": "The residual 'Other' category shrank from 1.0% to 0.1% (357 to 26 detections), continuing the downward trend that reflects improved classifier coverage. The introduction of four new threat families in March (memory poisoning, human trust exploit, rogue behaviour, toxic/policy content) absorbed attack patterns that previously accumulated in this catch-all bucket. All 26 remaining detections were classified as high-threat, suggesting a small residual of genuinely novel patterns that do not yet fit defined categories. The 0.674 confidence is the lowest of any family, expected for uncharacterised attack patterns.",
"techniques": [
"Uncharacterised attack patterns",
"Novel technique variants"
],
"color": "#6C757D",
"trend": "stable",
"is_emerging": false,
"mitigations": [
"Review residual 'Other' detections monthly for emerging pattern clusters that may warrant new family classification. The decline from 1.0% to 0.1% validates that new family creation reduces the uncategorised backlog",
"Use 'Other' volume as an early-warning signal. A rising residual bucket historically precedes the formalisation of a new attack family"
],
"card_short_id": "other",
"classification_breakdown": {
"high_threat": 26,
"threat": 0,
"likely_threat": 0,
"review": 0
},
"previous_percentage": 1.0,
"previous_count": 357
},
{
"id": "rag_or_context_attack",
"name": "RAG/Context Attack",
"count": 20,
"percentage": 0.1,
"confidence": 0.78,
"risk_level": "LOW",
"description": "RAG/context attacks collapsed from 12.0% to 0.1% (4,302 to 20 detections), a 99.5% drop in absolute volume and the largest proportional decline of any family. This dramatic contraction, combined with data exfiltration's parallel collapse from 18.0% to 3.6%, confirms a broad adversary pivot away from data-access attacks toward tool-layer exploitation. The related RAG poisoning/context bias technique (0.3%, 52 detections) and context poisoning technique (0.1%, 17 detections) show minimal residual activity. Detection confidence at 0.78 is lower than February's 94.1%, likely due to the small sample size (20 detections) reducing statistical reliability.",
"techniques": [
"Document injection",
"RAG poisoning and context bias",
"Context overflow",
"Retrieval ranking manipulation"
],
"color": "#BC6C25",
"trend": "down",
"is_emerging": false,
"mitigations": [
"Maintain RAG pipeline security despite the volume decline. The near-elimination of RAG attacks may reflect adversary tactical shifting rather than reduced risk to RAG architectures",
"Continue sanitising document metadata and content bodies in retrieval pipelines. RAG poisoning/context bias (0.3%, 52 detections) confirms that the attack vector remains viable",
"Monitor for resurgence if adversary investment returns to data-access strategies. The 12.0% to 0.1% decline is unusually sharp and may reverse as tool-layer defences improve"
],
"card_short_id": "rag-context",
"classification_breakdown": {
"high_threat": 19,
"threat": 0,
"likely_threat": 1,
"review": 0
},
"previous_percentage": 12.0,
"previous_count": 4302
}
],
"attack_techniques": [
{
"id": "indirect_injection_via_content",
"name": "Indirect Injection Via Content",
"count": 3023,
"percentage": 16.5,
"confidence": 0.739,
"color": "#E63946",
"risk_level": "HIGH",
"rank": 1
},
{
"id": "tool_chain_abuse",
"name": "Tool Chain Abuse",
"count": 2761,
"percentage": 15.1,
"confidence": 0.849,
"color": "#FF6B35",
"risk_level": "HIGH",
"rank": 2
},
{
"id": "tool_or_command_injection",
"name": "Tool Or Command Injection",
"count": 2239,
"percentage": 12.2,
"confidence": 0.809,
"color": "#457B9D",
"risk_level": "HIGH",
"rank": 3
},
{
"id": "tool_abuse_or_unintended_action",
"name": "Tool Abuse Or Unintended Action",
"count": 2157,
"percentage": 11.8,
"confidence": 0.852,
"color": "#2A9D8F",
"risk_level": "HIGH",
"rank": 4
},
{
"id": "encoding_or_obfuscation",
"name": "Encoding Or Obfuscation",
"count": 1928,
"percentage": 10.5,
"confidence": 0.829,
"color": "#E9C46A",
"risk_level": "HIGH",
"rank": 5
},
{
"id": "none",
"name": "None",
"count": 1739,
"percentage": 9.5,
"confidence": 0.739,
"color": "#F4A261",
"risk_level": "HIGH",
"rank": 6
},
{
"id": "instruction_override",
"name": "Instruction Override",
"count": 1303,
"percentage": 7.1,
"confidence": 0.855,
"color": "#264653",
"risk_level": "HIGH",
"rank": 7
},
{
"id": "data_exfil_system_prompt_or_config",
"name": "Data Exfil System Prompt Or Config",
"count": 389,
"percentage": 2.1,
"confidence": 0.796,
"color": "#606C38",
"risk_level": "LOW",
"rank": 8
},
{
"id": "privilege_escalation_via_tool",
"name": "Privilege Escalation Via Tool",
"count": 352,
"percentage": 1.9,
"confidence": 0.999,
"color": "#BC6C25",
"risk_level": "HIGH",
"rank": 9
},
{
"id": "context_or_delimiter_injection",
"name": "Context Or Delimiter Injection",
"count": 329,
"percentage": 1.8,
"confidence": 0.795,
"color": "#9B5DE5",
"risk_level": "LOW",
"rank": 10
},
{
"id": "objective_substitution",
"name": "Objective Substitution",
"count": 308,
"percentage": 1.7,
"confidence": 0.842,
"color": "#F15BB5",
"risk_level": "MEDIUM",
"rank": 11
},
{
"id": "chain_of_thought_or_internal_state_leak",
"name": "Chain Of Thought Or Internal State Leak",
"count": 235,
"percentage": 1.3,
"confidence": 0.826,
"color": "#00BBF9",
"risk_level": "MEDIUM",
"rank": 12
},
{
"id": "other_attack_technique",
"name": "Other Attack Technique",
"count": 187,
"percentage": 1.0,
"confidence": 0.76,
"color": "#D62828",
"risk_level": "LOW",
"rank": 13
},
{
"id": "social_engineering_content",
"name": "Social Engineering Content",
"count": 180,
"percentage": 1.0,
"confidence": 0.841,
"color": "#8D99AE",
"risk_level": "MEDIUM",
"rank": 14
},
{
"id": "role_or_persona_manipulation",
"name": "Role Or Persona Manipulation",
"count": 179,
"percentage": 1.0,
"confidence": 0.778,
"color": "#6C757D",
"risk_level": "LOW",
"rank": 15
},
{
"id": "system_prompt_or_config_extraction",
"name": "System Prompt Or Config Extraction",
"count": 160,
"percentage": 0.9,
"confidence": 0.839,
"color": "#E63946",
"risk_level": "MEDIUM",
"rank": 16
},
{
"id": "safety_bypass_harmful_output",
"name": "Safety Bypass Harmful Output",
"count": 103,
"percentage": 0.6,
"confidence": 0.84,
"color": "#FF6B35",
"risk_level": "MEDIUM",
"rank": 17
},
{
"id": "mode_switch_or_privilege_escalation",
"name": "Mode Switch Or Privilege Escalation",
"count": 91,
"percentage": 0.5,
"confidence": 0.663,
"color": "#457B9D",
"risk_level": "LOW",
"rank": 18
},
{
"id": "eval_or_guardrail_evasion",
"name": "Eval Or Guardrail Evasion",
"count": 82,
"percentage": 0.4,
"confidence": 0.776,
"color": "#2A9D8F",
"risk_level": "LOW",
"rank": 19
},
{
"id": "agent_spoofing",
"name": "Agent Spoofing",
"count": 77,
"percentage": 0.4,
"confidence": 0.73,
"color": "#E9C46A",
"risk_level": "LOW",
"rank": 20
},
{
"id": "goal_redirection",
"name": "Goal Redirection",
"count": 76,
"percentage": 0.4,
"confidence": 0.876,
"color": "#F4A261",
"risk_level": "MEDIUM",
"rank": 21
},
{
"id": "memory_injection",
"name": "Memory Injection",
"count": 75,
"percentage": 0.4,
"confidence": 0.779,
"color": "#264653",
"risk_level": "LOW",
"rank": 22
},
{
"id": "multi_turn_or_crescendo",
"name": "Multi Turn Or Crescendo",
"count": 71,
"percentage": 0.4,
"confidence": 0.517,
"color": "#606C38",
"risk_level": "LOW",
"rank": 23
},
{
"id": "reasoning_manipulation",
"name": "Reasoning Manipulation",
"count": 56,
"percentage": 0.3,
"confidence": 0.751,
"color": "#BC6C25",
"risk_level": "LOW",
"rank": 24
},
{
"id": "rag_poisoning_or_context_bias",
"name": "Rag Poisoning Or Context Bias",
"count": 52,
"percentage": 0.3,
"confidence": 0.769,
"color": "#9B5DE5",
"risk_level": "LOW",
"rank": 25
},
{
"id": "identity_confusion",
"name": "Identity Confusion",
"count": 50,
"percentage": 0.3,
"confidence": 0.681,
"color": "#F15BB5",
"risk_level": "LOW",
"rank": 26
},
{
"id": "session_hijacking",
"name": "Session Hijacking",
"count": 41,
"percentage": 0.2,
"confidence": 0.574,
"color": "#00BBF9",
"risk_level": "LOW",
"rank": 27
},
{
"id": "data_exfil_user_content",
"name": "Data Exfil User Content",
"count": 41,
"percentage": 0.2,
"confidence": 0.807,
"color": "#D62828",
"risk_level": "MEDIUM",
"rank": 28
},
{
"id": "context_poisoning",
"name": "Context Poisoning",
"count": 17,
"percentage": 0.1,
"confidence": 0.808,
"color": "#8D99AE",
"risk_level": "MEDIUM",
"rank": 29
},
{
"id": "credential_theft_via_tool",
"name": "Credential Theft Via Tool",
"count": 16,
"percentage": 0.1,
"confidence": 0.654,
"color": "#6C757D",
"risk_level": "LOW",
"rank": 30
},
{
"id": "payload_splitting_or_staging",
"name": "Payload Splitting Or Staging",
"count": 14,
"percentage": 0.1,
"confidence": 0.59,
"color": "#E63946",
"risk_level": "LOW",
"rank": 31
},
{
"id": "policy_override_or_rewriting",
"name": "Policy Override Or Rewriting",
"count": 4,
"percentage": 0.0,
"confidence": 0.539,
"color": "#FF6B35",
"risk_level": "LOW",
"rank": 32
},
{
"id": "cross_agent_injection",
"name": "Cross Agent Injection",
"count": 1,
"percentage": 0.0,
"confidence": 0.933,
"color": "#457B9D",
"risk_level": "HIGH",
"rank": 33
}
],
"harm_categories": [
{
"id": "cybersecurity_or_malware",
"name": "Cybersecurity Or Malware",
"count": 16845,
"percentage": 98.6,
"trend": "up",
"description": "Cybersecurity and malware objectives rose from 71.3% to 98.6% of harm-classified detections (16,845 instances), near-total dominance within the harm taxonomy of the harm landscape. This +27.3 percentage-point increase reflects both the tool-layer attack pivot (which is inherently cybersecurity-classified) and the collapse of non-cybersecurity harm categories. The concentration indicates that March's threat population is overwhelmingly composed of technically sophisticated, security-focused adversaries rather than general-purpose content policy violators.",
"is_primary": true,
"previous_percentage": 71.3,
"previous_count": 25462
},
{
"id": "privacy_or_pii",
"name": "Privacy Or Pii",
"count": 160,
"percentage": 0.9,
"trend": "down",
"description": "Privacy and PII-targeted attacks declined from 3.3% to 0.9% (1,178 to 160 detections), a 86.4% drop in absolute volume. The decline correlates with the collapse of data exfiltration from 18.0% to 3.6%, as PII extraction frequently co-occurs with exfiltration techniques. The remaining 160 detections likely represent direct PII probing attempts independent of broader exfiltration campaigns.",
"is_primary": false,
"previous_percentage": 3.3,
"previous_count": 1178
},
{
"id": "violence_or_physical_harm",
"name": "Violence Or Physical Harm",
"count": 34,
"percentage": 0.2,
"trend": "down",
"description": "Violence and physical harm content dropped sharply from 8.0% to 0.2% (2,856 to 34 detections), a 98.8% decline in absolute volume. February's 8.0% share, which was the category's highest recorded level, appears to have been anomalous rather than trend-setting. The near-elimination of this category in March is consistent with the broader shift toward technically-focused cybersecurity attacks and away from content-policy violations.",
"is_primary": false,
"previous_percentage": 8.0,
"previous_count": 2856
},
{
"id": "cbrn_or_weapons",
"name": "Cbrn Or Weapons",
"count": 33,
"percentage": 0.2,
"trend": "stable",
"description": "CBRN and weapons content declined from 1.6% to 0.2% (571 to 33 detections), a 94.2% drop in absolute volume. Despite the sharp volume decline, this category retains zero-tolerance blocking status given the severity of potential harm. The low but persistent volume (33 detections across 215 deployments) suggests a baseline of automated probing rather than targeted adversary campaigns.",
"is_primary": false,
"previous_percentage": 1.6,
"previous_count": 571
},
{
"id": "misinformation_or_disinfo",
"name": "Misinformation Or Disinfo",
"count": 12,
"percentage": 0.1,
"trend": "stable",
"description": "Misinformation and disinformation generation declined from 0.6% to 0.1% (214 to 12 detections), a 94.4% drop in absolute volume. The category maintains a stable low presence at or below 1% across all three months of reporting. The minimal volume (12 detections across 215 deployments) represents negligible adversary investment in AI-mediated misinformation within the current threat landscape.",
"is_primary": false,
"previous_percentage": 0.6,
"previous_count": 214
},
{
"id": "hate_or_harassment",
"name": "Hate Or Harassment",
"count": 2,
"percentage": 0.0,
"trend": "down",
"description": "Hate speech and harassment generation collapsed from 6.0% to effectively 0% (2,142 to 2 detections), a 99.9% decline in absolute volume. February's 6.0% share appears to have been a transient spike. The near-total elimination of this category in March, combined with the parallel drops in violence (8.0% to 0.2%) and privacy (3.3% to 0.9%), confirms that non-cybersecurity harm categories have been displaced by technically-focused tool-layer attacks.",
"is_primary": false,
"previous_percentage": 6.0,
"previous_count": 2142
}
],
"emerging_threats": [
{
"id": "tool_or_command_abuse",
"name": "Tool/Command Abuse",
"is_new": false,
"percentage": 29.4,
"count": 5412,
"confidence": 0.874,
"risk_level": "HIGH",
"description": "Tool/command abuse doubled from 14.5% to 29.4% (+14.9pp), the largest single-month percentage-point shift of any family in the dataset's history. Raw detections held near-steady at 5,412 (vs. 5,189 in February) despite a 9.8% decline in total interactions, confirming that the share increase reflects genuine adversary reorientation rather than volume effects. The three dominant techniques, indirect injection via content (16.5%), tool chain abuse (15.1%), and tool/command injection (12.2%), collectively account for 43.8% of all technique classifications, confirming tool-layer exploitation as the primary adversary strategy across 215 active deployments. Detection confidence at 0.874 is the lowest among top families, reflecting the ongoing challenge of distinguishing malicious tool chaining from legitimate multi-step agent workflows.",
"patterns": [
"Indirect injection payloads delivered via content to trigger tool invocations",
"Tool chain escalation: read operations used to map capabilities before write/execute",
"Direct tool/command injection through unvalidated parameter fields",
"Capability probing across newly instrumented deployments"
],
"recommendation": "Enforce mandatory tool allowlists and call-sequence monitoring across all deployments. Require explicit re-authorisation when sessions transition from read to write/execute operations. Validate all tool parameters against typed schemas before execution. Apply content scanning to tool inputs to intercept indirect injection payloads.",
"badge_text": "GROWING",
"previous_percentage": 14.5,
"previous_count": 5189
},
{
"id": "privilege_escalation",
"name": "Privilege Escalation",
"is_new": false,
"percentage": 15.1,
"count": 2772,
"confidence": 0.883,
"risk_level": "HIGH",
"description": "Privilege escalation surged from 3.6% to 15.1% (1,287 to 2,772 detections), a 4x increase that marks the largest proportional growth of any existing threat family. This acceleration correlates directly with the 357% growth in active deployments (47 to 215), as adversaries systematically test permission boundaries across newly instrumented environments. Of 2,772 detections, 2,526 (91.1%) were classified as high-threat at 0.883 confidence, indicating mature, high-conviction exploitation techniques rather than exploratory boundary testing. The privilege escalation via tool technique achieved 0.999 confidence (352 detections), the highest of any individual technique, confirming tool-mediated escalation as a well-characterised and reliably detectable pattern. In February, privilege escalation was a stable second-stage technique; in March, it has become a primary attack objective in its own right.",
"patterns": [
"Systematic permission boundary testing across new deployments",
"Tool-mediated privilege escalation with near-perfect detection confidence",
"Mode switching and authority claim techniques targeting agent role boundaries",
"Compound attacks pairing privilege escalation with tool abuse"
],
"recommendation": "Implement per-session privilege ceilings with mandatory human-in-the-loop re-authorisation for write, delete, or execute operations. Monitor tool call sequences for cross-tool escalation patterns. Enforce strict role-based access controls and audit all permission grants across the expanded deployment base.",
"badge_text": "GROWING",
"previous_percentage": 3.6,
"previous_count": 1287
},
{
"id": "prompt_injection",
"name": "Prompt Injection",
"is_new": false,
"percentage": 13.1,
"count": 2401,
"confidence": 0.878,
"risk_level": "HIGH",
"description": "Prompt injection grew from 8.1% to 13.1% (+5.0pp), climbing to the #3 threat family position. The proportional increase occurred despite a slight decline in raw detections (2,891 to 2,401), reflecting the overall interaction decrease from 91,284 to 82,307. The critical tactical shift is the dominance of indirect injection via content as the primary delivery mechanism: this technique ranks #1 across all techniques at 16.5% (3,023 detections), confirming that content-borne payloads have displaced direct prompt manipulation as the primary injection vector. Instruction override declined to 7.1% (1,303 detections) from its previous #2 position, further evidencing the pivot to indirect delivery. Of 2,401 detections, 1,947 (81.1%) were classified as high-threat, maintaining the family's historically high severity profile.",
"patterns": [
"Indirect injection via content as the dominant delivery mechanism",
"Instruction override declining but persistent at 7.1%",
"Context/delimiter injection at 1.8% exploiting input preprocessing gaps",
"Encoding-assisted injection combining obfuscation with prompt manipulation"
],
"recommendation": "Scan all content ingestion pipelines for injection payloads; indirect injection via content at 16.5% is now the single most frequent attack technique. Enforce architectural isolation between system instructions and user-supplied content. Apply input normalisation before classification to intercept delimiter injection variants.",
"badge_text": "GROWING",
"previous_percentage": 8.1,
"previous_count": 2891
},
{
"id": "memory_poisoning",
"name": "Memory Poisoning",
"is_new": true,
"percentage": 2.4,
"count": 437,
"confidence": 0.839,
"risk_level": "MEDIUM",
"description": "Memory poisoning is a newly tracked category in March at 2.4% (437 detections, 0.839 confidence), representing a qualitatively new class of persistence-oriented attacks targeting stateful agent architectures. Adversaries inject malicious instructions into persistent memory stores, conversation histories, or context caches that survive session boundaries, enabling delayed-execution attacks that activate in future interactions. Of 437 detections, 399 (91.3%) were classified as high-threat, the highest proportion among the four new categories, indicating that memory poisoning attempts are overwhelmingly deliberate and high-conviction. The related memory injection technique (0.4%, 75 detections) and context poisoning technique (0.1%, 17 detections) confirm multiple delivery vectors targeting different persistence layers. This category is particularly concerning because poisoned memories can persist indefinitely if not detected at write time, creating a durable, time-shifted attack surface that conventional request-scoped detection cannot address.",
"patterns": [
"Malicious instruction injection into persistent memory stores",
"Context cache poisoning across session boundaries",
"Conversation history manipulation for delayed activation",
"Memory injection targeting specific future trigger conditions"
],
"recommendation": "Implement integrity validation for all agent persistent memory writes and scan memory store contents at session initialisation. Enforce memory retention policies with periodic re-validation. Deploy content classification on conversation history entries before they are used as session context.",
"badge_text": "NEW CATEGORY"
},
{
"id": "human_trust_exploit",
"name": "Human Trust Exploit",
"is_new": true,
"percentage": 0.8,
"count": 143,
"confidence": 0.879,
"risk_level": "MEDIUM",
"description": "Human trust exploit is a newly tracked category at 0.8% (143 detections, 0.879 confidence), capturing a class of attacks that weaponise human trust in AI-generated outputs. Rather than attacking the agent directly, adversaries manipulate agents into producing authoritative-looking outputs designed to deceive human operators: fabricated citations, false authority claims, manufactured urgency, and AI-generated social engineering content. Of 143 detections, 112 (78.3%) were classified as high-threat. The related social engineering content technique (1.0%, 180 detections) and role/persona manipulation technique (1.0%, 179 detections) confirm significant overlap with traditional social engineering adapted for AI-mediated communication channels. This category represents the intersection of AI security and human-factor security, a domain where detection must account for the downstream impact on human decision-making.",
"patterns": [
"Fabricated citations and authority claims in AI-generated outputs",
"Social engineering content adapted for AI-mediated communication",
"Role/persona manipulation to impersonate trusted entities",
"Manufactured urgency designed to bypass human critical review"
],
"recommendation": "Implement provenance markers on all AI-generated content. Train human operators to apply critical review to AI outputs. Deploy content verification for AI-generated claims involving authority, urgency, or credentials. Require human confirmation workflows for AI-recommended actions with material consequences.",
"badge_text": "NEW CATEGORY"
},
{
"id": "rogue_behavior",
"name": "Rogue Behaviour",
"is_new": true,
"percentage": 0.8,
"count": 139,
"confidence": 0.827,
"risk_level": "MEDIUM",
"description": "Rogue behaviour is a newly tracked category at 0.8% (139 detections, 0.827 confidence), capturing autonomous agent deviations that occur without external adversarial input. This family represents agents executing actions beyond their mandate, refusing safety constraints, or pursuing emergent goals not present in their original instructions. Of 139 detections, 98 (70.5%) were classified as high-threat. The related eval/guardrail evasion technique (0.4%, 82 detections) and reasoning manipulation technique (0.3%, 56 detections) indicate overlap with agents that learn to circumvent their own safety boundaries during multi-step execution. The 0.827 confidence, the second-lowest of any family, reflects the inherent difficulty of distinguishing intentional deviation from legitimate edge-case reasoning. This category is qualitatively distinct from adversarial attacks: the threat originates from the agent itself rather than an external attacker.",
"patterns": [
"Autonomous objective deviation without external manipulation",
"Safety constraint refusal during complex multi-step tasks",
"Emergent goal pursuit beyond original task specification",
"Guardrail evasion through adversarial self-reasoning"
],
"recommendation": "Implement runtime behaviour monitoring comparing agent actions against declared objective specifications. Set strict action boundaries and termination conditions for all autonomous agents. Deploy guardrail integrity monitoring. Maintain human oversight loops for any agent with write access to external systems.",
"badge_text": "NEW CATEGORY"
},
{
"id": "toxic_or_policy_violating_content",
"name": "Toxic/Policy Content",
"is_new": true,
"percentage": 0.4,
"count": 75,
"confidence": 0.712,
"risk_level": "LOW",
"description": "Toxic/policy content is a newly tracked category at 0.4% (75 detections, 0.712 confidence), capturing attempts to generate content that violates deployment-specific policies. This includes hate speech, harassment, explicit material, and other policy-violating outputs that fall outside the cybersecurity-focused threat families. Of 75 detections, 55 (73.3%) were classified as high-threat. The 0.712 confidence is the lowest of any family, reflecting the inherently subjective nature of policy boundaries and the challenge of applying universal classifiers to deployment-specific content rules. The related safety bypass harmful output technique (0.6%, 103 detections) confirms that policy-violating content generation typically requires safety filter circumvention as a prerequisite. The low volume (75 detections across 215 deployments) suggests this is a residual category in an overwhelmingly cybersecurity-focused threat landscape.",
"patterns": [
"Policy boundary testing with incremental escalation",
"Safety filter circumvention as a prerequisite for policy violation",
"Deployment-specific policy exploitation targeting weaker rules",
"Content policy violations via multi-turn escalation"
],
"recommendation": "Deploy deployment-specific content policy classifiers alongside general safety filters. Implement graduated response policies with flagging at lower confidence and blocking at higher thresholds. Maintain human review queues for borderline policy detections given the 0.712 confidence level.",
"badge_text": "NEW CATEGORY"
}
],
"recommendations": {
"audiences": [
{
"id": "security",
"label": "For Security Teams"
},
{
"id": "developers",
"label": "For AI Developers"
},
{
"id": "enterprise",
"label": "For Enterprises"
}
],
"items": [
{
"audience_id": "security",
"rank": 1,
"title": "Reprioritise Detection for Tool-Layer Attacks",
"points": [
"Tool/command abuse doubled to 29.4% (5,412 detections), now the single largest threat family. Update detection rule priorities to place tool-layer signatures at tier-1, ahead of traditional prompt injection and jailbreak rules",
"The top three attack techniques are all tool-related: indirect injection via content (16.5%, 3,023 detections), tool chain abuse (15.1%, 2,761 detections), and tool/command injection (12.2%, 2,239 detections). Detection rules must cover all three vectors",
"Privilege escalation surged 4x to 15.1% (2,772 detections) with 0.999 confidence on the privilege escalation via tool sub-technique. Auto-block on this signal with high confidence",
"Agent-capability-targeted attacks (tool abuse, privilege escalation, goal hijack, inter-agent) account for 29.9% of all detected threats. Treat agent security as the primary detection domain, not a secondary category"
]
},
{
"audience_id": "security",
"rank": 2,
"title": "Tune Confidence-Based Response Policies",
"points": [],
"policy_table": [
{
"action": "AUTO-BLOCK",
"level": "block",
"threshold": ">92% confidence: data exfiltration (0.925), agent goal hijack (0.894), privilege escalation (0.883)"
},
{
"action": "FLAG FOR REVIEW",
"level": "flag",
"threshold": "83-92% confidence: jailbreak (0.881), inter-agent (0.880), prompt injection (0.878), tool abuse (0.874)"
},
{
"action": "HUMAN REVIEW",
"level": "review",
"threshold": "<83% confidence: rogue behaviour (0.827), benign/FP (0.818), RAG/context (0.780), other (0.674)"
}
]
},
{
"audience_id": "security",
"rank": 3,
"title": "Monitor Four New Threat Categories",
"points": [
"Memory poisoning (2.4%, 437 detections) targets persistent agent state. Deploy write-time validation and periodic memory store scanning to detect delayed-execution payloads",
"Human trust exploit (0.8%, 143 detections) weaponises AI-generated outputs to deceive human operators. Implement provenance markers and content verification for AI claims involving authority or urgency",
"Rogue behaviour (0.8%, 139 detections) captures autonomous agent deviation without external adversarial input. Deploy runtime behaviour monitoring comparing agent actions against declared objectives",
"Toxic/policy content (0.4%, 75 detections) targets deployment-specific policies. The 0.712 confidence requires graduated response policies rather than binary block/allow decisions"
]
},
{
"audience_id": "developers",
"rank": 1,
"title": "Lock Down Tool-Calling Pipelines",
"points": [
"Tool abuse at 29.4% (5,412 detections) demands mandatory tool allowlists per agent session. Agents must declare required tools at initialisation and cannot invoke undeclared capabilities without re-authorisation",
"Implement call-sequence analysis to detect read-to-write-to-execute chains. Tool chain abuse at 15.1% (2,761 detections) confirms multi-step escalation as the dominant attack pattern",
"Validate all tool parameters against typed schemas before execution. Tool/command injection at 12.2% (2,239 detections) exploits unvalidated parameter fields in tool-calling interfaces",
"Apply content scanning to all tool inputs. Indirect injection via content at 16.5% (3,023 detections) delivers payloads through content that triggers tool invocations"
]
},
{
"audience_id": "developers",
"rank": 2,
"title": "Enforce Agent Permission Boundaries",
"points": [
"Privilege escalation surged 4x to 15.1% (2,772 detections), with 91.1% classified as high-threat. Implement per-session privilege ceilings enforced at the orchestration layer",
"Require explicit re-authorisation for any session transition from read-only to write, delete, or execute operations. The 357% deployment growth has expanded the permission surface",
"Privilege escalation via tool (0.999 confidence) is the most reliably detectable sub-technique. Deploy automated blocking for this specific signal with near-zero false positive risk",
"Monitor tool call sequences cross-tool for escalation patterns. Compound attacks pairing privilege escalation with tool abuse are a confirmed pattern from February's data"
]
},
{
"audience_id": "developers",
"rank": 3,
"title": "Protect Stateful Agent Architectures",
"points": [
"Memory poisoning at 2.4% (437 detections, 91.3% high-threat) targets persistent memory stores, conversation histories, and context caches. Validate all memory writes through the same classification pipeline used for user inputs",
"Scan memory store contents at session initialisation. Delayed-execution payloads persist across sessions and activate when specific trigger conditions are met in future interactions",
"Enforce memory retention policies with periodic re-validation. Poisoned memories that evade initial detection persist indefinitely in stateful architectures",
"Rogue behaviour at 0.8% (139 detections) indicates agents deviating without external adversarial input. Set strict action boundaries, termination conditions, and runtime behaviour monitoring for all autonomous agents"
]
},
{
"audience_id": "enterprise",
"rank": 1,
"title": "Reassess Agentic AI Risk Exposure",
"points": [
"Agent-capability-targeted attacks (tool abuse, privilege escalation, goal hijack, inter-agent) account for 29.9% of all detected threats (9,875 of 33,019). Treat agentic security as a dedicated risk category with its own budget, staffing, and oversight",
"The 357% growth in active deployments (47 to 215) has expanded the attack surface faster than security controls have scaled. Inventory every agentic deployment and classify by blast radius: agents with write access to data stores, code repositories, or external APIs require the strictest controls",
"Tool/command abuse at 29.4% and privilege escalation at 15.1% indicate that adversaries are targeting agent capabilities, not just model outputs. Security programmes focused solely on content safety are missing the primary threat vector",
"Four new threat categories (memory poisoning, human trust exploit, rogue behaviour, toxic/policy content) indicate ongoing adversary innovation. Monthly threat landscape reviews are now essential for maintaining accurate risk assessments"
]
},
{
"audience_id": "enterprise",
"rank": 2,
"title": "Update Detection Baselines for March",
"points": [],
"baseline_table": [
{
"environment": "Security Testing",
"rate": "35-55% threat rate, stable"
},
{
"environment": "Production (Agentic)",
"rate": "20-35% threat rate, revised up from 15-25%"
},
{
"environment": "Production (Chat/RAG)",
"rate": "5-15% threat rate, revised down from 10-20%"
},
{
"environment": "Development",
"rate": "0-5% threat rate, stable"
}
]
},
{
"audience_id": "enterprise",
"rank": 3,
"title": "Fund Agent Security Infrastructure",
"points": [
"The deployment base grew 357% in one month (47 to 215). Security infrastructure investment must scale proportionally. Tool allowlist enforcement, privilege management, and call-sequence monitoring are now operational necessities, not optional hardening",
"Memory poisoning (2.4%, 437 detections) introduces a persistence-layer attack surface that requires new security tooling: memory store validation, periodic re-scanning, and retention policy enforcement",
"The FP rate improved to 11.7% (from 13.9% in February, 16.7% in January), the third consecutive monthly improvement. Improved precision reduces SOC analyst burden and improves ROI on detection investments; continued tuning investment sustains this trajectory",
"The overall detection rate improved to 40.1% (from 39.1%) despite a 9.8% decline in interaction volume, validating that detection capacity is scaling effectively. Budget for continued layered detection infrastructure investment"
]
}
]
},
"model_performance": {
"overall_confidence": 0.916,
"high_threat_precision": 35.2,
"model_consistency": 0.864,
"uncertain_prediction_rate": 2.3,
"detection_layers": {
"l1_pattern_based": {
"name": "L1: Pattern-Based Detection",
"model": "Regex + heuristic rules",
"description_items": [
"Deterministic rule matching with sub-millisecond latency for known attack signatures",
"Covers encoding detection, known jailbreak patterns, and tool abuse signatures",
"Pre-filters inputs before L2 ML classification to reduce compute overhead",
"Pattern library expanded to cover tool chain abuse and privilege escalation signatures identified in March data"
]
},
"l2_ml_classification": {
"name": "L2: ML Classification",
"model": "gemma-5head-v3.2.1",
"description_items": [
"Gemma-based 5-head voting ensemble producing family, technique, and harm category classifications",
"Overall confidence: 0.916 with 2.3% uncertain prediction rate and 0.864 model consistency across 33,019 detections",
"High-threat precision: 35.2% of all scans classified as high-threat (14,363 of 82,307 interactions)",
"P50 latency: 627ms, P95: 777ms, P99: 3,607ms across the March evaluation window"
]
}
},
"framework_alignment": [
"MITRE ATLAS",
"OWASP LLM Top 10",
"NIST AI RMF"
],
"framework_badges": [
{
"name": "MITRE ATLAS",
"description": "Adversarial Threat Landscape for AI Systems",
"url": "https://atlas.mitre.org/"
},
{
"name": "OWASP LLM Top 10",
"description": "LLM Application Security Risks",
"url": "https://owasp.org/www-project-top-10-for-large-language-model-applications/"
},
{
"name": "NIST AI RMF",
"description": "AI Risk Management Framework",
"url": "https://www.nist.gov/artificial-intelligence/risk-management-framework"
}
]
},
"section_meta": {
"executive_summary": {
"number": "00",
"title": "Executive Summary",
"subtitle": "March 2026: tool-layer exploitation dominates as agent-targeted attacks reach 29.9%"
},
"key_findings": {
"number": "01",
"title": "Key Findings",
"subtitle": "Critical insights from 82,307 interactions across 215 deployments in March 2026"
},
"threat_families": {
"number": "02",
"title": "Threat Family Distribution",
"subtitle": "Tool abuse doubles to 29.4%, privilege escalation surges 4x, and four new categories emerge. Click any segment to explore"
},
"attack_techniques": {
"number": "03",
"title": "Attack Technique Frequency",
"subtitle": "Indirect injection via content claims the #1 rank at 16.5%, followed by tool chain abuse at 15.1%. Hover for confidence scores"
},
"harm_categories": {
"number": "04",
"title": "Harm Category Analysis",
"subtitle": "Cybersecurity and malware objectives account for 98.6% of harm-classified detections (16,845 of 17,086). All non-cybersecurity categories declined sharply"
},
"emerging_threats": {
"number": "05",
"title": "Emerging Threats",
"subtitle": "Three accelerating vectors (tool abuse, privilege escalation, prompt injection) and four new categories (memory poisoning, human trust exploit, rogue behaviour, toxic/policy content)"
},
"recommendations": {
"number": "06",
"title": "Recommendations",
"subtitle": "Priority actions for security teams, developers, and enterprises based on March threat data"
},
"methodology": {
"number": "07",
"title": "Methodology",
"subtitle": "How RAXE detects and classifies threats across 215 deployments"
},
"intelligence_services": {
"number": "08",
"title": "Enterprise Intelligence Services",
"subtitle": "AI security consulting, threat intelligence, and agent runtime protection"
}
},
"methodology": {
"data_collection": "Telemetry collected from 215 unique RAXE sensor deployments across production, staging, and security testing environments during the full 31-day period of March 2026 (1 March through 31 March). The dataset comprises 82,307 agent interactions producing 33,019 threat detections. All data is collected in real time via the RAXE sensor SDK, transmitted over encrypted channels, and stored in BigQuery with partition-level access controls. No user content is retained beyond the classification pipeline; only structured threat metadata (family, technique, harm category, confidence scores, and classification tier) is persisted for analysis.",
"analysis_approach": "Threat classification uses a two-layer detection architecture. L1 (pattern-based) applies deterministic regex and heuristic rules for known attack signatures with sub-millisecond latency. L2 (ML classification) uses the gemma-5head-v3.2.1 multilabel classifier, a Gemma-based 5-head voting ensemble that produces family, technique, and harm category classifications with per-prediction confidence scores. Overall model confidence for March reached 0.916 with a 2.3% uncertain prediction rate and 0.864 model consistency. Classification taxonomy aligns with MITRE ATLAS, OWASP LLM Top 10 (2025), and NIST AI RMF frameworks. Month-over-month comparisons reference the February 2026 baseline of 91,284 interactions, 35,711 threats, 39.1% detection rate, and 47 deployments.",
"limitations": "Detection rates reflect RAXE sensor coverage and are not a census of all AI threats in production. The 357% deployment growth (47 to 215) significantly expands coverage breadth but introduces composition effects: the threat distribution may partially reflect the security posture and usage patterns of newly instrumented environments rather than changes in adversary behaviour alone. Confidence scores represent model self-assessment and are validated against human review samples but are not independently audited. The four new threat categories (memory poisoning, human trust exploit, rogue behaviour, toxic/policy content) lack prior-month baselines, limiting trend analysis to absolute volume for these families. The benign/FP category at 11.7% represents the residual false positive rate; actual threat volume may be lower than reported by this proportion.",
"policy_baselines": [
{
"framework": "OWASP LLM Top 10 (2025)",
"mapping": "LLM01 (Prompt Injection), LLM02 (Insecure Output), LLM04 (Data Poisoning), LLM07 (Excessive Agency)"
},
{
"framework": "MITRE ATLAS",
"mapping": "AML.T0051 (Prompt Injection), AML.T0054 (LLM Jailbreak), AML.T0056 (Indirect Prompt Injection)"
},
{
"framework": "NIST AI RMF",
"mapping": "MAP 1.5 (AI Actor Risks), MEASURE 2.6 (Adversarial Testing), MANAGE 2.4 (Risk Response)"
}
]
},
"previous_month": {
"report_id": "TI-2026-M02",
"month_name": "February",
"total_interactions": 91284,
"total_threats": 35711,
"detection_rate": 39.1,
"high_confidence_rate": 93.4
}
}