DREAM: Dynamic Red-teaming across Environments for AI Models

TL;DR

DREAM introduces a dynamic, multi-stage evaluation framework for LLM agents, revealing significant vulnerabilities to adaptive attacks across diverse environments and highlighting areas for improving safety measures.

Contribution

We develop DREAM, a novel framework utilizing a cross-environment knowledge graph and contextual policy search to systematically evaluate LLM vulnerabilities to multi-stage, adaptive attacks.

Findings

Over 70% attack success rate on most models

Identified weaknesses: contextual fragility and long-term intent tracking

Traditional safety prompts are ineffective against multi-stage attacks

Abstract

Large Language Models (LLMs) are increasingly used in agentic systems, where their interactions with diverse tools and environments create complex, multi-stage safety challenges. However, existing benchmarks mostly rely on static, single-turn assessments that miss vulnerabilities from adaptive, long-chain attacks. To fill this gap, we introduce DREAM, a framework for systematic evaluation of LLM agents against dynamic, multi-stage attacks. At its core, DREAM uses a Cross-Environment Adversarial Knowledge Graph (CE-AKG) to maintain stateful, cross-domain understanding of vulnerabilities. This graph guides a Contextualized Guided Policy Search (C-GPS) algorithm that dynamically constructs attack chains from a knowledge base of 1,986 atomic actions across 349 distinct digital environments. Our evaluation of 12 leading LLM agents reveals a critical vulnerability: these attack chains succeed in over 70% of cases for most models, showing the power of stateful, cross-environment exploits. Through analysis of these failures, we identify two key weaknesses in current agents: contextual fragility, where safety behaviors fail to transfer across environments, and an inability to track long-term malicious intent. Our findings also show that traditional safety measures, such as initial defense prompts, are largely ineffective against attacks that build context over multiple interactions. To advance agent safety research, we release DREAM as a tool for evaluating vulnerabilities and developing more robust defenses.