Most prompt injection benchmarks are one-shot. The attack says “ignore your instructions” and the defense either catches it or doesn’t.
Real attacks are often slower. The model gets nudged over multiple turns. A webpage plants a suggestion. An email reinforces it. A tool output reframes it. Five turns later the agent is doing something it never should have done.
I got curious how existing defenses handled this, so I built a benchmark around multi-turn escalation and cross-source authority transfer.
The interesting part wasn’t the attacks themselves. It was how hard it is to attribute trust correctly across sources and over time.
I open sourced the benchmark, the proxy, and a live red team environment so people can reproduce the results themselves.
Repo: https://github.com/9hannahnine-jpg/arc-gate
Live demo: https://web-production-6e47f.up.railway.app/demo
Would love people to try breaking it. If you find a bypass I’ll add it to the benchmark.
[link] [comments]