I built a benchmark for multi-turn prompt injection attacks. Most defenses never see them coming.
I built a benchmark for multi-turn prompt injection attacks. Most defenses never see them coming.

I built a benchmark for multi-turn prompt injection attacks. Most defenses never see them coming.

Most prompt injection benchmarks are one-shot. The attack says “ignore your instructions” and the defense either catches it or doesn’t.

Real attacks are often slower. The model gets nudged over multiple turns. A webpage plants a suggestion. An email reinforces it. A tool output reframes it. Five turns later the agent is doing something it never should have done.

I got curious how existing defenses handled this, so I built a benchmark around multi-turn escalation and cross-source authority transfer.

The interesting part wasn’t the attacks themselves. It was how hard it is to attribute trust correctly across sources and over time.

I open sourced the benchmark, the proxy, and a live red team environment so people can reproduce the results themselves.

Repo: https://github.com/9hannahnine-jpg/arc-gate

Live demo: https://web-production-6e47f.up.railway.app/demo

Would love people to try breaking it. If you find a bypass I’ll add it to the benchmark.

submitted by /u/Turbulent-Tap6723
[link] [comments]