Not a hypothetical. This is the default state of most autonomous agents running in production right now.
An attacker doesn’t send one suspicious message. They have a conversation. Turn 1 looks like curiosity. Turn 3 looks like clarification. Turn 6 is the pivot. Turn 8 is the payload, and by then the agent has been so thoroughly primed that it executes without hesitation.
No single message triggered anything. The attack lived in the trajectory.
Every prompt injection defense I know of evaluates messages one at a time. They have no memory of what came before. By the time turn 8 arrives, the context has already been poisoned across 7 clean-looking turns and nothing fires.
This isn’t a theoretical attack. It’s called a Crescendo attack and it works against agents with real tool access right now.
Built Bendex Arc to catch it. It tracks behavioral trajectory across the full session. When a conversation starts drifting adversarially, it catches the pattern before the payload lands.
If you’re running agents that touch external data, read emails, browse websites, or call tools without human review — this is the attack you should be thinking about.
Red team it yourself: https://web-production-6e47f.up.railway.app/demo
Free tier: https://bendexgeometry.com
[link] [comments]