Securing LLM Agent Teams: Inside NRT-Defense v0.4.0
Securing LLM Agent Teams: Inside NRT-Defense v0.4.0 Multi-turn autonomous LLM agents are expanding rapidly in safety-critical systems. However, a major vulnerability has been exposed by Lee et al. (2026) in the NRT-Bench paper : adaptive multi-turn attacks can exploit disjoint model vulnerabilities, causing a 8.7% to 12.1% loss of Critical Safety Functions (CSFs) . To solve this, I am open-sourcing NRT-Defense , an adaptive multi-turn defense framework designed to monitor agent sessions and reduce the attack success rate to <1% . The Threat: Context Drift and Disjoint Exploits Standard guardrails evaluate prompts in isolation (single-turn). Attackers leverage this by spreading an exploit across multiple conversational turns. Turn by turn, the context drifts until the agent team completely bypasses its safety containment. The NRT-Bench paper demonstrated this in a simulated nuclear power plant control room with 5 operator roles, 4 attack channels, and 6 critical safety functions. The results were alarming: Metric Value Attack success rate 8.7% — 12.1% Sessions analyzed 149 Models tested 4 frontier LLMs Vulnerability overlap Nearly disjoint The key finding: vulnerabilities are nearly disjoint across models . An attack that works against GPT-4 may not work against Claude. This means model diversity is itself a defense — but only if you can detect and respond to attacks in real-time. The Solution: 3-Step CMPE Defense nrt-defense neutralizes this threat through a continuous, multi-component pipeline: Per-Turn Message Analysis: Evaluates channel risk and turn-escalation metrics. Each message is scored for adversarial content using keyword detection, pattern matching, and channel-specific risk weights. Real-Time CSF Monitoring: Tracks 6 operational critical safety functions simultaneously. Risk accumulates over turns and triggers alerts when thresholds are breached. Context-Aware Misdirection Prompt Engineering (CMPE): When an anomaly is detected, instead of a blunt reject