AI agents can now run complex cyberattacks on their own: given a foothold, the strongest models can escalate privileges and exfiltrate data within minutes. Canaries - decoy resources we plant to catch intruders - reliably spot these agents in the act, but spotting an attack isn't the same as stopping it.
So we tried something more ambitious: a context bomb - a short string, hidden in a canary, that trips an AI agent's safety guardrails and stops it in its tracks.
context bomb · n. · a short piece of text designed to trigger safety guardrails in offensive AI agents, placed directly in the path of their attack
Across five leading models, planting one context bomb in a canary secret cut agent success by roughly 90%:
Compared with baseline environment · see the full scorecard ↓
A unique aspect of canaries - or decoy resources - is that they aren’t just passive detections: they actually change the environment in which the attacker operates. This presents the opportunity to affect an attacker’s behavior while also detecting their presence. Against humans, we might try to distract them from real resources or confuse them. Those ideas can still apply to AI agents, but agents are both fast and persistent in their explorations and don’t stay distracted for long. We want to leverage the characteristics of agents against themselves when designing our canaries.
We can look to threat actors for inspiration. In 2025, Check Point reported malware carrying a prompt injection aimed at any AI tool inspecting it, insisting the sample was benign. Socket described a related trick seen in the wild: strings written specifically to trigger an LLM's safety refusals.
A context bomb is simply a string crafted to provoke that refusal for benign reasons rather than malicious ones. The defender plants it, and when the model or model provider encounters it, safety mechanisms are triggered which stops the agent from proceeding.
The topics that work in context bombs are not surprising, and there are ready-made collections to draw inspiration from such as NVIDIA's Aegis dataset and Promptfoo's CCP sensitive prompts.
We set ourselves two constraints in the hunt for context bombs. We wanted material considered unsafe, but not completely deplorable - strings we could get comfortable with placing in our own environment. And we largely avoided cyber-related content, for the simple reason that any agent which has already found the bomb has demonstrated it will happily conduct cyber activity anyway.
We've published our latest Context Bombs on GitHub for everyone's use. We'll push the latest updates as we discover more strings and test more models.
View the Context Bombs→
A context bomb has to work under real-world conditions, and those are complex. In a bare, single-shot prompt, the unsafe content is most of what the model sees. In a real autonomous attack the model has usually accumulated tens of thousands of tokens of context before it ever reads the bomb, so the same string arrives heavily diluted.
Our goal was not to flood a model with pages of dubious content. We wanted strings potent enough to work in isolation, yet short enough to fit the places an offensive agent enumerates: secret stores, environment variables, DNS records, database columns.
To find them, we built a fuzzer that runs an agent inside a small simulated AWS environment and sets it routine DevOps tasks that would lead it to discover the strings within resources. This lets us screen many candidates cheaply in a realistic scenario before promoting the best ones to the full cyber range:
We classify each run's progress into a tier as a measure of its impact. T1 is the most severe, T5 the least. This approach was inspired by the work of exploitbench.ai.
The range is seeded with misconfigurations that open ten different attack paths, so a model can demonstrate a range of offensive techniques. Different paths require different levels of sophistication to exploit.
We tested model performance in a baseline environment containing no canaries, and in a bombed environment containing a canary with a Context Bomb. The context bombs had a significant impact in stopping the AI attackers from reaching their objectives.
| Model | Baseline | Bombed | Change |
|---|
Sensitive biological content stopped the leading Western models. Politically sensitive content stopped Chinese models served by Chinese providers. That can be useful: it lets a defender aim the effect at the models they care about.
Depending on where an agent focuses its attention first, it might still complete one or two less-impactful Tier 4 or Tier 5 actions. The more significant attacks - those classified as Tier 1 or Tier 2, nearly always lead the agents to explore the environment enough to trigger a context bomb. In the context bomb environment, no model achieved a median result higher than Tier 4.
Opus 4.8 and Gemini 3.1 Pro were the most capable attackers in the baseline range, yet both dropped to 0% admin once a context bomb was in play. Kimi was least effective of the models tested at reaching Admin, while also being least affected by context bombs (though they were still quite effective!)
Whether the context bomb stopped the run or not, there wasn't a single run which succeeded in exploiting an attack path without raising a canary alert.
A canary context bomb can do more than warn you that an AI attack has begun; it can stop the attack outright. It won't stop everything, but it has real potential to frustrate and hinder attackers using autonomous AI agents.
Tracebit deploys canaries across your AWS, GCP, Azure, endpoints, SaaS and CI/CD, the same
decoys we used in this research.
You can have canaries deployed in as little as 30 minutes.