Lab

Agent Attack Chain Visualizer

Step-by-step visualization of multi-tool agentic exploits with toggleable defenses.

JavaScript Required

The Agent Attack Chain Visualizer requires JavaScript to run in your browser. Please enable JavaScript to use this tool.

Educational security demonstration

Simulated agent interactions showing how multi-tool agentic exploits progress. No real tool calls are made - this is a pure visualization of attack concepts.

What this is

A visual walkthrough of how agentic AI systems can be exploited through multi-step attack chains, from initial injection through tool abuse to data exfiltration or privilege escalation.

What you'll learn

How prompt injections propagate through tool chains
Why unrestricted tool access creates attack surfaces
How defenses like sandboxing, DLP, and I/O separation work

Attack Scenario

Select an attack scenario to see how a compromised agent chain unfolds.

Data Exfiltration

An agent reads a malicious email containing hidden instructions, then uses its available tools to query a customer database and exfiltrate the results via email.

Attack Chain

Full attack progression from initial injection to impact.

Step 1

Waiting...

Step 2

Waiting...

Step 3

Waiting...

Step 4

Waiting...

Step 5

Waiting...

Stage 0 of 5

Current Step

Waiting to start

Click "Play Chain" to step through the agent attack chain, or use "Step" to advance one stage at a time.

Agent State

Tools Available --

Current Context --

Permissions --

Shows the agent's runtime state at each step of the attack chain.

Agent Action Log

Agent Reasoning

// Agent action log will appear here during the attack chain

Defense Mechanisms

Enable mitigations to see how they block the agent exploit at different stages.

All defenses off

Tool Sandboxing

Restrict tool access to declared scope

Capability-based

Blocks at: varies

Output Filtering

Scan tool outputs for sensitive data

DLP rules

Blocks at: varies

Permission Boundaries

Require explicit grants per tool

Least privilege

Blocks at: varies

I/O Separation

Isolate untrusted input from tool arguments

Taint tracking

Blocks at: varies

Understanding the Attack

Why Agent Chains Are Vulnerable

Agentic AI systems combine language models with tool access, creating a bridge between natural language and real-world actions. When an agent processes untrusted input and has access to powerful tools, prompt injection can escalate from text manipulation to actual system compromise.

The Confused Deputy Problem

The agent acts as a deputy with legitimate access to tools and data. An attacker exploits this trust relationship by injecting instructions that cause the agent to misuse its own privileges - the agent becomes a confused deputy acting on behalf of the attacker.

Defense in Depth for Agents

No single defense is sufficient. Tool sandboxing limits blast radius, output filtering catches data leaks, permission boundaries enforce least privilege, and I/O separation prevents untrusted data from being interpreted as instructions. Layering these controls creates meaningful resistance.

Real-World Impact

As AI agents gain access to email, databases, APIs, and file systems, the attack surface grows dramatically. Indirect prompt injection through documents, emails, and web pages can trigger multi-step attacks that cross trust boundaries and affect multiple systems.

Keyboard shortcuts

Space Play / Pause chain
→ Step forward
R Reset chain
1-4 Toggle defense (Sandbox, Output Filter, Permissions, I/O Separation)
S Cycle scenario

Security model (30 seconds)

This tool runs entirely in your browser. No real agent interactions occur, no tool calls are made, and no data leaves your machine. This is a pure visualization of agentic attack concepts for educational purposes.