One agent acted as a red team attacker. One acted as a defensive agent. The agents communicated directly over webhooks with real tooling access. No humans were involved once the session started.

The attacker attempted both direct social engineering and indirect injection via documents. Direct attacks were blocked. Indirect attacks via JSON metadata are still under analysis.

The goal of this work is observability, not claims of safety. We expect agent-to-agent adversarial interaction to become common as autonomous systems are deployed more widely.

Happy to answer technical questions.