Stateful Online Monitoring Catches Distributed Agent Attacks

Abstract: LLMs can find thousands of severe software vulnerabilities, and agents are increasingly being misused for cyberattacks. To avoid detection, attackers frequently distribute their misuse, splitting a harmful task across many user accounts so each individual transcript looks benign. Because safety monitors score only one agent context at a time, they are structurally blind to misuse that is only visible in aggregate, across many accounts. We show this gap is real by building, to our knowledge, the first distributed agent attack, a multi-agent scaffold that completes hard cybersecurity tasks while hiding the harmful objective across subagents with limited contexts, evading a standard monitor that catches it only a fifth as often as prior agent attacks. Towards a defense, we develop an online stateful monitor that uses real-time clustering to collect weak suspiciousness signals across many agent transcripts, and escalates only rarely to a LLM that flags misuse across user accounts. In evaluations with large-scale simulated datacenter traffic, our monitor Pareto dominates standard monitors, catching distributed attacks 30% earlier and flagging cyber misuse before it reaches the most harmful stages. Crucially, this comes at negligible additional latency for ~99% of user traffic. This detection advantage persists but narrows as the benign background traffic grows very large. After an extensive red-teaming exercise, we improve the defense and surprisingly also find that it catches standard jailbreaks, since adaptive attackers reuse attack variants across accounts. Our results point toward a new class of safety monitors which reason over groups of users rather than isolated transcripts.

• The paper presents the first systematic evaluation of distributed agent attacks and introduces a novel stateful monitoring solution for real-time detection.
• It leverages semantic embeddings and online clustering to aggregate weak signals across multiple sessions, overcoming limitations of per-session monitors.
• Experimental results show improved recall (81.1–87.2%) and faster detection with minimal added latency, highlighting its scalability for AI safety.

Stateful Monitoring for Distributed Agent Attacks: Technical Summary

Motivation and Problem Statement

The proliferation of agentic and autonomous LLM-based systems has introduced novel attack vectors in which adversaries distribute a single harmful objective across multiple user accounts or agent sessions. Conventional safety monitors, which operate on localized agent contexts without cross-session state, are structurally unable to detect such distributed attacks where each component interaction appears benign in isolation. The paper "Stateful Online Monitoring Catches Distributed Agent Attacks" (2605.31593) rigorously investigates this adversarial paradigm, introduces the first systematic distributed agent attack evaluation, and proposes an online stateful monitoring architecture designed for real-time aggregation of weak signals of misuse across large-scale agent deployments.

Figure 1: Standard per-session monitors are blind to multi-account distributed misuse; only by aggregating evidence across contexts is detection possible.

Distributed Agent Attack Formulation and Empirical Evasion

The core adversarial model presented decomposes a high-severity cybersecurity objective into semantically weak subtasks, executed in parallel across many agents or user accounts. The authors formally implement these distributed attacks by augmenting ARTEMIS-style scaffolds with an orchestrator/supervisor that decomposes, delegates, and later aggregates subtask outputs. Each subagent receives a context that is intentionally obfuscated—framed as a benign or neutral engineering task. Notably, the full harmful objective only becomes apparent when outputs are programmatically recombined.

Figure 2: Distributed agent attacks evade detection much longer and with far lower recall using standard monitors, compared to prior decomposition or jailbreaking strategies.

Empirical evaluation demonstrates that classical monitors (e.g., per-prompt LLM-based classifiers) catch distributed agent attacks only 20% as often as prior agent attacks at comparable false positive rates. Additionally, distributed attacks achieve double the number of malicious steps before being detected, and, on challenging Cybench tasks, a weak orchestrator model (gpt-oss-120b, $0\%$ success alone) when supervising gpt-5.2 subagents achieves 36.7–40.0% task completion rate, confirming these attacks are not just evasive but operationally capable.

Online Stateful Monitoring Architecture

The proposed defense is an online stateful monitor that leverages cross-session clustering in semantic embedding space to maintain a running, low-latency summary of related agent contexts. For every incoming agent action, the monitor (1) computes a suspiciousness score locally, (2) embeds the request, (3) clusters this embedding against live cluster centroids, and (4) conditionally triggers a cross-context monitor when clusters accumulate sufficient aggregate suspicion.

Figure 3: The online stateful monitor processes agent queries at scale, embedding and clustering contexts, and only escalating likely distributed misuse to compute-intensive cross-context LM review.

This design addresses three crucial constraints:

• Extreme class imbalance: Benign agent actions vastly outnumber malicious ones, so stateful aggregation must not overwhelm system capacity or incur prohibitive latency.
• Real-time detection: The architecture is optimized for streaming, using efficient online clustering (as opposed to batch re-clustering), and scales near-linearly in the number of clusters.
• Sparse escalation: Cross-context LM monitoring is invoked only when accumulated evidence justifies the high cost; $\sim$99% of user requests incur negligible additional latency over the baseline.

  Figure 4: Per-request latency remains near baseline for the majority of traffic with the online stateful monitor, validating system scalability.

Experimental Results

Precision-Recall and Detection Timeliness

Systematic experiments on mixed streams of simulated agent traffic and real distributed attack insertions show that the stateful monitor substantially outperforms standard monitors under a range of benign-to-malicious session ratios ($10$x and $100$x background). Notably, at $10$x benign/malicious, the stateful monitor achieves 81.1–87.2% recall at 2.35–3.09% FPR compared to 75.0% recall at 2.72% FPR for the standard monitor. At the $100$x regime, recall remains robust at 65.8% versus baseline's 55% at comparable FPR.

Figure 5: Stateful monitoring achieves improved precision-recall tradeoffs, showing Pareto dominance over local-monitor baselines for distributed cyber misuse.

Regarding time-to-detection, statefulness delivers earlier intervention in the attack trajectory. At $100$x background, the 99th percentile of harmful attacker steps before detection (TTD$_{99}$) falls from 37.2 (standard) to 25.4 (stateful) at higher recall and lower FPR, reflecting timely disruption of attack progression.

Figure 6: The stateful monitor detects attacks with fewer benign user disruptions and earlier in the attack lifecycle compared to standard monitoring.

System Scalability

Empirical measurements of routing cost and state maintenance confirm that clustering/embedding operations scale linearly with the number of clusters, tracking analytic predictions. Crucially, the vast majority of requests do not pay the cost of cross-context LM inference, preserving operational efficiency for real-time deployments.

Redteaming Insights and Generalization Beyond Distributed Attacks

Sustained white-box redteaming—$\sim$100,000 attacks across 2,985 sessions—identified critical failure modes (e.g., attack subtask paraphrasing, cluster contamination). Algorithmic refinements were incorporated to reduce cross-cluster splitting and control cluster memory-induced FPR. Notably, adaptive jailbreakers—who reuse or adapt attack patterns across sessions/accounts—were also more likely to be detected by the stateful monitor, even when the defense was not explicitly designed for non-distributed attacks.

Figure 7: Distinct redteaming attack families emerge as high-purity clusters in embedding space, validating semantic clustering as a retrieval strategy.

Figure 8: Detection rates increase as distributed malicious activity accumulates across sessions, but not simply with lengthening of a single session—highlighting stateful aggregation’s unique contribution.

This generalization underscores the applicability of cross-account/session stateful safety monitoring to a wider threat landscape: attackers, even when executing jailbreak attempts, often leave detectable traces via pattern reuse across context boundaries.

Implications and Future Directions

The introduction and evaluation of online stateful monitoring constitutes a practical step towards closing the architectural gap in agentic AI safety, particularly under highly distributed, low-salience adversarial objectives. Strong claims include:

• Architectural limitation of standard monitors: Anything scoring only isolated agent contexts is structurally incapable of catching distributed misuse with high recall.
• High-capability, evasive attacks are feasible: Multi-agent orchestration, even directed by a weak supervisor, enables nontrivial solving rates on challenging cybersecurity task sets while evading per-session detection.
• Online clustering and sparse escalation balance recall, precision, and system latency: The proposed methods maintain effectiveness and scalability under strong class imbalance.
• Cross-session stateful monitoring delivers nontrivial gains against both distributed agent attacks and adaptive jailbreaks.

Future developments may focus on improved embedding models for attack pattern matching, hierarchical/memory-optimized clustering algorithms, integration with RL-based defender-agent systems, and extension to other risk surfaces (e.g., misinformation campaigns, coordinated financial fraud). Further, as attackers become more sophisticated in obfuscating cross-session signal, exploration of more advanced reasoning (e.g., sequence models, anomaly detection in traffic topology) may be warranted.

Conclusion

Distributed agent attacks present a fundamental challenge to per-context LLM safety monitoring by splitting a harmful objective into benign-appearing subtasks across many users or sessions. The work demonstrates that online stateful monitors leveraging real-time clustering in embedding space can bridge this detection gap, delivering improved recall and earlier detection without sacrificing traffic latency for benign users. These methods additionally extend to detecting adaptive jailbreak campaigns, further underscoring the breadth of the approach’s applicability. Overall, the research directs the field toward population-level, cross-session reasoning as a core primitive in AI safety monitoring architectures.