Introduction

Code agents are AI systems that can generate high-quality code and work smoothly with code interpreters. These capabilities help streamline complex software development workflows, which has led to their widespread adoption.

However, this progress also introduces critical safety and security risks. Existing static safety benchmarks and red-teaming methods—in which security researchers simulate real-world attacks to identify security vulnerabilities—often fall short when evaluating code agents. They may fail to detect emerging real-world risks, such as the combined effects of multiple jailbreak tools. In the context of code, effective red-teaming requires more than simply checking whether the target code agent rejects unsafe requests. Instead, the agent must generate and execute correct code that performs the intended risky functionality, making it essential to evaluate execution behaviors beyond static code analysis. 

To address these challenges, researchers from the University of Chicago, University of Illinois Urbana–Champaign, VirtueAI, the UK AI Safety Institute, University of Oxford, UC Berkeley, and Microsoft Research recently proposed RedCodeAgent, the first fully automated and adaptive red-teaming agent designed specifically to evaluate the safety of large language model (LLM)-based code agents.

Comprehensive experimental results demonstrate the effectiveness and efficiency of RedCodeAgent across (1) diverse Common Weakness Enumeration (CWE) vulnerabilities and malware types, (2) multiple programming languages—including Python, C, C++, and Java—and (3) a wide range of code agents, such as OpenCodeInterpreter, ReAct, MetaGPT, and commercial agents like Cursor and Codeium. RedCodeAgent also uncovers common vulnerabilities across agents such as generating and executing unsafe code, exposes variations in red-teaming difficulty across goals, identifies frequently triggered attack tools, and detects previously unknown vulnerabilities that all other baseline methods overlook. 

Framework for automatic red-teaming against code agents

As shown in Figure 1, RedCodeAgent is equipped with a memory module that accumulates successful attack experiences, enabling the system to continuously learn and adapt its attack strategies. After learning from the previous experiences, RedCodeAgent further leverages a tailored toolbox that combines representative red-teaming tools with a specialized code substitution module, enabling realistic and diverse code-specific attack simulations through function calling. Based on the target agent’s responses across multiple interactive trials, RedCodeAgent optimizes its strategies, systematically probing for weaknesses and vulnerabilities in real time. 

In the evaluation phase, RedCodeAgent integrates simulated sandbox environments to enable code execution and assess the impact of the resulting behaviors. This sandbox-based evaluation ensures a more robust assessment of harmful behaviors and addresses the potential biases of previous static methods that rely solely on “LLM-as-a-judge” evaluations.

A case study is shown in Figure 2. Initially, RedCodeAgent discovers that the request was rejected, then RedCodeAgent calls the Greedy Coordinate Gradient (GCG) algorithm to bypass the safety guardrail. After the second request was rejected by the code agent, RedCodeAgent invoked both Code Substitution and GCG to optimize the prompt. Ultimately, RedCodeAgent successfully combined the suggestion from Code Substitution (i.e., using pathlib) with the adversarial suffix generated by GCG, making the target code agent delete the specified file.

Insights from RedCodeAgent 

Experiments on diverse benchmarks show that RedCodeAgent achieves both a higher attack success rate (ASR) and a lower rejection rate, revealing several key findings outlined below.

Using traditional jailbreak methods alone does not necessarily improve ASR on code agents

The optimized prompts generated by GCG, AmpleGCG, Advprompter, and AutoDAN do not always achieve a higher ASR compared with static prompts with no jailbreak, as shown in Figure 3. This is likely due to the difference between code-specific tasks and general malicious request tasks in LLM safety. In the context of code, it is not enough for the target code agent to simply avoid rejecting the request; the target code agent must also generate and execute code that performs the intended function. Previous jailbreak methods do not guarantee this outcome. However, RedCodeAgent ensures that the input prompt has a clear functional objective (e.g., deleting specific sensitive files). RedCodeAgent can dynamically adjust based on evaluation feedback, continually optimizing to achieve the specified objectives.

RedCodeAgent exhibits adaptive tool utilization 

RedCodeAgent can dynamically adjust its tool usage based on task difficulty. Figure 4 shows that the tool calling combination is different for different tasks. For simpler tasks, where the baseline static test cases already achieve a high ASR, RedCodeAgent spends little time invoking additional tools, demonstrating its efficiency. For more challenging tasks, where the baseline static test cases in RedCode-Exec achieve a lower ASR,we observe that RedCodeAgent spends more time using advanced tools like GCG and Advprompter to optimize the prompt for a successful attack. As a result, the average time spent on invoking different tools varies across tasks, indicating that RedCodeAgent adapts its strategy depending on the specific task. 

RedCodeAgent discovers new vulnerabilities

In scenarios where other methods fail to find successful attack strategies, RedCodeAgent is able to discover new, feasible jailbreak approaches. Quantitatively, we find that RedCodeAgent is capable of discovering 82 (out of 27*30=810 cases in RedCode-Exec benchmark) unique vulnerabilities on the OpenCodeInterpreter code agent and 78 on the ReAct code agent. These are cases where all baseline methods fail to identify the vulnerability, but RedCodeAgent succeeds.

Summary

RedCodeAgent combines adaptive memory, specialized tools, and simulated execution environments to uncover real-world risks that static benchmarks may miss. It consistently outperforms leading jailbreak methods, achieving higher attack success rates and lower rejection rates, while remaining efficient and adaptable across diverse agents and programming languages.

Opens in a new tab

The post RedCodeAgent: Automatic red-teaming agent against diverse code agents appeared first on Microsoft Research.

The busier security teams get, the harder it can be to understand the full impact of false positives, queue clutter, tool fragmentation, and more. But what is clear—it all adds up to increased fatigue and an increased potential to miss the cyberthreats that matter most.

To help security teams better face the growing challenges, generative AI offers transformative capabilities that can bridge critical gaps. In a newly released e-book from Microsoft, we share multiple scenarios that showcase how Microsoft Security Copilot, powered by generative AI, can empower security analysts, accelerate incident response, and improve operational inefficiencies. Sign up to get the e-book, From Alert Fatigue to Proactive Defense: What Generative AI Can Do for Your SOC, and learn how AI can transform organizations like yours today.

Enhance every stage of the security operations workflow

The teams we talk to mention how generative AI is dramatically improving the efficacy and efficiency of their security operations (SecOps)—it helps analysts triage alerts by correlating threat intelligence and surfacing related activity that might not trigger a traditional alert. It generates rapid incident summaries so teams can get started faster, guides investigations with step-by-step context and evidence, and automates routine response tasks like containment and remediation through AI-powered playbooks. Additionally, generative AI supports proactive threat hunting by suggesting queries that uncover lateral movement or privilege escalation, and streamlines reporting by producing clear, audience-ready summaries for stakeholders, all of which means SOC teams spend less time on manual, repetitive work and more time focusing on high-impact cyberthreats—ultimately allowing for faster, smarter, and more resilient security operations.

Microsoft Security Copilot helps organizations address critical challenges of scale, complexity, and inefficiencies—as well as streamlining investigations, simplifying reporting, and more. It gives analysts a good idea of where to start, how to prioritize, and improves analyst confidence with actionable insights. By embedding generative AI into existing workflows, SOCs can operationalize and contextualize security data in ways never possible before—delivering guided responses, accelerating investigations, and transforming complex data into clear, actionable insights for both technical teams and business leaders.

Organizations using Security Copilot report a 30% reduction in mean time to resolution (MTTR).⁵

How Security Copilot delivers real value in everyday SOC tasks

The e-book spans four chapters that cover key scenarios, including investigation and response, AI-powered analysis, proactive threat hunting, and simplified security reporting. Each chapter presents the core challenges faced by today’s SOC teams, how generative AI accelerates and improves outcomes, and measurable, real-world results that show improvements for security analysts—like reduced noise, faster critical insights, identified cyberattack paths, and audience-ready summaries generated by AI. For example, when an analyst receives alerts about unusual login activity from multiple geolocations targeting a high-privilege account, generative AI consolidates related alerts, prioritizes the incident, and provides actionable summaries, allowing for faster triage and confident response.

Included in the e-book are summaries of AI in action, with step-by-step explanations of how Copilot is:

• Guiding analysts to confident, rapid decisions—helping SOC analysts quickly triage alerts, summarize incidents, recommend precise actions, and guide responses, for faster, more confident threat containment.
• Turning complex scripts into clear insights—supporting SOC analysts to decode malicious scripts, correlate threat intelligence, and automate investigations.
• Anticipating cyberthreats before they escalate—empowering threat hunters to quickly query indicators of compromise (IOCs), uncover hidden cyberattack patterns, and take proactive actions, for more predictive defense against evolving cyberthreats.
• Simplifying security reporting for analysts–letting SOC analysts to instantly consolidate data, capture critical details, and produce clear, audience-ready reports.

We analyze results about 60% to 70% faster with Security Copilot. It plays a central role in our ability to speed up threat analyses and activities, fundamentally reducing the risks for our IT landscape worldwide.

—Norbert Vetter, Chief Information Security Officer, TÜV SÜD

The future of SecOps is here with generative AI

For security leaders looking to improve their response time and better support their teams, generative AI isn’t just a vision for the future—it’s available today. From triage to reporting, generative AI–powered assistants enhance every stage of the SecOps workflow—delivering faster responses, stronger defenses, and more confident decision-making. At the forefront of this transformation is Microsoft Security Copilot, which unifies tools, operationalizes threat intelligence, and guides analysts through complex workflows, letting SOC teams adapt to evolving cyberthreats with ease. Sign up to access “What Generative AI Can Do for Your SOC” today and learn how your team can move from overwhelmed to empowered, tackling today’s challenges with confidence and preparing for tomorrow’s uncertainties. Or read more about Microsoft AI-powered unified security operations and how they can move your team from overwhelmed to empowered.

Learn more with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

---

¹ “Generative AI and Security Operations Center Productivity: Evidence from Live Operations,” page 2, Microsoft, November 2024

² Cybersecurity Workforce Study: How the Economy, Skills Gap, and Artificial Intelligence Are Challenging the Global Cybersecurity Workforce 2023,” page 20, ISC2, 2023

³ The Unified Security Platform Era Is Here,” page 7, Microsoft, 2024

⁴ “Global Security Operations Center Study Results,” page 6, IBM, March 2023

⁵ “Generative AI and Security Operations Center Productivity: Evidence from Live Operations,” page 2, Microsoft, November 2024 

The post ​​Learn what generative AI can do for your security operations center appeared first on Microsoft Security Blog.

AI has so thoroughly colonized every technical discipline that it’s becoming hard to organize items of interest in Radar Trends. Should a story go under AI or programming (or operations or biology or whatever the case may be)? Maybe it’s time to go back to a large language model that doesn’t require any electricity and has over 217K parameters: Merriam-Webster. But no matter where these items ultimately appear, it’s good to see practical applications of AI in fields as diverse as bioengineering and UX design.

AI

• Alibaba’s Ling-1T may be the best model you’ve never heard of. It’s a nonthinking mixture-of-experts model with 1T parameters, 50B active at any time. And it’s open weights (MIT license).
• Marin is a new lab for creating fully open source models. They say that the development of models will be completely transparent from the beginning. Everything is tracked by GitHub; all experiments may be observed by anyone; there’s no cherrypicking of results.
• WebMCP is a proposal and an implementation for a protocol that allows websites to become MCP servers. As servers, they can interact directly with agents and LLMs.
• Claude has announced Agent Skills. Skills are essentially just a Markdown file describing how to perform a task, possibly accompanied by scripts and resources. They’re easy to add and only used as needed. A Skill-creator Skill makes it very easy to build Skills. Simon Willison thinks that Skills may be a “bigger deal than MCP.”
• Pete Warden describes his work on the smallest of AI. Small AI serves an important set of applications without compromising privacy or requiring enormous resources.
• Anthropic has released Claude Haiku 4.5, skipping 4.0 and 4.1 in the process. Haiku is their smallest and fastest model. The new release claims performance similar to Sonnet 4, but it’s much faster and less expensive.
• NVIDIA is now offering the DGX Spark, a desktop AI supercomputer. It offers 1 petaflop performance on models with up to 200B parameters. Simon Willison has a review of a preview unit.
• Andrej Karpathy has released nanochat, a small ChatGPT-like model that’s completely open and can be trained for roughly $100. It’s intended for experimenters, and Karpathy has detailed instructions on building and training.
• There’s an agent-shell for Emacs? There had to be one. Emacs abhors a vacuum.
• Anthropic launched “plugins,” which give developers the ability to write extensions to Claude Code. Of course, these extensions can be agents. Simon Willison points to Jesse Vincent’s Superpowers as a glimpse of what plugins can accomplish.
• Google has released the Gemini 2.5 Computer Use model into public preview. While the thrill of teaching computers to click browsers and other web applications faded quickly, Gemini 2.5 Computer Use appears to be generating excitement.
• Thinking Machines Labs has announced Tinker, an API for training open weight language models. Tinker runs on Thinking Machines’ infrastructure. It’s currently in beta.
• Merriam-Webster will release its newest large language model on November 18. It has no data centers and requires no electricity.
• We know that the data products, including AI, reflect historical biases in their training data. In India, OpenAI reflects caste biases. But it’s not just OpenAI; these biases appear in all models. Although caste bias was outlawed in the middle of the 20th century, these biases live on in the data.
• DeepSeek has released an experimental version of its reasoning model, DeepSeek-V3.2-Exp. This model uses a technique called sparse attention to reduce the processing requirements (and cost) of the reasoning process.
• OpenAI has added an Instant Checkout feature that allows users to make purchases with Etsy and Shopify merchants, taking them directly to checkout after finding their products. It’s based on the Agentic Commerce Protocol.
• OpenAI’s GDPval tests go beyond existing benchmarks by challenging LLMs with real-world tasks rather than simple problems. The tasks were selected from 44 industries and were chosen for economic value.

Programming

• Steve Yegge’s Beads is a memory management system for coding agents. It’s badly needed, and worth checking out.
• Do you use coding agents in parallel? Simon Willison was a skeptic, but he’s gradually becoming convinced it’s a good practice.
• One problem with generative coding is that AI is trained on “the worst code in the world.” For web development, we’ll need better foundations to get to a post–frontend-framework world.
• If you’ve wanted to program with Claude from your phone or some other device, now you can. Anthropic has added web and mobile interfaces to Claude Code, along with a sandbox for running generated code safely.
• You may have read “Programming with Nothing,” a classic article that strips programming to the basics of lambda calculus. “Programming with Less Than Nothing” does FizzBuzz in many lines of combinatory logic.
• What’s the difference between technical debt and architectural debt? Don’t confuse them; they’re significantly different problems, with different solutions.
• For graph fans: The IRS has released its fact graph, which, among other things, models the US Internal Revenue Code. It can be used with JavaScript and any JVM language.
• What is spec-driven development? It has become one of the key buzzwords in the discussion of AI-assisted software development. Birgitta Böckeler attempts to define SDD precisely, then looks at three tools for aiding SDD.
• IEEE Spectrum released its 2025 programming languages rankings. Python is still king, with Java second; JavaScript has fallen from third to fifth. But more important, Spectrum wonders whether AI-assisted programming will make these rankings irrelevant.

Web

• Cloudflare CEO Matthew Prince is pushing for regulation to prevent Google from tying web crawlers for search and for training content together. You can’t block the training crawler without also blocking the search crawler, and blocking the latter has significant consequences for businesses.
• OpenAI has released Atlas, its Chromium-based web browser. As you’d expect, AI is integrated into everything. You can chat with the browser, interrogate your history, your settings, or your bookmarks, and (of course) chat with the pages you’re viewing.
• Try again? Apple has announced a second-generation Vision Pro, with a similar design and at the same price point.
• Have we passed peak social? Social media usage has been declining for all age groups. The youngest group, 16–24, is the largest but has also shown the sharpest decline. Are we going to reinvent the decentralized web? Or succumb to a different set of walled gardens?
• Addy Osmani’s post “The History of Core Web Vitals” is a must-read for anyone working in web performance.
• Features from the major web frameworks are being implemented by browsers. Frameworks won’t disappear, but their importance will diminish. People will again be programming to the browser. In turn, this will make browser testing and standardization that much more important.
• Luke Wroblewski writes about using AI to solve common problems in user experience (UX). AI can help with problems like collecting data from users and onboarding users to new applications.

Operations

• There’s a lot to be learned from AWS’s recent outage, which stemmed from a DynamoDB DNS failure in the US-EAST-1 region. It’s important not to write this off as a war story about Amazon’s failure. Instead, think: How do you make your own distributed networks more reliable?
• PyTorch Monarch is a new library that helps developers manage distributed systems for training AI models. It lets developers write a script that “orchestrates all distributed resources,” allowing the developer to work with them as a single almost-local system.

Security

• The solution to the fourth part of Kryptos, the cryptosculpture at the CIA’s headquarters, has been discovered! The discovery came through an opsec error that led researchers to the clear text stored at the Smithsonian. This is an important lesson: Attacks against cryptosystems rarely touch the cryptography. They attack the protocols, people, and systems surrounding codes.
• Public cryptocurrency blockchains are being used by international threat actors as “bulletproof” hosts for storing and distributing malware.
• Apple is now giving a $2M bounty for zero-day exploits that allow zero-click remote code execution on iOS. These vulnerabilities have been exploited by commercial malware vendors.
• Signal has incorporated postquantum encryption into its Signal protocol. This is a major technological achievement. They’re one of the few organizations that’s ready for the quantum world.
• Salesforce is refusing to pay extortion after a major data loss of over a billion records. Data from a number of major accounts was stolen by a group calling itself Scattered LAPSUS$ Hunters. Attackers simply asked the victim’s staff to install an attacker-controlled app.
• Context is the key to AI security. We’re not surprised; right now, context is the key to just about everything in AI. Attackers have the advantage now, but in 3–5 years that advantage will pass to defenders who use AI effectively.
• Google has announced that Gmail users can now send end-to-end encrypted (E2EE) regardless of whether they’re using Gmail. Recipients who don’t use Gmail will receive a notification and the ability to read the message on a one-time guest account.
• The best way to attack your company isn’t through the applications; it’s through the service help desk. Human engineering remains extremely effective—more effective than attacks against software. Training helps; a well-designed workflow and playbook is crucial.
• Ransomware detection has now been built into the desktop version of Google Drive. When it detects activities that indicate ransomware, Drive suspends file syncing and alerts users. It’s enabled by default, but it is possible to opt out.
• OpenAI is routing requests with safety issues to an unknown model. This is presumably a specialized version of GPT-5 that has been trained specially to deal with sensitive issues.

Robotics

• Would you buy a banana from a robot? A small chain of stores in Chicago is finding out.
• Rodney Brooks, founder of iRobot, warns that humans should stay at least 10 feet (3 meters) away from humanoid walking robots. There is a lot of potential energy in their limbs when they move them to retain balance. Unsurprisingly, this danger stems from the vision-only approach that Tesla and other vendors have adopted. Humans learn and act with all five senses.

Quantum Computing

• Google claims to have demonstrated a verifiable quantum advantage on its quantum processor: The output of the computation can be tested for correctness. Verifiable quantum advantage doesn’t just mean that it’s fast; it means that error correction is working.
• Researchers at Institute of Science Tokyo have developed a quantum error correction method that’s efficient and (in theory) scales to hundreds of thousands of qubits. Quantum computers of that size haven’t been built yet but will be needed to perform real work.

Biology

• Scientists have discovered a new narrow-spectrum antibiotic that could be used to treat inflammatory bowel disease. AI was able to predict how the antibiotic would work, apparently a first.
• A red-teaming security group at Microsoft has announced that they have found a zero-day that allows malicious actors to design harmful proteins with AI.
• AI has successfully designed the DNA for a bacteriophage (essentially a very simple virus) capable of infecting and killing E. coli, a common bacteria. This is the first time AI has been used to synthesize an entire genome.

AI Agents access sensitive data and are responsible to protect this data against attack vectors. Learn how a secure-by-design approach helps you build AI Agents that interact safely with applications, APIs, and services.

Highlights from the new version of Deno Deploy.

Summary

In this episode, Andy talks with Amireh Amirmazaheri, CEO of PMO Solutions and a leading voice in the global PMO community. From growing up in Iran during a time of war to building a respected consultancy in Australia, Amireh shares how resilience and curiosity shaped her approach to leadership and enabling project success. You'll hear how PMOs have evolved from administrative hubs to strategic influencers, what it means to truly "speak the language of executives," and how to recognize when a PMO is at risk of drifting into irrelevance. We also explore how AI is transforming the work of PMOs and what leaders can do to stay ahead of the curve. Plus, Amireh offers practical advice on leading as a woman in project management and applying PMO principles at home as a parent.

If you're looking for insights on elevating PMO impact, executive communication, and leading through change, this episode is for you!

Sound Bites

• "Limitations aren't always bad. They push us into the creativity zone."
• "Executives don't want red or amber. They want to know where the ship is heading."
• "When PMOs chase BAU firefighting, they lose their strategic brain."
• "If PMOs stay educated and ahead of the game, they can influence the AI journey."
• "It's okay to cry. Then think, learn, and lead."
• "Um, should I tell you that my little one has a kanban board?"

Chapters

• 00:00 Introduction
• 01:31 Start of Interview
• 01:42 Early Life in Iran and Resilience
• 12:56 Lessons About Enablement
• 15:02 How PMOs Have Changed
• 18:55 Speaking the Language of Executives
• 21:22 Failure Clues and PMO Drift
• 25:11 Sponsorship as a Risk Factor
• 26:08 Using AI and Its Near-Term Impact on PMOs
• 32:25 Leading as a Woman
• 37:44 Applying PM and PMO Ideas at Home
• 40:22 PMO Global Alliance Overview
• 42:15 End of Interview
• 42:50 Andy Comments After the Interview
• 46:22 Outtakes

Learn More

You can learn more about Amireh and her work at PMOSol.com, or connect with her on LinkedIn.

For more learning on this topic, check out:

• Episode 436 with Laura Barnard, about the IMPACT Engine
• Episode 429 with Bill Dow, about PMO insights
• Episode 187 with Peter Taylor, Bill Dow, and others, about the State of PMOs

Level Up Your AI Skills

Join other listeners from around the world who are taking our AI Made Simple course to prepare for an AI-infused future.

Just go to ai.PeopleAndProjectsPodcast.com. Thanks!

Pass the PMP Exam This Year

If you or someone you know is thinking about getting PMP certified, we've put together a helpful guide called The 5 Best Resources to Help You Pass the PMP Exam on Your First Try. We've helped thousands of people earn their certification, and we'd love to help you, too. It's totally free, and it's a great way to get a head start.

Just go to 5BestResources.PeopleAndProjectsPodcast.com to grab your copy. I'd love to help you get your PMP!

Join Us for LEAD52

I know you want to be a more confident leader—that's why you listen to this podcast. LEAD52 is a global community of people like you who are committed to transforming their ability to lead and deliver. It's 52 weeks of leadership learning, delivered right to your inbox, taking less than 5 minutes a week. And it's all for free. Learn more and sign up at GetLEAD52.com. Thanks!

Thank you for joining me for this episode of The People and Projects Podcast!

Talent Triangle: Ways of Working

Topics: PMOs, Executive Communication, Leadership, AI in Projects, Change Management, Strategic Thinking, Women in Leadership, Organizational Influence, Resilience, Stakeholder Engagement, Career Growth, Continuous Improvement

The following music was used for this episode:

Music: Brooklyn Nights by Tim Kulig
License (CC BY 4.0): https://filmmusic.io/standard-license

Music: Tuesday by Sascha Ende
License (CC BY 4.0): https://filmmusic.io/standard-license

Download audio: https://traffic.libsyn.com/secure/peopleandprojectspodcast/483-AmirehAmirmazaheri.mp3?dest-id=107017