Guardrails

Why OpenAI Is Paying People to Break Tool-Using Agents

Auly Editorial · Jun 19, 2026 · 3 min read

OpenAI, with Google and IEEE, is running a public Kaggle competition that asks participants to do one thing: build an attack algorithm that finds reproducible multi-step failures in tool-using AI agents, inside a deterministic offline benchmark. Reward the people who break agents most reliably. It's a red-team exercise run in public, and it's worth paying attention to — not for the prize, but for what it says about where the field thinks the hard problems are.

Single-step safety isn't the hard part

Most agent evaluation still happens one prompt at a time: does the model refuse the bad instruction, does it leak the secret, does it call the dangerous tool. Those are necessary checks, and they're also the easy ones. The failures that actually hurt usually don't come from a single, obviously-bad step. They come from a sequence of individually-reasonable steps that compounds into something the operator never intended — read a record, summarize it, act on the summary, pass the result to a second tool, and three hops later the agent has done real-world damage with no single step that a guardrail would have flagged.

That's the surface this competition targets: multi-step tool attacks, scored for reproducibility. Both words matter. Multi-step, because that's where the interesting failures live. Reproducible, because a failure that fires once is an anecdote, and a failure that fires on demand is a design problem you can actually study.

What a public red-team is good for

Breaking things in the open is more useful than it sounds. A competition like this — especially when its results get written up the way an earlier large-scale agent-security competition already was — tends to produce a few things the field is otherwise short on:

  • A shared vocabulary for how agents fail. Not "agents are risky" but a named, enumerated list of the ways tool-using agents break under multi-step pressure. You can't defend against a failure mode you can't name.
  • Concrete, reproducible cases. Deterministic benchmarks give defenders something to test against. A fix is only a fix if you can show the attack that used to work no longer does.
  • A read on which mitigations earn their keep. Every winning attack implies the control that would have blunted it. Watching what survives the contest is a cheap way to learn which defenses are worth the friction.

That's the real value of paying people to break agents in public: it turns vague unease into specific, testable problems.

The honest limits

It's worth being precise about what a contest like this does and doesn't show.

  • The benchmark is offline and deterministic. That's what makes it reproducible and scorable, and it's also what makes it narrower than production. Real agents run against live tools with real side effects, non-deterministic models, and an attacker who adapts. An offline benchmark is a lower bound on the failure surface, not a census of it.
  • Coverage is bounded by what the contest rewards. The failure modes that win prizes get enumerated. The slow, low-yield, or hard-to-reproduce ones stay underweighted — and "nobody found it" reads as "it isn't there" if you're not careful.
  • A working attack isn't a deployed risk. Showing that a technique fires against a fixed benchmark agent tells you the vulnerability exists. How exposed any given real deployment is depends on how it's actually wired up.

None of that diminishes the exercise. It just means it's one input into how you think about an agent's safety, not the whole picture.

The takeaway

The useful shift here is away from "is this model safe" toward "is this agent, with these tools, safe across the sequences it can actually run." That's a harder question, and a public competition aimed squarely at multi-step, reproducible failures is a good way to make the field better at answering it. We'll be reading the results closely — they're the clearest map yet of how tool-using agents come apart under pressure.

See the risk in what your agents do.

Auly scores what your agents can do, helps you reduce what's at stake, and insures what's left.

Get early access →