Definition
Plain language
A test suite of multi-step attacks where each individual step looks harmless but the whole sequence is malicious.
As stated in the literature
A benchmark of runnable attack chains against agent harnesses, where early steps poison persistent workspace state and later innocent-looking steps activate it; each chain is validated by confirming every malicious step actually fires against real models.
Why it matters: It exposes attacks that no single step would reveal, helping defenders test whether their safeguards catch threats that unfold across many actions.
For example, one attack chain has an agent save a poisoned note early on, then a later harmless-looking request quietly triggers that note to cause harm.