Tynapse's research paper 'Cross-Agent Campaign Attribution: Linking Asynchronous Attacks Across LLM Agents' was accepted to the AIWILD workshop at ICML 2026, and the Tynapse AI team presented it as a poster on July 11 at The Second Workshop on Agents in the Wild: Safety, Security, and Beyond (AIWILD), held at COEX in Seoul.

ICML is one of the world's leading machine learning conferences, and ICML 2026 was held at COEX in Seoul from July 6 to 11. AIWILD, the workshop that accepted the paper, focuses on how AI agents deployed in real environments can reason and act safely and reliably.
A Single Attack May Not End in a Single Session
Most AI agent security evaluations today judge risk based on a single user request and the single response it produces.
As AI agents take on coding, customer support, data analysis, and other tasks, however, the shape of attacks can change. A single attacker can split different forms of an attack across multiple AI agents, or repeat attacks at regular intervals.
If each agent only sees the requests sent to it, each individual request can look like normal usage. But when the traces left across multiple agents and sessions are examined together, attacks that appeared unrelated may turn out to originate from a single campaign.
The Tynapse AI team defined this problem as Cross-Agent Campaign Attribution: linking and tracing attacks distributed asynchronously across multiple AI agents.
A²FV: Connecting Scattered Attack Traces

The study proposes A²FV, Asynchronous Attribution Fingerprint Vectors, to link attack traces left across different agents and sessions.
A²FV analyzes three kinds of traces that a proxy layer can observe in each session.
The first is structural features, such as tool-call patterns, behavioral shifts after failures, and the order of attack tactics. The second is stylometric features left in punctuation, phrasing habits, word choices, and sentence forms. The third is temporal features, such as the gaps between tool calls within a session and payload sizes.
The team composed these signals into a single fingerprint. In the SCD-v1 experiments, structural and stylometric features served as the main linking signals, while temporal features were kept as a diagnostic channel for future analysis.
On this basis, the team analyzed whether different sessions belong to the same attack campaign, even in environments with no shared agent memory and no attacker identity information.
This is a different security layer from conventional session-level safety classification, which judges whether each individual request is risky. Instead of deciding whether a single dot is dangerous, this approach looks for the lines that connect scattered dots.
Campaign-Linking Performance on a Controlled Benchmark
The Tynapse AI team built SCD-v1, a synthetic benchmark that reproduces a multi-agent environment, to evaluate A²FV.
The benchmark includes benign requests, single-session attacks, and attack campaigns that span multiple sessions. Personas and writing styles were constructed so they do not trivially align with campaign labels, and leakage checks were performed to reduce the chance of linking attacks through specific words or simple identity cues.
In the experiments, A²FV recorded 0.82 on the pairwise campaign-linking AUC evaluation, which measures how well sessions belonging to the same attack campaign are distinguished.
An AUC of 0.82 does not mean that 82% of attacks were detected. It indicates how consistently session pairs from the same campaign are ranked higher than other session pairs.
By contrast, linking attacks using per-session risk scores alone scored about 0.52, and an LLM judge comparing sessions in separate chunks scored about 0.51. Compared with 0.5, the level of random guessing, this shows that per-session risk scores or partitioned LLM judgments alone struggle to link attacks distributed across multiple agents.
The best performance came from combining structural and stylometric features, confirming that the composite traces left at the proxy layer can be used effectively to identify attack campaigns.
From Session-Level Defense to Campaign-Level Security
As AI agents connect to more enterprise workflows and systems, attacks are increasingly unlikely to stay within a single input box or a single conversation.
Independently operated agents observe only the fragment of an attack that reaches them. Blocking the inputs and outputs of individual agents is therefore not enough to reveal the full flow an attacker builds across multiple agents.
This research suggests that AI security should move beyond judging the harmfulness of individual requests, toward connecting security signals scattered across agents and time and analyzing them as a single attack campaign.
These results were obtained on a controlled synthetic benchmark and do not directly prove performance in production environments. Some correlation between writing style and campaigns remains, and fully adaptive attackers who change their methods while observing detection scores were outside the scope of this study.
Even so, under controlled static evasion and attack conditions without access to detection scores, the linking signal between individual sessions stayed above random levels, laying the groundwork for follow-up research.
Toward a Trustworthy AI Agent Environment

At the venue, the poster session covered the main elements of the research, including benchmark design, evasion possibilities, and how the approach could be applied in real multi-agent environments.
Tynapse is researching a security layer that goes beyond protecting AI inputs and outputs individually, connecting and observing the tools and data AI agents use and the behavior that occurs across multiple sessions.
We will continue to define new AI security threats that can arise in real environments and advance our research and products so that enterprises can use AI agents more safely and reliably.

