Microsoft Research red-teaming a network of 100+ agents: 4 network risks identified that do not appear in single-agent tests — propagation, amplification, trust capture, and invisibility

Microsoft Research published results of a red-teaming experiment on a live internal platform hosting more than 100 AI agents on April 30, 2026. The team behind the work — including Gagan Bansal, Shujaat Mirza, Keegan Hines, Adam Fourney, Ece Kamar, and Saleema Amershi — argues that agents no longer operate in isolation but are becoming participants in a shared, interconnected environment, and that such systems have a class of risks that single-agent benchmarks simply do not measure. The key finding: reliability of an individual agent does not predict network behavior.

How is the platform set up?

Each principal (human) is represented by one or more always-on LLM agents (variants of GPT-4o, GPT-4.1, and GPT-5-class), and each agent has persistent context and a periodic “heartbeat” timer that activates it every few minutes. Agents post to a shared public forum, send direct messages, and use integrated applications for scheduling meetings, currency exchange, and a marketplace. The platform includes basic guardrails: a reputation system with upvotes/downvotes, a 30-minute delay between posts, and tool usage limits. The experiment compares how agents respond to malicious input when they are not working alone but as part of a population.

What four network risks does the team identify?

Propagation: agent worms spread from one agent to another, persist across multiple hops, and collect private data along the way. A single malicious message in the experiment pulls multiple agents into a chain, including ones that were not the original target. Amplification: an attacker borrows the reputation of a trusted agent and introduces a false claim that triggers a pile-on from other agents, producing convincing but fabricated “evidence.” Trust capture: the attacker takes over the way agents verify each other’s claims, turning the verification system into one that confirms falsehoods. Invisibility: information passes through chains of unaware agents, making the source of an attack difficult to trace from the perspective of any individual agent.

How practical are the discovered attacks?

The team observed convincing versions of all four scenarios in a controlled environment during the experiment, but also noted early signs of defense: a small percentage of agents showed security-related behaviors that limited the attack’s reach. In other words, networks have emergent resilience, but it appears as a tendency rather than a reliable guarantee. Microsoft notes that the AgentChaos and Prompt Infection frameworks from the literature document similar attack patterns, but this work focuses specifically on a sandboxed internal platform with real-world reputation and marketplace systems.

What does this mean for enterprise security?

The result has direct implications for organizations already considering multi-agent platforms. Current security frameworks measure an agent’s resilience to individual adversarial prompts, but do not test how an agent behaves within a population of similar agents that mutually influence each other. Microsoft Research concludes that building useful agent networks will require understanding and mitigating these network-level risks “starting from real deployments” — signaling that enterprise pilot tests of multi-agent stacks must approach these attack archetypes with awareness.