Frontier AI agents can seize full admin of a cloud account in minutes. We adapted Tracebit canaries to stop them entirely - read the research, see Andy's take on LinkedIn, or read further to find out more.
Detection is not the whole story
In our last paper we pointed ten frontier models at a live AWS environment and showed that canaries reliably detect autonomous AI attackers. That was reassuring but it was also sobering: the top models took a critical action within 14 minutes on average, and canaries bought the defender roughly an 8-minute head start.
Eight minutes is a real advantage - but it's an uncomfortably short window in which to notice an attack, understand it, and contain it. The agent keeps working while you scramble to respond.
We did find one lever that reduced the damage: warning an agent that it might be facing deception made it significantly less likely to reach the worst outcomes. But that's not a lever defenders get to pull because we don't write the prompts an attacker gives their agent.
So we asked the obvious next question: can a canary do more than warn you? Can it make the attack stop?
Turning the environment against the attacker
Canaries aren't just passive detections - they change the environment the attacker operates in. Against human attackers, that means distraction and confusion. Against AI agents, which are fast and relentlessly persistent, we wanted something better: to turn the characteristics of the models themselves against them.
Threat actors got here first; in 2025, Check Point reported malware carrying a prompt injection aimed at any AI tool inspecting it, and Socket described strings written specifically to trigger an LLM's safety refusals in the wild.
We call the defensive version a context bomb: a short piece of text designed to trigger a model's safety guardrails, planted directly in the attacker's path - a decoy secret, environment variable, or DNS record. An AI agent that reads it will frequently refuse to continue. You still get the alert; and the attack now halts early instead of merely being detected.
Are context bombs effective in stopping AI attacks?
Across five leading models and 152 attack runs in our AWS cyber range, planting a context bomb in a decoy secret:
- Cut admin privilege escalation from 57% of runs to 5%
- Cut complete compromise (admin plus a persistent foothold) from 36% to 1%
- Cut runs achieving any attack path from 91% to 15%
The most capable agent in our tests, Opus 4.8, went from achieving admin access in 93% of runs to failing every single time.
And no run completed an attack path without at least triggering a canary detection.
Why this is valuable
The speed of autonomous AI attacks is why deception is climbing the priority list for security programs. When the attack chain takes minutes rather than days, every minute of response time you can claw back matters - and a control that stops the attacker outright, rather than just reporting them, changes the economics significantly.
A context bomb won't stop everything but it has the real potential to frustrate and hinder attackers using autonomous AI agents, while giving you the detection you needed.
Read the research
We planted context bombs in the path of five frontier models and measured what happens to an autonomous attack when the environment fights back: which phrases work against which models, how the attacks unravel, and what to consider before placing one in your own environment. The full benchmark, data and findings are written up on the research microsite.

