Specific attack + framework combinations with real payloads, vulnerable vs. secure code, and detection strategies. Each guide covers why your framework is vulnerable to a specific attack and exactly how to prevent it.
Rather than generic security advice, you get the exact vulnerability in your framework, real attack payloads that exploit it, and the specific code to prevent it. Every guide shows vulnerable and secure code side-by-side so you can see exactly what changes.
Start by finding your framework in the tags below, then pick the threat type most relevant to your deployment. If you're not sure which threats apply to you, start with the prompt injection guide for your framework — it's the most common attack vector across all agent types.
LangChain agents are uniquely vulnerable to prompt injection because they combine LLM reasoning with tool access and document retrieval. A single injected instruction in a retrieved document can cause the agent to execute arbitrary tool calls, leak data, or ignore its system prompt entirely.
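A first line of defense is to scan retrieved documents before they ever reach the agent. The sketch below is illustrative only: the patterns and function names are hypothetical, not a LangChain API, and a production scanner would layer semantic and LLM-based checks on top of pattern matching.

```python
import re

# Hypothetical injection signatures; real scanners combine pattern,
# semantic, and LLM-judge layers. These names are illustrative.
INJECTION_PATTERNS = [
    r"ignore (all |any )?(previous|prior) instructions",
    r"you are now",
    r"disregard .{0,40}(rules|instructions)",
    r"system prompt",
]

def scan_retrieved_document(text: str) -> list[str]:
    """Return the injection patterns matched in a retrieved document."""
    return [p for p in INJECTION_PATTERNS
            if re.search(p, text, re.IGNORECASE)]
```

A document that matches any pattern can be dropped from the retrieval results or quarantined for review before the agent sees it.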
OpenAI function calling agents are vulnerable to prompt injection attacks that manipulate the model into generating malicious function calls. Unlike simple chatbots, function calling agents execute real actions — making injection attacks operational, not just informational.
Claude's 200K context window and sophisticated tool use make it a powerful agent backbone, but the large context window is a double-edged sword for security. Attackers have 200K tokens of space to hide injection attempts — far more than any human reviewer can check manually.
CrewAI's multi-agent architecture compounds prompt injection risk. When an injection compromises one agent, its manipulated output flows to the next agent as trusted input, cascading the attack through the entire crew.
MCP servers are a novel injection vector. When your agent calls an MCP tool, the server controls the response — and a malicious or compromised server can return tool results containing injected instructions that hijack your agent's behavior.
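The common mitigation across these injection vectors is to treat tool output as data, never as instructions. One sketch of that idea, with assumed patterns and a hypothetical delimiter convention (not part of the MCP specification):

```python
import re

# Illustrative instruction-like signatures in untrusted tool output.
SUSPICIOUS = [
    r"ignore (previous|prior) instructions",
    r"</?system>",
    r"you must now",
]

def sanitize_tool_result(result: str) -> str:
    """Reject instruction-like content, then delimit the rest as data.

    Wrapping lets downstream prompts mark this span as untrusted data
    rather than instructions (delimiter name is an assumption).
    """
    for pattern in SUSPICIOUS:
        if re.search(pattern, result, re.IGNORECASE):
            raise ValueError("tool result contains instruction-like content")
    return f"<tool-data>{result}</tool-data>"
```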
LangChain agents with tool access can read databases, files, and APIs — and then send that data anywhere. Data exfiltration through AI agents is harder to detect than traditional exfiltration because it happens through natural language interactions rather than network traffic patterns.
OpenAI function calling agents can be manipulated into extracting and transmitting sensitive data through function parameters. The model generates both the function name and arguments, giving an attacker control over where data goes.
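Because the model generates both the function name and its arguments, outbound arguments should be scanned before the call executes. A minimal sketch, assuming regex-detectable categories (real deployments would add entity recognition and context-aware checks):

```python
import json
import re

# Illustrative sensitive-data detectors; categories are assumptions.
SENSITIVE = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "api_key": re.compile(r"\b(sk|pk)[-_][A-Za-z0-9]{16,}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

def check_function_call(name: str, arguments: str) -> list[str]:
    """Return sensitive-data categories found in model-generated arguments."""
    args_text = json.dumps(json.loads(arguments))  # normalize the JSON
    return [label for label, rx in SENSITIVE.items()
            if rx.search(args_text)]
```

Any non-empty result can block the call or route it to a human approval step before data leaves the system.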
Claude's large context window means agents process massive amounts of data in a single turn. When that data includes sensitive information, the risk of exfiltration through tool calls or agent responses increases proportionally.
CrewAI multi-agent workflows create unique data exfiltration risks. When agents pass data to each other, sensitive information can flow from a high-access agent to one with external communication tools — enabling data theft through agent-to-agent handoffs.
MCP servers receive tool call parameters from your agent — which may contain sensitive data. A malicious MCP server can silently log, store, or transmit any data your agent sends through its tools.
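A complementary control is to redact sensitive values from parameters before they cross the trust boundary to the server. A sketch under assumed redaction rules (the patterns and tokens here are illustrative):

```python
import re

# Illustrative redaction rules: (pattern, replacement token).
REDACTIONS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{16}\b"), "[CARD]"),
]

def redact_params(params: dict) -> dict:
    """Mask sensitive substrings in string parameters before an MCP call."""
    out = {}
    for key, value in params.items():
        if isinstance(value, str):
            for rx, token in REDACTIONS:
                value = rx.sub(token, value)
        out[key] = value
    return out
```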
LangChain agents choose which tools to call and generate the parameters for each call. Tool manipulation attacks exploit this by causing the agent to call the wrong tools, pass malicious parameters, or chain tools in unauthorized sequences.
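One way to constrain tool chaining is an allow-list of expected call sequences, enforced outside the model. The chains and tool names below are hypothetical; the point is that only pre-approved sequences (or their prefixes) may execute:

```python
# Hypothetical allow-list of tool call chains; names are illustrative.
ALLOWED_CHAINS = {
    ("search_docs",),
    ("search_docs", "summarize"),
    ("lookup_customer", "send_email"),
}

def validate_chain(calls: list[str]) -> bool:
    """Allow a sequence only if it is a prefix of an approved chain."""
    chain = tuple(calls)
    return any(allowed[:len(chain)] == chain for allowed in ALLOWED_CHAINS)
```

An agent that suddenly tries `lookup_customer` followed by an unapproved tool is stopped mid-chain instead of after the damage is done.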
OpenAI function calling gives GPT-4 control over which functions to call and what parameters to pass. Tool manipulation attacks exploit this by causing the model to generate malicious function calls — with injected parameters, unauthorized function selections, or abusive parallel call patterns.
CrewAI crews combine multiple agents, each with their own tools. Tool manipulation attacks exploit the interaction between agents' tool sets — one agent's legitimate tool use can set up an attack executed by another agent's tools.
MCP servers define which tools are available to your agent. A malicious or compromised MCP server can advertise dangerous tools with innocent-sounding names, alter tool behavior between sessions, or execute unauthorized actions when tools are called.
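Behavior drift between sessions can be caught by pinning the server's advertised tool list to a fingerprint. This is a generic sketch, not part of the MCP protocol: hash the tool definitions on first connect, then refuse to call tools if the hash changes unexpectedly.

```python
import hashlib
import json

def fingerprint(tool_defs: list[dict]) -> str:
    """Stable hash of a server's advertised tool list (name + schema)."""
    canonical = json.dumps(sorted(tool_defs, key=lambda t: t["name"]),
                           sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()

# On first connect, store fingerprint(tool_defs). On later sessions,
# compare: a mismatch means the server changed its tools and should be
# re-reviewed before any call is allowed.
```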
LangChain agents can be manipulated into accessing tools, data, or capabilities beyond their intended permissions. Privilege escalation in agents is different from traditional systems — the 'privilege' is which tools the agent can use, which data it can access, and what actions it can take.
OpenAI function calling agents can be manipulated into calling functions they shouldn't have access to. If your function list includes both user-level and admin-level functions, an injection can cause the model to call admin functions on behalf of a regular user.
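The fix is to authorize every call against the caller's actual role, not the model's choice. A minimal sketch with hypothetical function names and roles:

```python
# Hypothetical mapping of functions to the roles allowed to invoke them.
FUNCTION_ROLES = {
    "get_order_status": {"user", "admin"},
    "refund_order": {"admin"},
    "delete_account": {"admin"},
}

def authorize_call(function_name: str, caller_role: str) -> bool:
    """Gate execution on the *caller's* role, regardless of what the
    model generated. Unknown functions are denied by default."""
    return caller_role in FUNCTION_ROLES.get(function_name, set())
```

Even if an injection convinces the model to emit `refund_order`, the call is denied when the session belongs to a regular user.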
LangChain agents without policy enforcement operate on the honor system — trusting the LLM to follow its system prompt. Security policies need to be enforced at the infrastructure level, not in the prompt. Rune's YAML policy engine lets you define rules that are enforced at the middleware layer, independent of the model's behavior.
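The shape of middleware-level enforcement can be sketched as follows. The rule schema here is illustrative, written in the spirit of a YAML policy file; Rune's actual policy syntax may differ.

```python
# Illustrative deny rules, as might be loaded from a YAML policy file.
# The schema (tool / param_contains) is an assumption for this sketch.
POLICY = [
    {"deny": {"tool": "execute_sql", "param_contains": "DROP"}},
    {"deny": {"tool": "send_email", "param_contains": "@external"}},
]

def enforce(tool: str, params: str) -> bool:
    """Middleware-level check that runs on every tool call,
    independent of whatever the model decided to do."""
    for rule in POLICY:
        deny = rule["deny"]
        if (deny["tool"] == tool
                and deny["param_contains"].lower() in params.lower()):
            return False
    return True
```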
OpenAI's system prompt gives you soft guidance over model behavior, but it can't enforce security policies. Rune's policy engine adds infrastructure-level enforcement — rules that are applied consistently regardless of what the model decides to do.
Not all attacks trigger pattern-based detection. Sophisticated attacks cause agents to behave subtly differently — using tools slightly more than usual, accessing data in unusual patterns, or producing responses with different characteristics. Behavioral anomaly detection catches what pattern matching misses.
OpenAI function calling agents develop predictable patterns — which functions they call, how often, and with what parameters. Behavioral anomaly detection monitors these patterns and alerts when something changes, catching sophisticated attacks that bypass pattern-based detection.
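The core of frequency-based anomaly detection can be sketched with a simple z-score over per-session tool-call counts. Real systems track many more signals (parameter distributions, call ordering, response characteristics); this minimal version just shows the shape of the check.

```python
import statistics

def is_anomalous(history: list[int], current: int,
                 threshold: float = 3.0) -> bool:
    """Flag a per-session tool-call count far outside the baseline.

    `history` holds call counts from past sessions; `current` is this
    session's count. The 3-sigma threshold is an arbitrary default.
    """
    mean = statistics.mean(history)
    stdev = statistics.pstdev(history) or 1.0  # avoid divide-by-zero
    return abs(current - mean) / stdev > threshold
```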
Start with the prompt injection guide for your framework. Prompt injection is the most common attack (14% of sessions) and the gateway to most other attacks. Once you've secured against injection, move to data exfiltration and tool manipulation guides.
Framework-specific protection is significantly more effective. Each framework has unique attack surfaces — LangChain's callback system, CrewAI's inter-agent communication, MCP's tool protocol. Generic security misses framework-specific vulnerabilities that attackers actively exploit.
Yes — each guide includes general prevention strategies that work independently. However, the detection code examples use Rune's SDK because manual implementation of multi-layer scanning (pattern matching + semantic analysis + LLM judgment) requires significant engineering effort to build and maintain.
We add guides whenever a new attack technique or framework integration is identified. The threat landscape for AI agents evolves rapidly — new injection techniques emerge monthly. Follow our blog for announcements of new guides and threat reports.
Add runtime security in under 5 minutes. Rune scans every input, output, and tool call automatically.
Start Free — 10K Events/Month