Mar 23, 2026
TaintGuard
Revathi Prasad
TaintGuard is a system that augments existing LLM-based monitors with
dynamic data-flow taint tracking to detect sabotage in AI agent trajectories. Taint tracking provides a structurally different signal from LLM monitoring — it detects data-flow violations (exfiltration, integrity writes, code injection) that are provable and immune to prompt injection, while LLM monitors detect semantic intent.
Interesting project!
- I like layer 1. It's undeniable that good control protocols should take advantage of such cheap detectors. However, it's important to test, or discuss when time is limited, the strategies a potential Red Team (RT) could come up with to avoid triggering your monitor.
- Layer 2 seems more interesting in practice.
Most important in the future: show results capping the audit budget (Honest FPR) to a threshhold. It's easy have great attack catch rate, at the cost of catching every non-attack. It's important to give an idea of how FPR trades off against recall, and here it's hard to tell.
I'm quite interested in using more traditional security approaches to aid in monitoring/blue team protocols and this was an interesting exploration of that IMO.
I would like to have seen more work to make the FPR a bit lower, and would have liked to see ROC curves to properly compare the techniques.
I think that implementing the taint-finding-aware validation idea would have been interesting. Also I would maybe use larger numbers of trajs, though it makes sense that you were resource/time constrained there since this was a weekend project.
Overall, I thought that this was quite good work.
Cite this work
@misc {
title={
(HckPrj) TaintGuard
},
author={
Revathi Prasad
},
date={
3/23/26
},
organization={Apart Research},
note={Research submission to the research sprint hosted by Apart.},
howpublished={https://apartresearch.com}
}
