Inspiration

We were originally just trying to build a customer support bot, but we kept accidentally breaking it with weird prompts. We realized there aren’t really good tools out there to automate this kind of testing—most security tools just look for SQL injections, not prompt injections or hallucinations. We thought:

What if we built an AI specifically designed to hack other AIs?

What it does

Agent Sentinel is basically an automated red-team for your conversational bots. You plug in your target agent, and our system spins up a QACommander bot. This commander manages a bunch of specialized sub-agents:

  • Jailbreaker: Tries to force the system to ignore instructions.
  • PII Sniffer: Phishes for social security numbers or credit cards.
  • Toxicity Troll: Tries to get the bot to say something toxic.

It fires these attacks at the target, grades how well the target defended itself, and calculates an overall vulnerability score using our evaluation logic:

$$ \text{Vulnerability Score} = \left( \frac{\text{Failed Defenses}}{\text{Total Attacks}} \right) \times 100\% $$

Finally, it throws all the tracing data onto a dashboard so you can actually see exactly where your guardrails failed.

How we built it

The core agents (both the targets and the attackers) were built entirely in Google Cloud's Conversational Agents UI using Gemini 2.5 Pro and 1.5 Pro. We used the new Playbooks feature to set up the sub-agent hierarchy.

To make them actually talk to each other, we wrote a Python FastAPI backend hosted on Cloud Run. It acts as the middleman, grabbing an attack from the red-team agent and throwing it at the target agent using the Dialogflow CX SDK. We also wired up Arize Phoenix via OpenTelemetry so we could get live, visual traces of every single conversation beamed straight to our React frontend.

Challenges we ran into

The biggest headache was getting two conversational agents to talk to each other. By default, they just sit there waiting for a human to type something. We had to write a custom Python dispatcher to pass the messages back and forth while making absolutely sure their session_ids didn't get mixed up.

Also, getting OpenTelemetry to play nice with Cloud Run and Arize Phoenix took us hours. We kept dealing with silent trace drops and weird exporter library conflicts before we finally got the environment variables dialed in perfectly.

Accomplishments that we're proud of

Honestly, the first time we watched our red-team bot dynamically figure out a completely novel prompt injection, successfully bypass our target's guardrails, and show up immediately as a failed safety trace on the dashboard—that was a massive win for us. It proved the concept actually worked in the real world.

What we learned

We got really deep into the weeds of Google Cloud Agent Builder and how to structure multi-agent logic using Playbooks. We also learned a ton about LLM observability—setting up custom spans with OpenTelemetry is incredibly powerful but definitely has a steep learning curve!

What's next for Agent Sentinel

Right now it just attacks and reports. Next, we want to add a Self-Healing Loop. If the red-team finds a prompt injection vulnerability, we want the system to automatically draft a patch for the target agent's system prompt and deploy the fix autonomously.

Built With

Share this project:

Updates