New & open source · Heading to Black Hat Europe 2026 Arsenal
finding 15fab1cd indirect_injection → agent hijack user LLM tool sink USER user input LLM agent core decides tool calls read_file tool call doc.txt poisoned · canary planted tool result web_search tool call · canary in arg SINK data exfil PWN-1877212B ⚠ agent hijack · High CVSS 8.2 ✓ canary observed in web_search arg

AI Security Research

The runtime attack graph engine
for AI agents

pip install pwngraph coming soon

PyPI release coming soon · open-sourcing at Black Hat Arsenal

AI
Powered
100%
Open Source
0
Cloud Dependency
3.10+
Python Required
1cmd
To Install
6
Attack Classes

AI agents have no runtime tool to trace multi-hop attack chains across tools, retrieval, and memory.

PwnGraph attaches to a live LangChain agent and hooks every tool call as it runs.

A fuzzer fires adversarial inputs; a canary observed inside a real tool argument is the success oracle — proof, not prediction.

Every confirmed path lands in a typed NetworkX graph and an interactive pyvis report.

pwngraph scan --target agent.py:build_agent --attacks all
Read the docs →

$ pwngraph scan --target lab_agent.py:build_agent --attacks all

[Connector] enumerated 4 tools

[Tracer] hooked agent.invoke()

[Fuzzer] 6 attack classes × 50 iter

[GraphBuilder] 9 dangerous paths · 7 findings

[Oracle] ASR 34.4% · Grade D

 

✓ canary observed in tool args

✓ report.html + attack_graph.html

Architecture & data flow

Five stages. One direction. Canary tokens loop back when an exploit lands.

PWNGRAPH RUNTIME PIPELINE left-to-right data flow · crimson loop = success oracle · hover any stage for details INPUT OUTPUT Target Agent — any LangChain agent. Pass file.py:factory at the CLI. PwnGraph treats it as a black box and attaches at runtime. Target Agent LangChain file.py:factory Connector — attaches to the live agent and enumerates its tool registry. No instrumentation of agent source code required. Connector enumerate tools 1 Tracer — hooks every tool call, capturing input, output, and state transitions. This is the raw signal the Fuzzer steers and the GraphBuilder consumes. Tracer hook tool calls 2 Fuzzer — generates adversarial inputs for two v1 attack classes: indirect prompt injection (poisoned documents) and tool output poisoning (mocked tool responses). Fuzzer adversarial inputs + canary 3 GraphBuilder — converts execution traces into a typed NetworkX graph. Nodes: UserInput, ToolCall, ToolResult, DangerousOutcome. Edges: DirectInjection, ContextPoisoning, ToolManipulation, DataExfil. GraphBuilder typed NetworkX + path finder 4 Reporter — renders an interactive pyvis attack-graph HTML with path highlighting, plus a severity-ranked HTML report with remediation hints. Reporter pyvis HTML + report 5 canary observed in tool arg success oracle — proves the path, not predicts it
PWNGRAPH RUNTIME PIPELINE top-to-bottom data flow · tap a stage for details INPUT Target Agent — any LangChain agent. Pass file.py:factory at the CLI. PwnGraph treats it as a black box and attaches at runtime. Target Agent LangChain file.py:factory Connector — attaches to the live agent and enumerates its tool registry. No instrumentation of agent source code required. 1 Connector enumerate tools Tracer — hooks every tool call, capturing input, output, and state transitions. This is the raw signal the Fuzzer steers and the GraphBuilder consumes. 2 Tracer hook tool calls Fuzzer — generates adversarial inputs for two v1 attack classes: indirect prompt injection (poisoned documents) and tool output poisoning (mocked tool responses). 3 Fuzzer adversarial inputs + canary GraphBuilder — converts execution traces into a typed NetworkX graph. Nodes: UserInput, ToolCall, ToolResult, DangerousOutcome. Edges: DirectInjection, ContextPoisoning, ToolManipulation, DataExfil. 4 GraphBuilder typed NetworkX + paths Reporter — renders an interactive pyvis attack-graph HTML with path highlighting, plus a severity-ranked HTML report with remediation hints. 5 Reporter pyvis HTML + report OUTPUT canary observed in tool arg success oracle — proves the path, not predicts it

Static analysis vs. runtime

Static analyzers model the agent and reason about what could go wrong. They never run it, so they miss paths that only emerge at execution time — across tools, retrieval, and memory.

PwnGraph is dynamic. It instruments the live pipeline, fuzzes it with adversarial inputs, and proves what does go wrong — with a canary token observed inside a real tool call.

Dimension Static analysis PwnGraph (runtime)
ApproachModels the agent offlineLive runtime instrumentation
Connects to real agentsLive LangChain agents
Discovers unknown pathsLimited to modeled rulesYes — adversarial fuzzing
Success oracleInferred from the modelCanary observed in tool arg
SetupHand-written model / rulespip install pwngraph
Visual outputStatic diagramInteractive pyvis graph
What it gives youPredicts what could happenProves what does happen

One engine, every agent framework

Attach PwnGraph to the stack you already run. Live today — with the most popular frameworks landing next.

Supported now
LangChain LangGraph
Next up
AutoGen CrewAI
On the roadmap
OpenAI Agents SDK LlamaIndex Semantic Kernel

Want your framework prioritized? Open an issue on GitHub →

Trace attack paths in your own agent today

MIT licensed. Runs entirely on your machine. Mock LLM by default.
pip install pwngraph[langchain]

View on GitHub Read the docs →