SwarmGuard

Protects against multi-agent swarm attacks including agent spawn abuse, trust chain exploitation, memory injection, and constraint drift. Specifically designed to address threats from advanced agent swarm systems like Kimi K2.5.

Executive Summary

The Problem

Multi-agent AI systems introduce new attack vectors:

• Agent spawn abuse - Overwhelming systems with 100+ agents
• Trust chain exploitation - Abusing delegation hierarchies
• Memory injection - Poisoning shared agent context
• Constraint drift - Gradually relaxing security boundaries
• Cross-session anomalies - State pollution across sessions

Kimi K2.5 Context

Released January 26, 2026 by Moonshot AI, Kimi K2.5 introduces "Agent Swarm" capability:

Specification	Value
Parameters	1 trillion MoE (32B active)
Max Agents	100 per prompt
Agent Coordination	Native swarm orchestration
Performance	Outperforms GPT-5.2, Claude Opus 4.5 on agentic benchmarks

Known Attack Campaigns

Attack	Description	Impact
GTG-1002	Autonomous attack lifecycle (80-90% automation)	30+ organizations
Memory Injection	False delegation chains across sessions	$2.1M fraud
Salami Slicing	Gradual constraint drift	Undetected escalation
Trust Exploitation	Compromised agent commands trust chain	Full compromise

Sources: DHS/CISA GTG-1002 Analysis (2025), Lakera Memory Injection Research (2025), Kiteworks AI Swarm Guide (2026)

---

Categories

SwarmGuard detects 9 categories of swarm attacks:

Category	Severity	Description
Autonomous Attack Cycle	Critical	GTG-1002 style automated attack lifecycle
Memory Injection	Critical	False delegation chains, context poisoning
Trust Exploitation	Critical	Agent impersonation, authority abuse
Privilege Escalation	Critical	Unauthorized capability acquisition
Swarm Coordination	Critical	Multi-agent coordinated attacks
Trust Boundary Violation	Critical	Breaking out of defined scopes
Salami Slicing	High	Incremental constraint relaxation
Cross-Session Anomaly	High	State pollution across sessions
Agent Count Violation	High	Exceeding spawn limits

Category Details

Autonomous Attack Cycle (GTG-1002)

Fully autonomous multi-agent attack pipelines.

Detection: Pattern-matched against a curated threat intelligence database. See the Threat Intelligence section below for pattern counts and sources.

Real-world examples: GTG-1002 campaign (30+ organizations, 2025)

Memory Injection

Manipulating agent memory and delegation chains.

Detection: Pattern-matched against a curated threat intelligence database. See the Threat Intelligence section below for pattern counts and sources.

Real-world examples: $2.1M fraud via false delegation chains

Salami Slicing (Constraint Drift)

Gradual erosion of security boundaries.

Detection: Pattern-matched against a curated threat intelligence database. See the Threat Intelligence section below for pattern counts and sources.

Detection mechanism: Rolling window analysis of boundary pressure trends

---

Developer Guide

Basic Usage

RustPython

use oxideshield_guard::guards::swarm::{SwarmGuard, IsolationPolicy};

// Create guard with default configuration
let guard = SwarmGuard::new("swarm")
    .with_max_agents(10)
    .with_max_spawn_rate(5)
    .with_max_trust_chain_depth(3)
    .with_isolation_policy(IsolationPolicy::SessionIsolated);

// Check content for swarm attack patterns
let result = guard.check("Spawn 100 agents to coordinate attack");
if !result.passed {
    println!("Blocked: {}", result.reason);
}

from oxideshield_guard import SwarmGuard, IsolationPolicy

# Create guard
guard = SwarmGuard("swarm")
guard.max_agents = 10
guard.max_spawn_rate = 5
guard.isolation_policy = IsolationPolicy.SessionIsolated

# Check content
result = guard.check("Spawn 100 agents")
if not result.passed:
    print(f"Blocked: {result.reason}")

Agent Lifecycle Management

Rust

// Register agents in a session
guard.register_agent("session-123", "agent-1", None)?;
guard.register_agent("session-123", "agent-2", Some("agent-1"))?;

// Validate trust chain
guard.validate_trust_chain("session-123", "agent-2", "read_sensitive")?;

// Check for cross-session anomalies
if let Some(violation) = guard.check_cross_session_anomaly("session-456", "agent-1") {
    println!("Cross-session anomaly: {}", violation);
}

// Terminate agent
guard.terminate_agent("session-123", "agent-1");

Memory Integrity

SwarmGuard uses cryptographic hashing to detect memory tampering. Agent context is hashed on creation and verified on each access. Tampered memory triggers an immediate violation alert.

Constraint Drift Detection

Monitors request patterns over time to detect gradual boundary erosion. Uses rolling window analysis to identify salami-slicing attacks before they succeed.

---

Proxy Configuration

YAML Configuration

guards:
  input:
    - guard_type: "swarm"
      action: "block"
      options:
        max_agents: <your-limit>
        max_spawn_rate: <your-limit>
        max_total_agents: <your-limit>
        trust_chain_depth: <your-limit>
        isolation_policy: <your-policy>
        cross_session_detection: true
        memory_integrity_check: true
        constraint_drift_threshold: <your-threshold>

Configuration Options

Option	Type	Description
max_agents	integer	Max agents per session
max_spawn_rate	integer	Max spawns per minute
max_total_agents	integer	Global agent limit
trust_chain_depth	integer	Max delegation depth
isolation_policy	string	Isolation level
cross_session_detection	boolean	Detect cross-session anomalies
memory_integrity_check	boolean	Validate memory hashes
constraint_drift_threshold	float	Drift detection sensitivity

Isolation Policies

Five isolation levels: none, session, user, task, full — from open communication to complete isolation. Choose based on your trust model.

---

Containment Policies

SwarmGuard includes advanced containment for managing swarm boundaries:

Swarm Boundaries

use oxideshield_guard::guards::containment::{ContainmentPolicy, SwarmBoundary};

let policy = ContainmentPolicy::default_policy();

// Register swarms
policy.register_swarm(SwarmBoundary::new("analytics-swarm", "owner-1"));
policy.register_swarm(SwarmBoundary::new("processing-swarm", "owner-1"));

// Add agents to swarms
policy.add_agent_to_swarm("analytics-swarm", "agent-1")?;
policy.add_agent_to_swarm("processing-swarm", "agent-2")?;

// Validate cross-swarm operations
let result = policy.validate_cross_swarm_operation(
    "analytics-swarm",
    "processing-swarm",
    "read",
);

Privilege Escalation Prevention

// Grant root privilege
policy.grant_privilege("agent-1", "admin", None)?;

// Delegate (respects depth limits)
policy.grant_privilege("agent-2", "admin", Some("agent-1"))?;

// This will fail - agent-3 doesn't have "admin"
let result = policy.grant_privilege("agent-4", "admin", Some("agent-3"));
assert!(result.is_err()); // PrivilegeEscalation error

Quarantine

// Quarantine a compromised swarm
policy.quarantine_swarm("analytics-swarm", "Memory injection detected")?;

// All operations to quarantined swarm will fail
let result = policy.add_agent_to_swarm("analytics-swarm", "agent-3");
assert!(matches!(result, Err(ContainmentError::SwarmQuarantined { .. })));

// Release when safe
policy.release_quarantine("analytics-swarm")?;

---

Threat Intelligence

SwarmGuard is backed by AgentSwarmBench, a threat intelligence database of 70+ swarm attack patterns:

Attack Pattern Categories

Category	Patterns	Research Source
GTG-1002 Patterns	12	DHS/CISA Campaign Analysis (2025)
Memory Injection	10	Lakera AI Security Research (2025)
Salami Slicing	8	Microsoft Security Blog (2026)
Trust Exploitation	10	NIST AI RMF
Kimi K2.5 Specific	15	Moonshot AI Technical Report (2026)
Cross-Session	5	OxideShield Research
Privilege Escalation	5	OxideShield Research
Trust Boundary	5	OxideShield Research

Using Threat Intelligence

use oxide_threatintel::sources::AgentSwarmBenchLoader;

let loader = AgentSwarmBenchLoader::new();

// Get all patterns
let patterns = loader.to_threat_records();
println!("Loaded {} swarm attack patterns", patterns.len());

// Filter by category
let gtg_patterns = loader.filter_by_category(SwarmAttackCategory::AutonomousAttackCycle);
let memory_patterns = loader.filter_by_category(SwarmAttackCategory::MemoryInjection);

---

Best Practices

1. Set Conservative Limits

guards:
  input:
    - guard_type: "swarm"
      options:
        max_agents: 10        # Start low, Kimi allows 100
        max_spawn_rate: 5     # Prevent spawn storms
        trust_chain_depth: 2  # Limit delegation depth

2. Enable All Detection

options:
  cross_session_detection: true
  memory_integrity_check: true
  constraint_drift_threshold: 0.2  # Lower = more sensitive

3. Use Appropriate Isolation

Use Case	Recommended Policy
Multi-tenant SaaS	user or full
Internal tools	session
Development/testing	none or session
High-security	full

4. Monitor and Alert

let stats = guard.global_stats();
if stats.total_agents > threshold {
    alert("Agent count approaching limit");
}

let session_stats = guard.session_stats("session-123").unwrap();
if session_stats.max_trust_depth >= config.max_trust_chain_depth - 1 {
    alert("Deep trust chain detected");
}

---

References

Research Sources

• GTG-1002 Campaign Analysis - DHS/CISA (2025)
• Memory Injection in LLM Agents - Lakera AI (2025)
• Runtime Risk: Securing AI Agents - Microsoft Security Blog (Jan 2026)
• AI Swarm Attacks 2026 Guide - Kiteworks
• Multi-Agent Security Framework - NIST AI RMF
• Kimi K2.5 Technical Report - Moonshot AI (Jan 2026)

Related Guards

• AgenticGuard - Single-agent tool chain protection
• AuthoritarianUseGuard - Authoritarian misuse detection
• MisalignmentGuard - AI misalignment tracking

External Links

• VentureBeat: Kimi K2.5 Release
• TechCrunch: Kimi K2.5 Agent
• Lakera: Year of the Agent