T-MAP: Red-Teaming LLM Agents with Trajectory-aware Evolutionary Search

While prior red-teaming efforts have focused on eliciting harmful text outputs of large language models (LLMs), such approaches fail to capture agent-specific vulnerabilities that emerge through multi-step tool execution, particularly in rapidly growing ecosystems such as the model context protocol (MCP). To address this gap, we propose a trajectory-aware evolutionary search method, T-MAP, which leverages execution trajectories to guide the discovery of adversarial prompts. Our approach enables the automatic generation of attacks that not only bypass safety guardrails but also reliably realize harmful objectives through actual tool interactions. Empirical evaluation across diverse MCP environments demonstrates that our method substantially outperforms baselines in attack realization rate, revealing previously underexplored vulnerabilities and aiding in proactively identifying the risks posed by autonomous LLM agents.