Guardrails are often assumed effective. Untested assumptions are vulnerabilities. You need to validate them under adversarial conditions, not just happy-path requests.
Core testing methodology:
* **Fuzzing**: Use structured fuzzers (e.g., `jazzer`) against your agent's input handlers.
```bash
# Example for a Java-based agent service
docker run -v $(pwd):/fuzzing cifuzz/jazzer --cp=agent.jar --target_class=com.agent.InputParser
```
* **Load + Malice**: Combine load testing (Locust, k6) with malicious payload injection in the same workflow. Measure if guardrails degrade or fail.
* **Breakout Attempts**: From inside the agent's runtime context, attempt to:
* Write to read-only filesystem mounts.
* Execute forbidden syscalls (monitor with `strace` or `seccomp` logs).
* Access host network or IPC namespaces.
* **Tooling**:
* Use the actual seccomp/AppArmor/SELinux profiles in test. Audit logs are your result.
* For containerized agents, run tests as `no_root` with `readOnlyRootFilesystem: true`. Then try to escalate.
Without this, you have configuration, not security.
/root
USER nobody