Run the corpus on your agents

The red-team corpus is not only how we test Kaizen. It is a detection eval you can run against your own agents, as a one-off check or a regression suite in CI.

What it does

The corpus declares a set of agents, runs normal activity to establish a baseline, then runs ten classes of attack and checks that Kaizen catches each one. It prints a scorecard:

Detection scorecard: Kaizen caught 13/13 red-team actions (100%).

Run it

git clone https://github.com/getkaizen/kaizen-security
cd kaizen-security
export KAIZEN_API_KEY=kz_live_...      # create one in the console, API keys
python red-team/corpus.py

Every action is reported to your Kaizen org, so the agents and verdicts show up in your console under Agents and Verdicts. For the reasoning check to weigh in, add your model key in the console under Settings, Reasoning model. The deterministic checks catch undeclared and out-of-baseline actions without a model.

Add your own scenarios

A scenario is a declared agent, a baseline, and the attack actions Kaizen should catch:

{
    "name": "my-scenario",
    "agent": "my-agent",
    "declare": {"tools": ["lookup", "summarize"], "destinations": ["api.mine.com"]},
    "baseline": [("lookup", "tool_call", ""), ("summarize", "tool_call", "")],
    "attack": [("exfiltrate", "connect", "attacker.example")],
}

The one rule the offline test enforces: every attack tool is undeclared, so Kaizen has a deterministic reason to flag it. Add your real agents and the attacks you worry about, and the corpus becomes your own detection baseline.

Wire it into CI

The corpus runs in CI in our repo: an offline invariant test on every push, and a live detection run on a schedule that fails the build if detection drops. Do the same in yours: run corpus.py against a test org and assert the scorecard. A change that regresses your agents' guardrails then fails the build.

See also

• How AI agents fail, and what Kaizen catches, the attack taxonomy.
• Azure Container Apps sandboxes case study, one attack end to end.