According to Infosecurity Magazine, the UK AI Security Institute has partnered with security firms Check Point and Lakera to launch an open source framework called the backbone breaker benchmark (b3) designed to improve large language model security for AI agents. The benchmark uses a novel “threat snapshots” technique powered by crowdsourced adversarial data from Lakera’s “Gandalf: Agent Breaker” initiative, combining 10 representative agent threat snapshots with a dataset of 19,433 adversarial attacks. The framework specifically targets vulnerabilities in the backbone LLMs that power AI agents, focusing on pressure points where prompts, files, or web inputs trigger malicious outputs rather than evaluating full agent workflows end-to-end. According to Lakera co-founder Mateo Rojas-Carulla, this approach allows developers to systematically surface vulnerabilities that have remained hidden in complex agent workflows, with initial results showing that models reasoning step-by-step tend to be more secure and open-weight models are closing the gap with closed systems faster than expected. This development comes as the security community seeks more sophisticated testing methods for increasingly complex AI systems.
Table of Contents
Why Backbone Security Demands Special Attention
The focus on backbone LLMs represents a crucial shift in AI security thinking. While much attention has been paid to AI agent architecture and workflow design, the fundamental vulnerability often lies in the core language models themselves. Each time an agent makes an LLM call, it’s essentially trusting that the model will process inputs safely and produce appropriate outputs. Attackers have learned to exploit these individual calls through sophisticated prompt manipulation, file poisoning, and web input attacks that bypass higher-level security controls. The b3 benchmark’s approach of testing these pressure points directly addresses what security professionals call the “weakest link” problem in complex systems.
The Technical Innovation Behind Threat Snapshots
Threat snapshots represent a significant methodological advancement in AI security testing. Traditional security benchmarks often test models against static datasets or simulated attacks, but b3’s use of crowdsourced adversarial data from real-world attack attempts provides a more dynamic and realistic testing environment. This approach captures the evolving nature of actual threats that LLM developers face daily. The inclusion of 19,433 specific attack patterns means developers aren’t just testing theoretical vulnerabilities but real attack vectors that have proven effective against existing systems. This granular testing methodology could become the gold standard for security validation as AI systems become more integrated into critical applications.
Broader Industry Implications and Challenges
The open source nature of this benchmark could accelerate security improvements across the AI industry, but it also presents challenges. As security testing becomes more standardized and accessible, we’re likely to see increased pressure on model providers to demonstrate robust security postures. However, there’s a risk that benchmarks could become gaming targets—where models are optimized specifically for benchmark performance rather than real-world security. The partnership between the UK government’s AI Security Institute and commercial security firms like Check Point also highlights the growing recognition that AI security requires collaboration between public and private sectors, particularly as AI systems become more integrated into critical infrastructure and government operations.
The Evolving AI Security Landscape
Looking ahead, benchmarks like b3 represent just the beginning of what will likely become a comprehensive ecosystem of AI security testing tools. As Andrew Bolster from Black Duck noted, true-scale security will require combining novel prompt manipulation techniques with traditional application security testing and model attestation regimes. The finding that step-by-step reasoning models show better security performance suggests that architectural choices may become as important as training methodologies for secure AI development. As the gap between open-weight and closed systems narrows, we can expect increased competition around security as a differentiating factor in model selection, particularly for enterprise and government applications where security requirements are most stringent.
