Ultra13
Benchmarks · Methodology

Benchmark methodology for the Ultra13 Context Firewall

Ultra13 benchmarks agentic AI security by replaying attack families against a workflow with the firewall off and then with the firewall on. A finding is counted as neutralized only when the attack succeeds in the unprotected run and is blocked, redacted, quarantined, approval-gated, or otherwise prevented from reaching the unsafe sink in the protected run. Results are tied to product version, policy version, model/provider assumptions, attack definitions, benign test cases, and validation date.

By the Ultra13 teamPublished Updated
TL;DR
  • Each attack family is replayed with the firewall OFF then ON.
  • Neutralized = succeeds unprotected AND is blocked when protected.
  • Results are pinned to product version, models, datasets, and date.
  • Coverage depends on workflow, deployment mode, and policy configuration.

Status

The full methodology — test date, product version, model providers, attack corpora, benign corpus, replay harness, and precision/recall calculation — is being finalised for publication. Until it is published, treat headline benchmark figures as illustrative.

The OFF → ON definition

For each attack, we run the workflow unprotected and confirm the exploit succeeds, then run it with the firewall on. It counts as neutralized only if the protected run blocks, redacts, quarantines, or gates the path before it reaches the unsafe sink. Partial coverage and gaps are defined explicitly and reported separately.

Attack families

Direct prompt injection
user prompt
final answer / tool call
block, withhold, or constrain
Indirect injection
document / webpage / ticket
tool call
treat as evidence, not instruction
RAG poisoning
retrieved chunk
export / answer / memory
source ACL + provenance
Memory poisoning
stored memory
future action
write gate + quarantine
Tool hijack
tool result
next tool call
tool-result trust limits
MCP rug-pull
changed tool schema
tool execution
schema pinning + drift detection
Egress exfiltration
prompt / RAG / tool output
webhook / export / answer
DLP + destination policy
Consent spoofing
in-band text
approval-gated action
authenticated approval channel
Cross-tenant bleed
retrieved data
answer / export
tenant isolation + redaction

Framework mapping

Ultra13 uses OWASP’s agentic security work and MITRE ATLAS as reference points for attack-family mapping and validation planning. Mapping is intended to help security teams reason about adversarial behaviour; it is not a claim of certification or endorsement. See the sample proof report for how a single finding is represented end to end.

FAQ

Frequently asked questions

What counts as 'neutralized' in an Ultra13 benchmark?
An attack that succeeds against the unprotected workflow and is blocked, redacted, quarantined, or approval-gated when the firewall is on — verified by replay.
Do the benchmark numbers apply to every deployment?
No. Coverage depends on the workflow, tools, data classes, policy configuration, deployment mode, and validation scope. Numbers are tied to a specific product and policy version and test date.

See where the firewall stops the path.

Give us one agent workflow. We’ll map the context boundary, replay the abuse paths, and show where the Context Firewall blocks them.