What is Sequential Workflow Exploitation?

Techniques for exploiting sequential agentic workflows by poisoning early stages to corrupt downstream processing, manipulating checkpoints, and exploiting inter-step data dependencies.

What is Parallel Execution Attacks?

Techniques for exploiting parallel execution in agentic systems, including race conditions, conflicting tool calls, output aggregation manipulation, and resource contention attacks.

What is Hierarchical Agent Attacks?

Techniques for exploiting hierarchical agent systems where manager agents delegate to worker agents, including delegation manipulation, supervisor evasion, worker exploitation, and authority chain attacks.

What is Planning Agent Manipulation?

Manipulating LLM-based planning agents to execute adversarial action sequences.

What is Reflection Loop Exploitation?

Exploiting self-reflection and self-correction loops in agent workflows.

What is Human-in-the-Loop Bypass?

Techniques for bypassing human approval steps in agent workflows through urgency injection and stealth.

What is Router Agent Confusion?

Confusing router/dispatcher agents to misdirect tasks to inappropriate specialist agents.

What is Workflow State Manipulation?

Manipulating workflow state machines to skip validation steps and reach privileged execution paths.

What is Agentic Loop Denial of Service?

Triggering infinite or resource-exhausting loops in agentic workflows through crafted inputs.

What is Map-Reduce Agent Pattern Attacks?

Exploiting map-reduce workflow patterns in agent systems to inject adversarial content during aggregation phases.

Agentic Workflow Pattern Attacks

Intermediate7 min readUpdated 2026-03-15

Overview of attacks targeting common agentic workflow patterns including sequential, parallel, and hierarchical execution, covering how workflow structure creates unique exploitation opportunities.

workflow-patterns sequential parallel hierarchical agent-exploitation

Agentic Workflow Pattern Attacks

AI agents execute tasks through structured workflow patterns: sequential pipelines where each step feeds the next, parallel execution where multiple operations run simultaneously, and hierarchical systems where manager agents delegate to worker agents. Each pattern creates distinct attack opportunities. Sequential workflows allow early-stage poisoning that corrupts all downstream steps. Parallel execution introduces race conditions and output aggregation vulnerabilities. Hierarchical systems enable delegation-based privilege escalation. Understanding these patterns is essential for systematic red team assessment of agentic systems.

Workflow Pattern Taxonomy

Pattern	Structure	Data Flow	Primary Vulnerability
Sequential	A -> B -> C -> D	Linear, output-to-input	Upstream poisoning propagates to all downstream steps
Parallel	A -> [B, C, D] -> E	Fan-out, fan-in	Race conditions, output conflicts, aggregation manipulation
Hierarchical	Manager -> [Worker1, Worker2, Worker3]	Delegated with reporting	Delegation abuse, supervisor evasion, worker manipulation
Hybrid	Varies	Conditional paths	All of the above, plus branch manipulation

How Workflow Structure Creates Vulnerabilities

Sequential Vulnerability: Cascading Corruption

In sequential workflows, each step trusts the output of the previous step. An attacker who poisons step 1 corrupts every subsequent step:

Step 1 (Search): Returns poisoned results containing injection
    ↓ (poisoned output flows downstream)
Step 2 (Analysis): Follows injected instructions from Step 1
    ↓ (corruption amplified)
Step 3 (Summary): Produces a compromised summary
    ↓ (poisoned summary propagated)
Step 4 (Action): Takes malicious action based on corrupted data

The corruption amplifies at each step because each step adds its own interpretation of the poisoned input, making the injection increasingly difficult to trace back to its source.

Parallel Vulnerability: Consistency Conflicts

In parallel workflows, multiple operations run simultaneously and their results are combined. An attacker can create conflicts between parallel branches:

     ┌─ Branch A: Returns "Budget: $10M" (legitimate)
     │
Start┤─ Branch B: Returns "Budget: $100M" (poisoned data source)
     │
     └─ Branch C: Returns "Budget: $10M" (legitimate)

Aggregation: Which value does the model trust? The poisoned
branch may win through stronger framing or by including
authoritative-sounding context.

Hierarchical Vulnerability: Authority Exploitation

In hierarchical workflows, the manager's decisions determine what workers do. Manipulating the manager provides leverage over all workers:

Manager (manipulated to delegate malicious task)
    ├─ Worker A (executes malicious task with its tools)
    ├─ Worker B (unaware, continues normal work)
    └─ Worker C (receives poisoned input from Worker A's results)

Common Workflow Patterns in Production

Understanding which products use which patterns helps focus red team assessments:

Product/System	Workflow Pattern	Attack Focus
RAG-enhanced chatbot	Sequential (retrieve -> augment -> generate)	Retrieval poisoning
Code review agent	Sequential (fetch -> analyze -> suggest)	Source poisoning
Research assistant	Parallel (multi-source search -> synthesis)	Source conflict manipulation
Customer support agent	Hierarchical (router -> specialist agents)	Router manipulation
Data pipeline agent	Sequential + Parallel (ETL with concurrent sources)	Source poisoning + race conditions
Security monitoring agent	Parallel (multi-tool scanning -> aggregation)	Alert suppression via conflicting results

Assessment Methodology

Identify the workflow pattern
Determine whether the agent uses sequential, parallel, hierarchical, or hybrid patterns. Map the data flow between steps, identify trust boundaries, and document which steps have access to external data sources.
Map injection points
For each step in the workflow, identify where external (potentially attacker-controlled) data enters. This includes tool outputs, retrieved documents, API responses, and inter-agent messages.
Test upstream poisoning
For sequential workflows, inject adversarial content at the earliest possible step and monitor how it propagates through subsequent steps. Document the amplification factor (how much the injection grows as it passes through steps).
Test parallel conflicts
For parallel workflows, create conflicting outputs between branches and observe which branch's output dominates the aggregation. Test whether the aggregation can be steered through authoritative framing.
Test delegation manipulation
For hierarchical workflows, attempt to influence the manager's delegation decisions. Test whether workers can be assigned tasks outside their intended scope.
Test checkpoint integrity
Identify any checkpoints, validation steps, or human-in-the-loop mechanisms in the workflow. Test whether these can be bypassed or manipulated.

Cross-Pattern Defenses

Defense	Sequential	Parallel	Hierarchical
Inter-step sanitization	High value	Medium	High value
Output validation at each step	High value	High value	High value
Checkpoint/approval gates	Medium	Low	High value
Result consistency checking	Low	High value	Medium
Privilege-scoped steps	Medium	Medium	High value
Call budget per step	Medium	Medium	Medium

Sequential Workflow Exploitation -- Detailed sequential attack techniques
Parallel Execution Attacks -- Race conditions and aggregation manipulation
Hierarchical Agent Attacks -- Manager/worker exploitation
Agent Exploitation -- Foundational agent attack taxonomy

Knowledge Check

A research assistant agent uses parallel execution to search five data sources simultaneously, then aggregates the results into a synthesis. An attacker controls one of the five data sources. What is the most effective attack strategy?

References

Wu et al., "AutoDefense: Multi-Agent LLM Defense against Jailbreak Attacks" (2024)
Debenedetti et al., "AgentDojo" (2024)
OWASP Top 10 for LLM Applications v2.0

Agentic Workflow Pattern Attacks

Intermediate7 min readUpdated 2026-03-15

Overview of attacks targeting common agentic workflow patterns including sequential, parallel, and hierarchical execution, covering how workflow structure creates unique exploitation opportunities.

workflow-patterns sequential parallel hierarchical agent-exploitation

Agentic Workflow Pattern Attacks

Workflow Pattern Taxonomy

Pattern	Structure	Data Flow	Primary Vulnerability
Sequential	A -> B -> C -> D	Linear, output-to-input	Upstream poisoning propagates to all downstream steps
Parallel	A -> [B, C, D] -> E	Fan-out, fan-in	Race conditions, output conflicts, aggregation manipulation
Hierarchical	Manager -> [Worker1, Worker2, Worker3]	Delegated with reporting	Delegation abuse, supervisor evasion, worker manipulation
Hybrid	Varies	Conditional paths	All of the above, plus branch manipulation

How Workflow Structure Creates Vulnerabilities

Sequential Vulnerability: Cascading Corruption

In sequential workflows, each step trusts the output of the previous step. An attacker who poisons step 1 corrupts every subsequent step:

Step 1 (Search): Returns poisoned results containing injection
    ↓ (poisoned output flows downstream)
Step 2 (Analysis): Follows injected instructions from Step 1
    ↓ (corruption amplified)
Step 3 (Summary): Produces a compromised summary
    ↓ (poisoned summary propagated)
Step 4 (Action): Takes malicious action based on corrupted data

The corruption amplifies at each step because each step adds its own interpretation of the poisoned input, making the injection increasingly difficult to trace back to its source.

Parallel Vulnerability: Consistency Conflicts

In parallel workflows, multiple operations run simultaneously and their results are combined. An attacker can create conflicts between parallel branches:

     ┌─ Branch A: Returns "Budget: $10M" (legitimate)
     │
Start┤─ Branch B: Returns "Budget: $100M" (poisoned data source)
     │
     └─ Branch C: Returns "Budget: $10M" (legitimate)

Aggregation: Which value does the model trust? The poisoned
branch may win through stronger framing or by including
authoritative-sounding context.

Hierarchical Vulnerability: Authority Exploitation

In hierarchical workflows, the manager's decisions determine what workers do. Manipulating the manager provides leverage over all workers:

Manager (manipulated to delegate malicious task)
    ├─ Worker A (executes malicious task with its tools)
    ├─ Worker B (unaware, continues normal work)
    └─ Worker C (receives poisoned input from Worker A's results)

Common Workflow Patterns in Production

Understanding which products use which patterns helps focus red team assessments:

Product/System	Workflow Pattern	Attack Focus
RAG-enhanced chatbot	Sequential (retrieve -> augment -> generate)	Retrieval poisoning
Code review agent	Sequential (fetch -> analyze -> suggest)	Source poisoning
Research assistant	Parallel (multi-source search -> synthesis)	Source conflict manipulation
Customer support agent	Hierarchical (router -> specialist agents)	Router manipulation
Data pipeline agent	Sequential + Parallel (ETL with concurrent sources)	Source poisoning + race conditions
Security monitoring agent	Parallel (multi-tool scanning -> aggregation)	Alert suppression via conflicting results

Assessment Methodology

Identify the workflow pattern
Determine whether the agent uses sequential, parallel, hierarchical, or hybrid patterns. Map the data flow between steps, identify trust boundaries, and document which steps have access to external data sources.
Map injection points
For each step in the workflow, identify where external (potentially attacker-controlled) data enters. This includes tool outputs, retrieved documents, API responses, and inter-agent messages.
Test upstream poisoning
For sequential workflows, inject adversarial content at the earliest possible step and monitor how it propagates through subsequent steps. Document the amplification factor (how much the injection grows as it passes through steps).
Test parallel conflicts
For parallel workflows, create conflicting outputs between branches and observe which branch's output dominates the aggregation. Test whether the aggregation can be steered through authoritative framing.
Test delegation manipulation
For hierarchical workflows, attempt to influence the manager's delegation decisions. Test whether workers can be assigned tasks outside their intended scope.
Test checkpoint integrity
Identify any checkpoints, validation steps, or human-in-the-loop mechanisms in the workflow. Test whether these can be bypassed or manipulated.

Cross-Pattern Defenses

Defense	Sequential	Parallel	Hierarchical
Inter-step sanitization	High value	Medium	High value
Output validation at each step	High value	High value	High value
Checkpoint/approval gates	Medium	Low	High value
Result consistency checking	Low	High value	Medium
Privilege-scoped steps	Medium	Medium	High value
Call budget per step	Medium	Medium	Medium

Sequential Workflow Exploitation -- Detailed sequential attack techniques
Parallel Execution Attacks -- Race conditions and aggregation manipulation
Hierarchical Agent Attacks -- Manager/worker exploitation
Agent Exploitation -- Foundational agent attack taxonomy

Knowledge Check

References

Wu et al., "AutoDefense: Multi-Agent LLM Defense against Jailbreak Attacks" (2024)
Debenedetti et al., "AgentDojo" (2024)
OWASP Top 10 for LLM Applications v2.0

Agentic Workflow Pattern Attacks

Identify the workflow pattern

Map injection points

Test upstream poisoning

Test parallel conflicts

Test delegation manipulation

Test checkpoint integrity

Learning Path

Related Articles

Parallel Function Call Exploitation

Function Calling Race Conditions (Agentic Exploitation)

Parallel Execution Attacks

Agentic Workflow Pattern Attacks

Identify the workflow pattern

Map injection points

Test upstream poisoning

Test parallel conflicts

Test delegation manipulation

Test checkpoint integrity

Learning Path

Related Articles

Parallel Function Call Exploitation

Function Calling Race Conditions (Agentic Exploitation)

Parallel Execution Attacks