{"id":"https://openalex.org/W7135025888","doi":"https://doi.org/10.1016/j.iotcps.2026.03.001","title":"Securing LLM agents: From prompt sanitization to autonomous red teaming and beyond","display_name":"Securing LLM agents: From prompt sanitization to autonomous red teaming and beyond","publication_year":2025,"publication_date":"2025-01-01","ids":{"openalex":"https://openalex.org/W7135025888","doi":"https://doi.org/10.1016/j.iotcps.2026.03.001"},"language":"en","primary_location":{"id":"doi:10.1016/j.iotcps.2026.03.001","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.iotcps.2026.03.001","pdf_url":null,"source":{"id":"https://openalex.org/S4210180977","display_name":"Internet of Things and Cyber-Physical Systems","issn_l":"2667-3452","issn":["2667-3452"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310320990","host_organization_name":"Elsevier BV","host_organization_lineage":["https://openalex.org/P4310320990"],"host_organization_lineage_names":["Elsevier BV"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Internet of Things and Cyber-Physical Systems","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","doaj"],"open_access":{"is_oa":true,"oa_status":"diamond","oa_url":"https://doi.org/10.1016/j.iotcps.2026.03.001","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5026903935","display_name":"Mohamed Amine Ferrag","orcid":"https://orcid.org/0000-0002-0632-3172"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Mohamed Amine Ferrag","raw_affiliation_strings":[],"raw_orcid":"https://orcid.org/0000-0002-0632-3172","affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5090441509","display_name":"Abderrahmane Lakas","orcid":"https://orcid.org/0000-0003-4725-8634"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Abderrahmane Lakas","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5073042391","display_name":"Norbert Tihanyi","orcid":"https://orcid.org/0000-0002-9002-5935"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Norbert Tihanyi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5128822128","display_name":"M\u00e9rouane Debbah","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Merouane Debbah","raw_affiliation_strings":[],"raw_orcid":"https://orcid.org/0000-0001-8941-8080","affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":1.7588,"has_fulltext":false,"cited_by_count":1,"citation_normalized_percentile":{"value":0.91501767,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":95,"max":98},"biblio":{"volume":"5","issue":null,"first_page":"185","last_page":"209"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.14229999482631683,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.14229999482631683,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12203","display_name":"Mobile Agent-Based Network Management","score":0.11079999804496765,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10927","display_name":"Access Control and Trust","score":0.0989999994635582,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.26350000500679016},{"id":"https://openalex.org/keywords/work","display_name":"Work (physics)","score":0.257999986410141},{"id":"https://openalex.org/keywords/government","display_name":"Government (linguistics)","score":0.23989999294281006},{"id":"https://openalex.org/keywords/patient-privacy","display_name":"Patient privacy","score":0.23890000581741333}],"concepts":[{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4097000062465668},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.3978999853134155},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.30140000581741333},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.29170000553131104},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.27390000224113464},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.26350000500679016},{"id":"https://openalex.org/C18762648","wikidata":"https://www.wikidata.org/wiki/Q42213","display_name":"Work (physics)","level":2,"score":0.257999986410141},{"id":"https://openalex.org/C2778137410","wikidata":"https://www.wikidata.org/wiki/Q2732820","display_name":"Government (linguistics)","level":2,"score":0.23989999294281006},{"id":"https://openalex.org/C2910417920","wikidata":"https://www.wikidata.org/wiki/Q4116434","display_name":"Patient privacy","level":3,"score":0.23890000581741333},{"id":"https://openalex.org/C192209626","wikidata":"https://www.wikidata.org/wiki/Q190909","display_name":"Focus (optics)","level":2,"score":0.23180000483989716}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1016/j.iotcps.2026.03.001","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.iotcps.2026.03.001","pdf_url":null,"source":{"id":"https://openalex.org/S4210180977","display_name":"Internet of Things and Cyber-Physical Systems","issn_l":"2667-3452","issn":["2667-3452"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310320990","host_organization_name":"Elsevier BV","host_organization_lineage":["https://openalex.org/P4310320990"],"host_organization_lineage_names":["Elsevier BV"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Internet of Things and Cyber-Physical Systems","raw_type":"journal-article"},{"id":"pmh:oai:doaj.org/article:d5361f05fc9443f48c57e7d54f01ae3a","is_oa":true,"landing_page_url":"https://doaj.org/article/d5361f05fc9443f48c57e7d54f01ae3a","pdf_url":null,"source":{"id":"https://openalex.org/S4306401280","display_name":"DOAJ (DOAJ: Directory of Open Access Journals)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by-sa","license_id":"https://openalex.org/licenses/cc-by-sa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Internet of Things and Cyber-Physical Systems, Vol 5, Iss , Pp 185-209 (2025)","raw_type":"article"}],"best_oa_location":{"id":"doi:10.1016/j.iotcps.2026.03.001","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.iotcps.2026.03.001","pdf_url":null,"source":{"id":"https://openalex.org/S4210180977","display_name":"Internet of Things and Cyber-Physical Systems","issn_l":"2667-3452","issn":["2667-3452"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310320990","host_organization_name":"Elsevier BV","host_organization_lineage":["https://openalex.org/P4310320990"],"host_organization_lineage_names":["Elsevier BV"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Internet of Things and Cyber-Physical Systems","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[{"id":"https://openalex.org/F4320323593","display_name":"United Arab Emirates University","ror":"https://ror.org/01km6p862"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":37,"referenced_works":["https://openalex.org/W4387167478","https://openalex.org/W4389617257","https://openalex.org/W4401042259","https://openalex.org/W4401450595","https://openalex.org/W4402217583","https://openalex.org/W4402669751","https://openalex.org/W4402671718","https://openalex.org/W4402671828","https://openalex.org/W4403180628","https://openalex.org/W4403507961","https://openalex.org/W4403780746","https://openalex.org/W4404782584","https://openalex.org/W4406109384","https://openalex.org/W4406882309","https://openalex.org/W4407070057","https://openalex.org/W4407207546","https://openalex.org/W4408167800","https://openalex.org/W4409150456","https://openalex.org/W4409568327","https://openalex.org/W4410583248","https://openalex.org/W4410632703","https://openalex.org/W4410907505","https://openalex.org/W4411001734","https://openalex.org/W4411113449","https://openalex.org/W4411119061","https://openalex.org/W4411337486","https://openalex.org/W4412482272","https://openalex.org/W4412877008","https://openalex.org/W4412888589","https://openalex.org/W4412888909","https://openalex.org/W4412944922","https://openalex.org/W4413755286","https://openalex.org/W4415967072","https://openalex.org/W4416034461","https://openalex.org/W4416036922","https://openalex.org/W4416922845","https://openalex.org/W7117538756"],"related_works":[],"abstract_inverted_index":{"Large":[0],"Language":[1],"Models":[2],"(LLMs)":[3],"are":[4],"rapidly":[5],"transitioning":[6],"from":[7,76],"standalone":[8],"conversational":[9],"systems":[10],"to":[11,82,89,209],"autonomous":[12],"agents":[13,222],"that":[14],"reason,":[15],"plan,":[16],"and":[17,35,43,55,79,86,115,141,147,158,161,171,183,200,213,219],"interact":[18],"with":[19,117],"external":[20],"tools.":[21],"While":[22],"this":[23,176],"shift":[24],"enables":[25],"powerful":[26],"applications":[27],"in":[28,155,215],"domains":[29],"such":[30,47],"as":[31,48,98],"healthcare,":[32],"finance,":[33],"law,":[34],"software":[36],"engineering,":[37],"it":[38],"also":[39,68],"introduces":[40],"new":[41],"security":[42],"safety":[44],"risks.":[45],"Attacks":[46],"prompt":[49],"injection,":[50],"jailbreak":[51],"exploits,":[52],"backdoor":[53],"triggers,":[54],"multimodal":[56,159],"adversarial":[57],"inputs":[58],"expose":[59],"vulnerabilities":[60,154],"not":[61],"only":[62],"at":[63],"the":[64,70,123,188],"model":[65],"level":[66],"but":[67],"across":[69,113],"broader":[71],"agentic":[72,148],"workflow.":[73],"Existing":[74],"defenses\u2014ranging":[75],"input":[77],"filtering":[78],"alignment":[80],"reinforcement":[81],"runtime":[83],"monitoring\u2014remain":[84],"fragmented":[85],"often":[87],"fail":[88],"anticipate":[90],"adaptive":[91,197],"adversaries.":[92],"Meanwhile,":[93],"red":[94,136,149],"teaming":[95,137,150],"has":[96],"emerged":[97],"a":[99],"critical":[100],"methodology":[101],"for":[102,190,223],"stress-testing":[103],"these":[104],"systems;":[105],"however,":[106],"current":[107],"efforts":[108],"lack":[109],"standardization,":[110],"comprehensive":[111,125],"coverage":[112],"modalities,":[114],"integration":[116,202],"agent-specific":[118],"contexts.":[119],"This":[120],"paper":[121],"provides":[122],"first":[124],"survey":[126],"of":[127,203],"LLM":[128],"agent":[129],"security,":[130],"synthesizing":[131],"research":[132,185],"on":[133,175],"attack":[134],"strategies,":[135],"frameworks,":[138],"evaluation":[139],"suites,":[140],"defense":[142,163],"mechanisms.":[143],"We":[144],"categorize":[145],"automated":[146],"approaches,":[151],"highlight":[152],"domain-specific":[153],"code,":[156],"web,":[157],"agents,":[160],"analyze":[162],"strategies":[164],"spanning":[165],"prompt-level,":[166],"decoding-time,":[167],"runtime,":[168],"backdoor,":[169],"privacy-preserving,":[170],"multi-agent":[172,204],"safeguards.":[173],"Building":[174],"synthesis,":[177],"we":[178],"outline":[179],"key":[180],"open":[181],"challenges":[182],"future":[184],"directions,":[186],"including":[187],"need":[189],"scalable":[191],"defenses,":[192],"standardized":[193],"benchmarks,":[194],"robustness":[195],"against":[196],"attacks,":[198],"explainability,":[199],"secure":[201],"workflows.":[205],"Our":[206],"findings":[207],"aim":[208],"guide":[210],"both":[211],"researchers":[212],"practitioners":[214],"advancing":[216],"robust,":[217],"trustworthy,":[218],"resilient":[220],"LLM-powered":[221],"safety-critical":[224],"applications.":[225]},"counts_by_year":[{"year":2026,"cited_by_count":1}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-03-13T00:00:00"}