Customer Story · Emergent
RED-TEAMING WINGMAN BEFORE A SINGLE USER TOUCHED IT.
Emergent, the AI app builder behind millions of production applications, engaged Straiker STAR Labs to attack its connected AI assistant under realistic adversarial conditions, hardening the agent's controls before public launch.
The challenge
A connected agent changes the security model.
.png)
Wingman is Emergent's personal AI assistant for the places where work already happens. Users reach it through iMessage, WhatsApp, and Telegram, and connect it to Gmail, Calendar, Slack, Drive, GitHub, Notion, and their CRM. It reads messages, prepares meetings, searches across tools, runs code in a sandbox, and comes back later to finish recurring work in the background.
Those same capabilities create new attack surface. Traditional software keeps a clear line between data and instructions: an email is data, a calendar invite is data, a GitHub issue is data. For an AI agent, that line is harder to hold, because the agent reads content in order to decide what to do next. If attacker-controlled content carries hidden instructions, it can try to steer the agent into using the user's own authorized permissions against them. This is indirect prompt injection, and Wingman's connected, action-taking design makes it far more consequential than it is for a chatbot.
The question Emergent needed answered before launch was not "can the model spot a bad prompt?" It was "can the product stop untrusted content from causing unauthorized side effects?"
.png)
The approach
Attack the agent the way an adversary would.
Straiker STAR Labs built a controlled dual-organization environment with realistic corporate data, live integrations, simulated external attacker identities, and ordinary user prompts. That let the team exercise the full agent loop, from content ingestion and provenance through model reasoning, tool calls, action approval, scheduler behavior, sandbox boundaries, and final side effects on connected systems.
Ascend AI
Straiker's adversarial testing arm, STAR Labs, continuously red-teams agents with real-world adversarial prompts across 30+ exploit categories, then turns every confirmed finding into a replayable regression test.
Every connector was treated as three things at once: a place an attack can enter, a source of sensitive data, and a channel to act on the outside world. The team evaluated outcomes, not model text. A model repeating malicious text is one class of failure. An agent using a mailbox, a drive, a repository, or a code-execution environment to complete an attacker-controlled workflow is a different class of risk entirely.
What we exercised
Untrusted content can look like work.
Cross-connector pivoting
Inject in one connector, read sensitive data from a second, exfiltrate or act through a third. The boundary is the flow, not the connector.
Multi-hop trust laundering
A benign-looking link in the first artifact routes the agent to malicious instructions on a second hop, slipping past first-artifact inspection.
Scheduled-task persistence
A one-time injection becomes durable when it creates or mutates a recurring job that runs while the user is away.
Browser-mediated exfiltration
Encoded data, defanged URLs, fake validators, and local-looking web tools move data through channels that don't resemble connector exfiltration.
The outcome
Stronger where fixes moved beyond the prompt.
Emergent's response was strongest where remediation moved past prompt hardening to durable controls that make unsafe tool calls difficult or impossible even when malicious content reaches the model. The architectural principle the assessment reinforced is simple: treat model output as a proposal, not as authority. A separate control layer decides whether a proposed action is allowed, whether confirmation is required, and whether the destination is appropriate for the data involved.
Emergent has published a companion post describing how it built Wingman's defenses from the architecture up.
What the engagement produced
Controls hardened across connectors, sandbox, and scheduler before public launch
Provenance carried across links, attachments, fetched pages, and scheduled context
Cross-connector data movement treated as a source-to-destination policy decision
Confirmation tightened on external sends, public posts, permission grants, and destructive actions
Every confirmed finding converted into a replayable regression evaluation
Why Straiker
Built to test agents as action-taking systems.
Connected agents need to be tested as systems that reach into real tools and take real actions, not as chat surfaces. Gartner positions Straiker across its agentic and AI security research, including Hype Cycle reports, and Straiker Ascend AI was named Best AI Security Testing Platform by The Hacker News Cybersecurity Stars Awards 2026. Both point to the same reality this engagement showed in practice: securing agents requires purpose-built adversarial testing, runtime controls, and a deep understanding of how agentic systems fail when ordinary content becomes part of the attack surface.
Read Straiker's full threat-model write-up, Threat Modeling a Connected Agent, or Emergent's companion post on how Wingman's defenses were built.
Test your agents before attackers do.







