REBAR
Runtime Evaluation Benchmark for Agent Resistance
Every major runtime security tool was built for actors that don’t reason about their own restrictions. Path-based identity, static rules, and enforcement at a single syscall were reasonable tradeoffs for containers. Agents rename binaries. They disable sandboxes. When that fails, they find a different syscall path the tooling wasn’t built for.
How would you know if your controls hold? There’s no benchmark. No shared test suite. No equivalent of CIS benchmarks for containers.
REBAR is an open effort to build that evaluation framework.
The pattern is already in production. AI workflows compromised via prompt injection. Supply chain malware targeting coding assistants. Consumer chatbots used to generate exploit code. In every case the security boundary was a prompt, a permission, or a path rule.
We watched an agent bypass a denylist by renaming a binary, circumvent a sandbox by disabling it, and when content-addressable enforcement blocked both, invoke the dynamic linker to load code via mmap instead of execve. Nobody told it to do any of this.
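To make the two failure modes above concrete, here is an added illustration (not REBAR code, and not the tooling the observed agent defeated): a small policy evaluator run over a constructed sequence of three syscall events, matching the order in the text. It shows that a path-based denylist stops holding the moment the binary is renamed, that a content-addressable denylist survives the rename, and that a denylist hooked only on execve never even observes the executable mmap route. The event format, the policy functions, and the sample tool bytes are all assumptions made for the illustration; a real enforcement layer would see these events from the kernel rather than from a list.

```python
"""Added illustration (not REBAR code): why path-based identity fails under a
binary rename and why hooking a single syscall leaves a gap, modelled as a
tiny policy evaluator over a constructed list of syscall events."""
import hashlib
import os
import tempfile

# Constructed stand-in for a tool binary's contents; the bytes are arbitrary.
TOOL_BYTES = b"#!/bin/sh\necho constructed sample tool\n"


def sha256_of(path):
    """Content-addressable identity: the hash of what is on disk, not its name."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def build_scenario():
    """Construct the three events described in the text: run the tool by its
    original path, run it again after a rename, then load it through an
    executable mmap instead of execve (the dynamic-linker route).

    Hashes are captured while the files exist inside the temporary directory;
    the paths are kept afterwards only as labels on the events."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "tool")
        renamed = os.path.join(tmp, "t00l")
        with open(original, "wb") as fh:
            fh.write(TOOL_BYTES)
        digest = sha256_of(original)
        os.rename(original, renamed)  # same bytes, different name
        assert sha256_of(renamed) == digest  # rename does not change content
        return [
            {"syscall": "execve", "path": original, "sha256": digest},
            {"syscall": "execve", "path": renamed, "sha256": digest},
            {"syscall": "mmap", "path": renamed, "sha256": digest, "prot": "PROT_EXEC"},
        ]


def path_policy(event, denied_paths):
    """Path-based denylist hooked on execve only (the container-era default)."""
    if event["syscall"] != "execve":
        return "unobserved"
    return "blocked" if event["path"] in denied_paths else "allowed"


def content_policy(event, denied_hashes, hooked):
    """Content-addressable denylist; `hooked` is the set of syscalls it sees.
    For mmap only executable mappings count as a code load."""
    if event["syscall"] not in hooked:
        return "unobserved"
    if event["syscall"] == "mmap" and event.get("prot") != "PROT_EXEC":
        return "allowed"
    return "blocked" if event["sha256"] in denied_hashes else "allowed"


def evaluate(events, policy):
    """Apply one policy to every event and return the verdict per event."""
    return [policy(e) for e in events]


def run_benchmark():
    """Score three policies against the adaptive sequence. Returns a dict of
    verdict lists keyed by policy name; 'unobserved' marks an event the policy
    had no hook for, which is the gap a single-syscall design leaves open."""
    events = build_scenario()
    denied_path = {events[0]["path"]}      # rule written against the original name
    denied_hash = {events[0]["sha256"]}    # rule written against the content
    return {
        "path_execve": evaluate(events, lambda e: path_policy(e, denied_path)),
        "hash_execve": evaluate(events, lambda e: content_policy(e, denied_hash, {"execve"})),
        "hash_execve_mmap": evaluate(events, lambda e: content_policy(e, denied_hash, {"execve", "mmap"})),
    }


if __name__ == "__main__":
    for name, verdicts in run_benchmark().items():
        print(f"{name:18} {verdicts}")
```

Reading the output column by column gives the benchmark's point: the path rule holds for one event, the content rule hooked on execve holds for two, and only the content rule that also covers executable mmap holds across all three attempts. Scoring a defense by the last event it still blocks, rather than by whether it blocks the first known attack, is the kind of measure a shared benchmark would need to define.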
Blocking known attacks is table stakes. But what holds when the adversary keeps trying?
Organizations need to run background agents in production with enforcement that doesn’t depend on prompts or best-effort permissions. That requires measuring what actually holds under repeated, adaptive attempts to break it.
Which bypass classes belong in a shared benchmark? How do you score layered defenses? What does “pass” mean when the adversary adapts between attempts?
We invite security researchers, kernel engineers, AI labs, and red teamers to build the runtime evaluation benchmark with us.