Skip to content

July 9, 2026

End-to-end multimodal AI red teaming — probe vision, audio, and video models with full media rendering in findings and traces

← All updates

End-to-end multimodal AI red teaming — probe vision, audio, and video models with full media rendering in findings and traces

16 new 5 improved 14 fixed

  • Structured findings and assets in the platform. Agents can emit structured vulnerabilities, endpoints, and other typed items during runs — viewable in a new Structured Output page with per-type tables, detail panels, and provenance history. Web-security agents now produce WebVulnerability and WebEndpoint items visible in the Items UI for triage, filtering, and cross-session tracking. (dreadnode/capabilities#74, dreadnode/dreadnode-tiger#1830, dreadnode/dreadnode-tiger#1862)
  • Web chat — interactive/autonomous mode toggle, rewind, and session actions. Web chat sessions now support an interactive ↔ autonomous mode toggle with optional step cap, a “Rewind to here” control on any prior user message, and a full action menu (copy ID/link, export trajectory, archive/freeze/delete) directly from the session list. (dreadnode/dreadnode-tiger#1904, dreadnode/dreadnode-tiger#1906, dreadnode/dreadnode-tiger#1908)
  • Web chat — inline human-input prompts, live tool media, and reasoning-effort selector. The web chat transcript now surfaces ask_user prompts inline, renders live tool media during streaming, and exposes a reasoning-effort selector in the composer. (dreadnode/dreadnode-tiger#1853)
  • Chat UI promoted to main navigation. Web chat is now accessible from the main sidebar navigation instead of the previous beta route. (dreadnode/dreadnode-tiger#1895)
  • Session compaction rendered as a labeled divider in web chat. Compaction events now appear as a divider with an expandable summary of how many messages were summarized, instead of leaking raw XML into the transcript. (dreadnode/dreadnode-tiger#1905)
  • Agent sessions default to no grouping. The Sessions page now defaults to ungrouped; workflow grouping is still available in the selector. (dreadnode/dreadnode-tiger#1854)
  • Unified produces key for capability manifests. A single produces key now configures built-in item types, custom types, and disablement — replacing the older items key. (dreadnode/dreadnode-tiger#1862)
  • Chat sandbox no longer auto-pauses mid-session. A periodic keepalive extends the runtime’s expiry every 30 seconds while you’re actively working. (dreadnode/dreadnode-tiger#1849)

Full multimodal support lands in AI red teaming this week — probe vision, audio, and video targets end-to-end, with media rendering inline across findings, traces, and exports.

New

  • Multimodal AI red teaming — end-to-end. Probe LLMs with text, image, audio, and video inputs; apply per-modality transforms; score outputs (including generated media) with the new multimodal_judge scorer; view full message parts inline in findings, traces, and parquet exports (new schema v3 with base64 media columns). Includes a cross-product prompt_matrix mode (N prompts × M media items = N×M trials) and Nova Sonic speech-to-speech target support. (dreadnode/capabilities#75, dreadnode/capabilities#76, dreadnode/capabilities#79, dreadnode/capabilities#81, dreadnode/capabilities#82, dreadnode/dreadnode-tiger#1881, dreadnode/dreadnode-tiger#1883, dreadnode/dreadnode-tiger#1891, dreadnode/dreadnode-tiger#1892, dreadnode/dreadnode-tiger#1893, dreadnode/dreadnode-tiger#1894)

  • Custom HTTP targets for AI red teaming — any cloud, any auth. New build_target(TargetSpec) factory and custom_http target mode let you point TAP, PAIR, and other attacks at any endpoint (Azure, Vertex, SageMaker, Bedrock, OpenAI-compatible, arbitrary URLs) with declarative auth strategies (API key, Bearer, AWS SigV4, Azure AD, GCP). (dreadnode/capabilities#77, dreadnode/dreadnode-tiger#1907)

  • Per-modality response scores in the platform. Findings and Assessment Findings tables now show independent scores per output modality (text, image, audio, video) with the highest-scoring modality emphasized. (dreadnode/dreadnode-tiger#1894)

  • Task Sets (V1). Group multiple tasks into a named, versioned set and run evaluations against the whole set via API, CLI (dn task-set), or the Environments UI. (dreadnode/dreadnode-tiger#1826)

  • Task-set provenance on evaluation detail. Evaluation detail now shows a linked “From task set org/name” and a collapsible list of skipped members with reasons — previously CLI-only information. (dreadnode/dreadnode-tiger#1851)

  • Session groups and workflow hierarchies. Multi-session agent runs are now organized into collapsible workflow groups in the Sessions view instead of a flat list; the SDK exposes a new client.workflow() API. (dreadnode/dreadnode-tiger#1831)

  • Model reasoning as a first-class field in session transcripts and trajectory export. Native reasoning content (Anthropic thinking blocks, reasoning_content) now appears in the session transcript viewer and ATIF trajectory export as a typed field rather than being silently dropped. (dreadnode/dreadnode-tiger#1910, dreadnode/dreadnode-tiger#1901)

  • SecurityContext MCP server for web-security agents. New MCP server lets agents mine commit history and CVE disclosures to generate hunting briefs, top risks, and ranked vulnerability leads before auditing a codebase — three tools: get_security_context, create_security_context, get_vulnerability_leads. (dreadnode/capabilities#69)

  • Three new web-security skills. Added git-integration-exploitation, http-query-method (RFC 10008 parser differentials), and dom-vulnerability-detection (postMessage IP normalization bypass). (dreadnode/capabilities#71)

  • Hub scope tabs — Mine · {org} · Public. Dataset, Model, Capability, and Environment browse pages now have scope tabs with live count pills and scope-aware empty states. (dreadnode/dreadnode-tiger#1789)

  • Bundle README surfaced in frontend, TUI, and CLI. Capability and task detail pages now include a README tab; the TUI exposes it with d; the CLI adds --readme / -R to dn capability info and dn task info. (dreadnode/dreadnode-tiger#1481)

  • Auth-setup-guide skill for AIRT. New skill walks you through authenticating target, attacker, and judge models from your own environment — covering Azure, AWS Bedrock, GCP Vertex, custom HTTP endpoints, and more. (dreadnode/capabilities#80)

  • multimodal_judge scorer. New scorer evaluates generated images, audio, and video using a vision/audio-capable model instead of stringifying media output. (dreadnode/dreadnode-tiger#1892)

  • dreadnode[nova-sonic] SDK extra. Install the new extra to get all required AWS deps for Nova Sonic speech-to-speech targets; missing deps now raise a clear error instead of an opaque import trace. (dreadnode/dreadnode-tiger#1918)

  • AIRT multimodal output capture and per-modality scoring. All output modalities (text, image, audio, video) are now captured from target models, with per-modality worst-case MAX score aggregation, and audio/video playback fixed in the trace viewer. (dreadnode/dreadnode-tiger#1891)

  • Nova Sonic S2S target support in the TUI and AIRT SDK. Nova Sonic speech-to-speech targets are now available in the TUI capability picker and the SDK’s build_target factory. (dreadnode/capabilities#81, dreadnode/dreadnode-tiger#1907)

Improvements

  • Multimodal AIRT findings layout — Original → Transformed → Response. Findings now display a clean three-panel message layout with judge model, transformed prompt, and inline trace media shown correctly. (dreadnode/dreadnode-tiger#1886)

  • Model reasoning always visible inline in TUI and web session viewer. Reasoning now appears as always-visible inline prose; ^O controls tool-output verbosity only and no longer hides reasoning blocks. (dreadnode/dreadnode-tiger#1870)

  • AIRT findings ranked by severity. Critical findings now surface first in the findings list. (dreadnode/dreadnode-tiger#1868)

  • Improved dn update diagnostics. The CLI and TUI now show accurate resolver-failure details when dn update exits without changing the installed version. (dreadnode/dreadnode-tiger#1887)

  • Org, workspace, and project names enforce 100-character limit. Name inputs now validate length as you type, preventing overflow and submission errors. (dreadnode/dreadnode-tiger#1919)

Fixes

  • SDK installable again — MoviePy moved to dreadnode[video] extra. dreadnode 2.0.32+ is installable from PyPI; the Pillow/MoviePy conflict is resolved by making MoviePy optional. (dreadnode/dreadnode-tiger#1882)

  • spawn_agent no longer hangs indefinitely. Sub-agents now have a default 1-hour timeout (configurable); the undocumented run_in_background field has been removed. (dreadnode/dreadnode-tiger#1861)

  • Native reasoning now reaches the client on dn/ proxy routes. Thinking blocks and reasoning_content from Claude and other reasoning models were previously silently dropped on platform proxy routes. (dreadnode/dreadnode-tiger#1901)

  • Nova Sonic adapter no longer hangs on missing AWS credentials. The adapter now resolves credentials via the standard AWS chain (env, profile, SSO, IMDS) and fails fast with a clear error, eliminating the 9+ minute hang. (dreadnode/dreadnode-tiger#1911)

  • Multimodal AIRT findings show real errors instead of “(no response)”. When a target call fails (e.g. auth 401, bad model ID), the actual error is surfaced so failures are distinguishable from genuine model refusals. (dreadnode/dreadnode-tiger#1912)

  • AIRT trial counts, missing responses, score tooltips, and trace deep-links fixed. Trial counts display correctly, missing responses fall back to trial data, tooltips work on score columns, and silent refusals show a descriptive message. (dreadnode/dreadnode-tiger#1916)

  • Judge reasoning now appears in finding headlines and markdown exports. Previously blank even when trial-level reasoning was present; root cause was reading from the study-level span instead of the trial span. (dreadnode/dreadnode-tiger#1915)

  • Judge LLM field on assessment-detail header shows model name. Previously displayed ”—” for multimodal assessments. (dreadnode/dreadnode-tiger#1914)

  • AIRT compliance dashboards show correct denominators. OWASP LLM Top 10 now shows /10 and NIST AI RMF shows /4; multimodal media in trace spans renders inline instead of as raw JSON. (dreadnode/dreadnode-tiger#1900)

  • AIRT multimodal video, audio playback, and per-trial message blocks fixed. Video input, audio playback, and judge reasoning work correctly; findings tables show per-trial message blocks instead of a single best-trial view. (dreadnode/dreadnode-tiger#1888)

  • AIRT multimodal view shows correct attacker prompt on failed trials. Previously showed the wrong prompt; media downloads now save to disk instead of opening inline, and trial scores carry clearer “Overall Score” labeling. (dreadnode/dreadnode-tiger#1897)

  • TUI model picker cursor no longer jumps when filtering. Cursor now stays at the top of filtered results instead of jumping to the bottom. (dreadnode/dreadnode-tiger#1859)

  • TUI first-run defaults to a platform-hosted model. New users without a personal Anthropic API key no longer hit an immediate failure on TUI startup. (dreadnode/dreadnode-tiger#1860)

  • Network-ops tool wrapper bugs fixed. Four confirmed bugs resolved: smbclient preserves partial directory listings, netexec handles multiple groups in enumeration, SharpView correctly parses arguments with spaces, and Impacket script discovery works with bash wrapper scripts. (dreadnode/capabilities#72)