Adversarial Graph-Traversal Games

Updated 18 June 2026

Adversarial graph-traversal games are strategic frameworks where players counteract each other by modifying graph elements through moves, probes, or deletions.
They reveal structural dichotomies that distinguish winnable graphs by characteristics like connectivity, cycles, and branching, often leading to NP-hard or PSPACE-complete challenges.
Algorithmic approaches such as dynamic programming, LP formulations, and double-oracle methods are applied to optimize strategies in security, routing, and multi-agent settings.

Adversarial graph-traversal games constitute a central research focus in combinatorial game theory, algorithmic graph theory, and security modeling. Such games abstract pathfinding, evasion, interdiction, or information discovery on a graph in the explicit presence of an adversary capable of manipulating the process—directly or indirectly—subject to precise game rules. The literature encompasses pursuit–evasion, sabotage/path interdiction, partizan and impartial trail competitions, broadcast/information propagation under edge deletions, Stackelberg and risk-averse routing, and multi-agent zero-sum coordination games. The common structure is a vertex- or edge-labeled graph, two or more players with asymmetric or symmetric objectives, and alternating or concurrent actions including moves, probes, deletions, or cost modifications. Analytical emphasis falls on structural dichotomies between winnable and invincible graphs, strategy complexity, and the effect of adversarial action models on computational hardness.

1. Structural Models and Game Definitions

Most adversarial graph-traversal games are formalized as perfect- or imperfect-information turn-based games on a finite graph, defined by:

Arena: A graph $G = (V, E)$ , simple or directed, possibly with costs on edges or payoffs on vertices, and designated initial/final vertices, goals, or “exits.”
Players and Actions: Two-player zero-sum variants prevail. Examples include:
- Pursuer–Evader: Cat guesses, Mouse must move upon failure (Haslegrave, 2017).
- Adversarial Interdiction: An adversary modifies edge costs or structures to maximize traversal costs (Berneburg et al., 2024, Rostobaya et al., 22 May 2026).
- Safe Routing under Sabotage: Edge removals or payoff reductions each round (Bergé et al., 20 Jan 2026).
- Partizan Trail Competitions: Alternating moves along unused edges, each player operating their own token (Buchanan et al., 2024).
- Exploration vs. Adversarial Revelation: Map discovery controlled by adversarial vertex revelation order (Fuchs et al., 2023).
- Broadcast Games: Agents disseminate knowledge while an adversary deletes edges, preserving connectivity at each step (Moses et al., 12 Mar 2026).
Objectives: Varied as reachability (fugitive or mouse reaches exit), capture, coverage (explore all vertices), survival maximization, cost or reward optimization, or information dissemination.
Action Models: Edge deletions forbidden/allowed, cost manipulation, partial revelation, adversarial choices over a library of environments.

The game state typically consists of the current positions of all agents, the present edge or cost structure, which nodes or tokens bear knowledge, and—if relevant—history information for belief updates (Rostobaya et al., 22 May 2026).

2. Structural Dichotomies and Graph Characterizations

Several classes of adversarial traversal games admit precise dichotomy theorems distinguishing winnable and unwinnable graphs under optimal play:

Active Pursuit–Evasion: Haslegrave’s characterizes capture in the invisible-mouse game: the cat wins if and only if $G$ is a tree free of a particular forbidden subtree $T^*$ —three disjoint length-3 arms attached to a central vertex (Haslegrave, 2017).
Trail Trap: On trees, outcome hinges on the degree and location of center vertices: $P_1$ -win trees require precise central configurations, while for general graphs the game is NP-hard for the second player (Buchanan et al., 2024).
Broadcast/Agents–Adversary: Agents win on trees (Adversary cannot disconnect), cycles if $k \geq 3$ agents, and cliques when $k \geq m-1$ for $K_m$ ; otherwise, Adversary can indefinitely delay full broadcast. The notion of $k$ -spanning-tree symmetry generalizes families where Adversary wins (Moses et al., 12 Mar 2026).
Nemesis Escape: On trees and degree- $\leq 3$ graphs, the existence of a “binary escape tree” rooted at or adjacent to the fugitive’s starting location is necessary and sufficient for fugitive victory. On general graphs, detecting such a subtree is NP-complete (Bergé et al., 20 Jan 2026).

Contextually, these dichotomies illuminate how global structural features—cycles, centrality, branching—determine whether optimal evasion, trapping, or coverage is possible under adversarial conditions.

3. Algorithmic and Complexity Results

Adversarial graph-traversal games span a spectrum from polynomial-time solvable to PSPACE-complete:

Game/Variant	Complexity	Reference
Evasion active pursuit on T $^*$ -free trees	Linear time (O(n + t))	(Haslegrave, 2017)
Nemesis/Blizzard on trees, $G$ 0	Linear time	(Bergé et al., 20 Jan 2026)
Trail Trap (trees)	$G$ 1	(Buchanan et al., 2024)
General Nemesis (simple graphs)	PSPACE-complete	(Bergé et al., 20 Jan 2026)
Graph Exploration (online, minimax adversary)	PSPACE-complete	(Fuchs et al., 2023)
Trail Trap (planar, bipartite, $G$ 2)	NP-hard	(Buchanan et al., 2024)
Binary Escape Tree (deg- $G$ 34, root existence)	NP-complete	(Bergé et al., 20 Jan 2026)
Stackelberg mean-payoff threshold (ASV $G$ 4)	NP-complete;	(Balachander et al., 2020)
$G$ 5-NE for two-sided deception game (indef. horizon)	Finitely terminating XDO	(Rostobaya et al., 22 May 2026)
Layered Graph Security Games (binary utilities, DO+MILP)	Practically scalable, NP-hard best-response	(Černý et al., 2024)

Proofs combine gadget-based reductions from SAT/QBF for hardness, BFS/DFS or dynamic programming for tractable tree-like cases, and algorithmic frameworks such as double-oracle for large but structured min–max equilibrium computations.

4. Stochastic, Stackelberg, and Risk-Averse Formulations

A major line targets not existential winning/losing but optimization of expected or worst-case cost in the presence of intelligent adversaries:

Adversarial Stackelberg Games: Mean-payoff Stackelberg model on bi-weighted arenas, with Leader (e.g., route planner) committing to a strategy and Follower (adversary) best-responding. Zero-sum Stackelberg is robust to model perturbation and suboptimal Follower strategies, but general-sum is fragile—small deviations can degrade payoff significantly. Robust $G$ 6-relaxations guarantee bounded loss under adversarial/approximate adversaries, and the value can be computed in EXPTIME via LPs over the extended graph (Balachander et al., 2020).
Adversarial Risk Analysis in Routing: The traveler models edge costs and payoffs with a Normal–Inverse–Wishart prior and maintains Bayesian beliefs over adversary type. Opponent may reduce payoffs at neighbors. The adaptive “uncertainty policy” search never underperforms the best fixed path, and learning improves outcomes substantially, as substantiated by simulation (Banks et al., 11 Feb 2026).
Time-Varying, Multi-Agent Path Planning: Blue robots traverse a sequence of graphs chosen by an adversary who aims to maximize cost within a dynamic environment model. Nash equilibria are obtained via value iteration and matrix games at each state. Empirically, equilibrium policies for both sides require stochastic mixing, coordinated waiting, or splitting, and outperform naive strategies (Berneburg et al., 2024).
Deception and Counter-Deception: In incomplete-information settings (types unknown to opponent, goal or attack structure private), both sides randomize and update beliefs via Bayes’ rule. An adapted Extensive-Form Double Oracle (XDO) method is shown to return $G$ 7-NE in finite time due to the introduction of proper default strategies (Rostobaya et al., 22 May 2026).

These frameworks blend Bayesian reasoning, robust control, and game-theoretic solution concepts, with practical implications for security and logistics.

5. Connections to Security, Interdiction, and Multi-Agent Games

Adversarial graph-traversal games underpin a diversity of security and control applications:

Layered Graph Security Games: Both attacker and defender choose (potentially mixed) path policies through layered graphs, modeling patrol/interdiction, pursuit–evasion, and multi-period resource allocation. Under linear utilities, equilibria are computable in polynomial time using flow-based LPs; binary-utility variants rely on double-oracle and MILP best-response, and can encode MAX-SAT for NP-hardness (Černý et al., 2024).
Dynamic Networks & Edge-Deletion Adversaries: The Agents–Adversary broadcast game and Nemesis escape paradigm both study edge-deletion adversaries with connectivity constraints, offering insights for dynamic networks, information dissemination, and robust routing (Moses et al., 12 Mar 2026, Bergé et al., 20 Jan 2026).
Partizan Trail and Geography Games: Edge-use competitions (Trail Trap, Edge Geography) model resource exhaustion, exclusive access, and “one-shot” navigation contests, yielding complex dichotomies—analogous to parity-invariant games—and spurring open conjectures about NP- vs. PSPACE-completeness and asymptomatic P $G$ 8-advantage prevalence (Buchanan et al., 2024).

A plausible implication is that adversarial traversal games serve as canonical hard instances for online, robust, and competitive pathfinding under real-world constraints, unifying strategies across computational geometry, security game theory, and stochastic control.

6. Open Problems and Future Directions

Current research identifies numerous unresolved questions:

Full Structural Characterizations: Necessary and sufficient conditions for player 1 wins remain incomplete in Trail Trap, broadcast, and generalized evasion games.
Complexity Gaps and Scaling: Whether Trail Trap is PSPACE-complete (conjectured), optimal approximation complexity for adversarial graph exploration, existence of online Hamiltonian walk strategies under specific graph classes.
Belief, Deception, and Mixed-Information Models: Quantifying value of information in two-sided incomplete-information traversal, equilibrium deception/counter-deception analysis (Rostobaya et al., 22 May 2026).
Coordination in Multi-Robot/Agent Settings: Extensions to decentralized policy computation, partial information, or continuous action spaces in adversarially varying environments (Berneburg et al., 2024).
Quantitative Propagation in Broadcast Games: Necessary and sufficient thresholds for Agents’ victory; the impact of topology and symmetry-based invariants (Moses et al., 12 Mar 2026).
Hybrid Security Models: Interplay of layered graph structure, time windows, and functional constraints in LGSGs, particularly with multiple simultaneous attackers/defenders or probabilistic interdiction (Černý et al., 2024).

These challenges stand at the intersection of combinatorics, complexity theory, game theory, and security informatics, marking adversarial graph-traversal games as a rich and still rapidly developing domain.