Dynamic Adversary Agent (DAA)
- Dynamic Adversary Agent (DAA) is an adaptive adversary characterized by evolving strategies through reinforcement learning and iterative feedback.
- It spans applications in multi-agent deception, pursuit–evasion, and red-teaming, employing methods like DQN, curriculum learning, and graph-based communication.
- DAA methodologies enhance both offensive and defensive systems by modeling realistic, adaptive attack dynamics with role-based and communication-driven strategies.
Dynamic Adversary Agent (DAA) is, in the literature surveyed here, an adversarial agent whose behavior evolves during interaction rather than remaining fixed. This usage spans pursuit–evasion under fog of war, cooperative multi-agent deception, adversarial red-teaming of AI agents, and dynamic cybersecurity evaluation. In these settings, the adversary is not merely a disturbance model or a static attack script; it is an explicit decision-making entity with observations, actions, and an adaptation loop, often implemented with deep reinforcement learning, graph-based communication, or closed-loop attack optimization (Huang, 2021, Ghiya et al., 2020, Chen et al., 6 May 2026, Wei et al., 23 May 2025).
1. Scope and research usage
The term is used across several adjacent lines of work to denote adversarial agency under temporal adaptation. In multi-agent deep reinforcement learning, the adversary may be tasked with discovering a high-value target by observing cooperative agents, or with evading capture in a partially observable environment (Ghiya et al., 2020, Huang, 2021). In agent security, the adversary may be an autonomous red-teaming system that iteratively refines attacks against a victim AI agent using environmental feedback and a verifiable judge (Chen et al., 6 May 2026). In cybersecurity evaluation, the adversary may be modeled as an entity that exploits multiple “degrees of freedom” such as repeated sampling, iterative prompt refinement, self-training, and workflow refinement within a fixed compute budget (Wei et al., 23 May 2025).
| Research setting | Representative DAA instantiation |
|---|---|
| Multi-agent deception | An adversary agent infers the true target landmark from cooperative agents’ behavior (Ghiya et al., 2020) |
| Pursuit–evasion | Independent pursuer and evader agents interact under fog of war in the SAAC environment (Huang, 2021) |
| Agentic red-teaming | DTap-Red autonomously discovers and optimizes attacks across prompt, tool, skill, and environment channels (Chen et al., 6 May 2026) |
| Cyber risk assessment | Adversaries iteratively improve offensive agents through compute-bounded adaptation (Wei et al., 23 May 2025) |
A consistent feature is explicit adversarial policy adaptation. The surveyed works therefore distinguish DAA-like systems from fixed scripted opponents, one-shot prompt attacks, or static benchmark perturbations. This suggests that DAA is best understood as a modeling pattern for adaptive adversarial behavior rather than as a single canonical algorithm.
2. Reinforcement-learning formulations
In graph-based multi-agent deception, cooperative agents and the adversary are represented through modular neural components. Each good agent has an Agent State Encoder, Environment State Encoder, Opponent State Encoder, and Inter-Agent Communication Module; all cooperating agents share network weights under centralized training and decentralized execution (Ghiya et al., 2020). The adversary’s role is to discover the high-value landmark by observing the good agents. Training uses a two-stage curriculum: first coverage, then deception, with the combined reward
The reported effect is that increasing deception weight makes the agents more successful at deceiving the adversary, at the cost of less-than-optimal coverage (Ghiya et al., 2020).
In pursuit–evasion, the SAAC environment extends StarCraft II mini-games so that both pursuers and evaders can be controlled by separate agents in a zero-sum dynamic game under fog of war (Huang, 2021). The evader-side DAA is trained with DQN, and the environment is grounded in control and differential game theory through a linear-quadratic cost
The paper reports that trained adversary evaders reduce the number of captured units from approximately $51$ for a random-action baseline to approximately $30$, while also exhibiting team clustering and corner hiding reminiscent of known hiding strategies (Huang, 2021).
A closely related formulation appears in the Traitor Markov Decision Process (TMDP), where adversarial “traitor” agents are injected into a cooperative multi-agent reinforcement learning system and trained with the same MARL algorithm as victim agents, but with adversarial reward
Because direct credit assignment is difficult, CuDA2 adds Random Network Distillation (RND)-based curiosity through dynamic Potential-Based Reward Shaping, while preserving optimal policy invariance for the traitors (Chen et al., 2024). Empirically, CuDA2 yields comparable or superior attack capabilities on SMAC relative to baselines such as stop, random, and minus_r (Chen et al., 2024).
These RL formulations show that DAA behavior can emerge either from explicit adversarial objectives, from game-theoretic asymmetry between teams, or from reward shaping that encourages the adversary to drive the system into unfamiliar regions of state space.
3. Communication, roles, and adversarial interaction in multi-agent systems
A second strand of work treats dynamic adversariality as a problem of communication structure and team coordination. TodyComm addresses multi-round LLM-based multi-agent systems in which fixed communication topologies fail when agents’ roles change across rounds due to dynamic adversary, task progression, or communication bandwidth constraints (Fan et al., 3 Feb 2026). At each round, communication is a directed acyclic graph , and agent participation is determined by per-agent, per-round credits computed from a gated recurrent network and an MLP. Training uses REINFORCE over communication and decision graphs, and the reported result is that TodyComm identifies adversarial agents with more than accuracy on average without access to adversarial labels, while retaining token efficiency and scalability (Fan et al., 3 Feb 2026).
Collaborative Threat-Aware Autonomy (CTAA) addresses dynamic, adversarial Weapon Engagement Zones by assigning Autonomous Collaborative Platforms distinct roles: primary intercept, escort, and decoy (Sharma et al., 25 May 2026). Each ACP independently applies a reactive guidance law derived from the Collision Sphere Boundary for Evader Zero-Set (CSBEZ), and the architecture exploits two effects: probabilistic redundancy and threat saturation. In deterministic simulation, the reported mission success rises from $0.72$ for a single CSBEZ-aware vehicle to $0.978$ for a three-ACP team; in Monte Carlo experiments, the single-vehicle success is 0 and the multi-ACP team reaches 1 (Sharma et al., 25 May 2026).
These results broaden the DAA concept beyond a single hostile policy. Dynamic adversariality can also be mediated by communication topology, route separation, role differentiation, and adaptive exclusion of unreliable agents. In that sense, the adversary is partly a property of the interaction graph, not only of an isolated attacking policy.
4. Autonomous red-teaming and offensive cybersecurity agents
Recent work recasts DAA as an autonomous attack-generation system for AI agents. DTap introduces a controllable and interactive red-teaming platform spanning 14 real-world domains and over 50 simulation environments, and DTap-Red is described as the first autonomous red-teaming agent that systematically explores prompt, tool, skill, environment, and combined injection vectors (Chen et al., 6 May 2026). Its architecture is a closed loop: attack optimization and generation, execution against the victim agent, verifiable judge evaluation, and iterative refinement. The system includes a Multi-Layer Memory Module, an Attack Skill Library with 200+ advanced strategies, flexible spatial-temporal injection, and an 2-greedy exploration–exploitation policy (Chen et al., 6 May 2026).
| Agent framework and model | Direct ASR (%) | Indirect ASR (%) |
|---|---|---|
| Google ADK (Gemini) | 48 | 56 |
| OpenAI Agents SDK (GPT-5.2) | 59 | 47 |
| OpenClaw (DeepSeek-V4-Pro) | 60 | 42 |
| Claude Code (Sonnet-4.5) | 27 | 25 |
The same paper reports that multi-vector, chain-composed attacks yield superlinear ASR improvements, that harness flaws such as batch tool invocation can create “execute-then-refuse” failures, and that attacks transfer across models (Chen et al., 6 May 2026). The adversary here is dynamic in a strong sense: it retrieves prior successes and failures, selects or adapts attack skills, executes them in a realistic environment, and re-optimizes against a verifiable objective.
Dynamic risk assessment for offensive cybersecurity agents generalizes this idea from single attacks to compute-bounded adversarial improvement (Wei et al., 23 May 2025). The paper identifies five degrees of freedom: repeated sampling, increasing max rounds of interactions, iterative prompt refinement, self-training, and iterative workflow refinement. Under an 8 H100 GPU-hour budget, adversaries improve an agent’s cybersecurity capability on InterCode CTF by more than 40\% relative to the baseline, without external assistance (Wei et al., 23 May 2025). The threat model differentiates stateful environments, where only one trajectory may be possible, from non-stateful environments, where resets allow much greater exploitation of these degrees of freedom (Wei et al., 23 May 2025).
This line of work shifts DAA from a reinforcement-learning opponent inside a simulated environment to an agentic attacker that treats the victim system itself as the environment and uses iterative search to discover high-yield vulnerabilities.
5. Defensive and diagnostic counterparts
DAA research has also stimulated defensive systems that explicitly reason about adversary dynamics. In agentic honeynet configuration, an AI-driven architecture analyzes IDS alerts and network state to infer attack progression, identify compromised assets, predict likely attacker targets, and dynamically select a subset 3 of honeypots under an exposure budget 4 (Mirra et al., 14 Mar 2026). The agent operates in a perception–inference–action loop and is evaluated with an Attack-Stage Inference Score
5
Preliminary results indicate that stronger LLMs achieve higher phase-inference accuracy, while even weaker models can sometimes sustain attacker engagement when the attack surface is unambiguous (Mirra et al., 14 Mar 2026).
In reinforcement learning, PolicyGuard addresses adversary-agent attacks at test time and step level through GP posterior variance over state-action trajectories (Huang, 11 Jun 2026). The paper reports average AUROC of 6 for original adversary-agent attacks and 7 for hard-coded adversary-agent attacks, under black-box constraints and without access to internal agent parameters (Huang, 11 Jun 2026). The key idea is that backdoor-triggered behaviors induced by adversarial interactions produce elevated uncertainty relative to clean behavior.
For LLM-based multi-agent systems, SafeAgents provides a fine-grained diagnostic framework for adversarial prompting (Arora et al., 14 Nov 2025). Its DHARMA taxonomy localizes whether a harmful trajectory was stopped or ignored at the planner or sub-agent level. The reported results include 66.37\% unmitigated execution for Magentic on SafeArena under atomic delegation, and 51.97\% of attack stoppages at the sub-agent level on AgentHarm for centralized Magentic (Arora et al., 14 Nov 2025). These findings show that, once adversaries are dynamic and multi-stage, evaluation must also become pipeline-aware and temporally localized.
Together, these systems indicate that DAA research is inseparable from adversary-aware observability, verifiable judging, and step-level or stage-level diagnostics. A dynamic adversary is difficult to study with only final-outcome metrics.
6. Terminology, misconceptions, and related acronyms
A recurring source of confusion is acronym overload. In the cited literature, DAA may also denote Dynamic Attention Analysis, a backdoor-detection method for text-to-image diffusion models (Wang et al., 29 Apr 2025), or Dynamic Asset Allocation, an adaptive financial evaluation method (Yang et al., 2021). In adversarial representation learning, DAA is also used for downstream-agnostic attacks, including targeted downstream-agnostic attack variants (Lei et al., 19 May 2026). These usages are unrelated to Dynamic Adversary Agent.
Another common misconception is that a DAA must be a fully learned neural policy. The surveyed work includes heuristic adversaries that move toward the landmark closest to any good agent (Ghiya et al., 2020), DQN-trained evaders under fog of war (Huang, 2021), traitor agents trained with adversarial reward shaping (Chen et al., 2024), and autonomous red-teaming systems with memory, attack libraries, and iterative refinement rather than a single end-to-end policy (Chen et al., 6 May 2026). Dynamicity, likewise, is not confined to online gradient updates: it may arise from multi-round communication adaptation (Fan et al., 3 Feb 2026), role-based threat saturation (Sharma et al., 25 May 2026), compute-bounded prompt and workflow refinement (Wei et al., 23 May 2025), or sequential exposure control in a honeynet (Mirra et al., 14 Mar 2026).
Taken together, these works trace a clear transition from fixed or heuristic opponents toward adversaries that learn, communicate, remember, diagnose outcomes, and iteratively refine behavior. This suggests that the modern DAA is less a single architecture than a unifying abstraction for adversarial agency under feedback, partial observability, and temporal adaptation.