THE Unit 42 executive summary of Amazon Bedrock Agents’ multi-agent collaboration outlines how an attacker could methodically progress through an attack chain by first determining the operating mode, then discovering collaborator agents, delivering attacker‑controlled payloads and finally exploiting target agents.
The researchers demonstrate end‑to‑end attacks across Supervisor Mode and Supervisor with Routing Mode, including extracting instructions, tool schemas and triggering tool use, while emphasising that no vulnerabilities were found in Bedrock itself. Importantly, they note that Bedrock’s built‑in pre‑processing prompts and Guardrails stopped the attacks when properly configured, and that these defenses form part of a layered approach to mitigate prompt injection and tool misuse.
The testing was performed in the authors’ own AWS accounts, focusing on agent logic and application integrations, with collaboration from Amazon’s security team. According to AWS notes, Bedrock’s pre‑processing stages and Guardrails effectively block the demonstrated attacks, and Palo Alto Networks positions Prisma AIRS and Cortex Cloud as additional protections for AI systems. Published 3 April 2026.