ADR-Bench — MCP-Native Agent Security Benchmark

A defender-side benchmark for detecting attacks against AI agents that operate through the Model Context Protocol, released with the ADR system paper (MLSys 2026). It is derived from real enterprise telemetry at Uber rather than synthesized from scratch, and is published on GitHub with the ADR sensor and detection framework.1

What it is

PropertyDetail
Tasks302 (42 malicious / 260 benign — 13.9% attack prevalence)1
MCP servers133, spanning 14 categories (81.2% benign / 18.8% malicious)1
Tools729 distinct; benign servers expose more (median 7) than malicious ones (median 3)1
Threat coverage17 techniques across 5 tactics — full 17/17 framework coverage1
Task complexity28.5 MCP tool calls per task on average1
ProvenanceAdapted benchmarks (MCP-Artifact, RAS-Eval) + public incident disclosures + Uber internal threat intel1
ReleaseTask specs, runnable MCP registry, evaluation pipeline, and a minimal JSON config; sensitive identifiers replaced with safe stand-ins1

Why it matters for the wiki

ADR-Bench’s claimed differentiator is realism under enterprise conditions that prior agent benchmarks omit: native MCP context, severe class imbalance (benign dominates), the presence of sensitive information, and policy-violation tasks (agent actions not inherently malicious but violating internal policy, scored against a YAML policy store exposed over MCP).1 On the paper’s own comparison (Table 1) it is the only listed benchmark with MCP support and full 17/17 technique coverage, where peers cover 3–6 of 17.1

This places it as the enterprise, MCP-native comparator in the agentic-security benchmark landscape, complementary to AgentDojo (independent prompt-injection, 4/17) and DefenseBench (defender-agent investigation on Splunk BOTSv3). For the CMM D7 evidence requirement, it offers an MCP-aware detection benchmark to report alongside AgentDojo.

Single-organization provenance

ADR-Bench is derived from one enterprise’s SOC telemetry and macOS coding-agent deployment. Its task mix and class balance model Uber’s environment; external validity to other enterprise agent fleets is asserted by design intent, not yet measured by independent re-evaluation. Cross-vendor leaderboard adoption is the test it has not yet faced.

Reported results on it

ADR reports perfect precision (1.000), zero false positives, and 0.667 recall (0.800 F1), 2–4x the F1 of the three baselines, which each fire 30–40 false positives across the 260 benign tasks.2

DetectorPrecisionRecallF1FP (of 260)
ADR1.0000.6670.8000
ALRPHFS0.3330.4050.36634
GuardAgent0.2310.2140.22230
LlamaFirewall0.1670.1900.17840

See Also

Footnotes

  1. §4 ADR-Bench and Table 1, arXiv:2605.17380: 302 tasks (42/260), 133 servers across 14 categories, 729 tools, median tools per server, 28.5 tool calls/task, three provenance sources, policy-violation tasks and YAML policy store, full 17/17 coverage versus prior benchmarks, and the GitHub release with safe stand-ins. 2 3 4 5 6 7 8 9 10

  2. §5 Evaluation, Table 2, arXiv:2605.17380: precision/recall/F1 and false-positive counts on ADR-Bench for ADR and the three baselines.