BraveGuard: From Open-World Threats to Safer Computer-Use Agents
Title: BraveGuard: Securing Computer-Use Agents Against Evolving Open-World Threats
Abstract:
Computer-use agents represent a significant evolution in artificial intelligence, moving beyond simple text generation to enable sustained interaction with files, terminals, browsers, and external tools. However, this expanded capability introduces complex safety risks that are challenging to identify through isolated prompts or final outputs alone. Often, harmful outcomes only become apparent through multi-step execution traces, where individual actions may seem innocuous in isolation. To address this, we present BraveGuard, a self-evolving defense framework designed to train guard models using open-world threat signals and realistic agent trajectories.
BraveGuard operates by mining recent research to pinpoint emerging risks and attack patterns, which are then instantiated as executable computer-use tasks. By collecting agent rollouts from these tasks, the framework derives trajectory-level supervision necessary for training guard models. This process creates an adaptive defense loop; as new threats emerge or validation failures occur, the pipeline can be repeated to continuously update the model, moving away from static, benchmark-driven training methods.
We demonstrated the efficacy of BraveGuard by training multiple guard backbones, including variants of Llama-Guard and Qwen3-Guard. Evaluations on trajectory-level agent-safety benchmarks revealed that BraveGuard consistently enhances safety detection capabilities. Notably, on the AgentHazard benchmark, it significantly outperformed off-the-shelf guard models, boosting detection accuracy from 38.79% to 82.38% under the averaged guard-model setting. These findings indicate that grounding guard supervision in open-world threat discovery and realistic agent execution offers a superior approach to safety monitoring compared to fixed taxonomies and synthetic prompt-level data. Ultimately, BraveGuard provides a scalable pathway toward adaptive defenses capable of addressing the evolving real-world risks faced by computer-use agents.
Source: arXiv Generated at: 2026-06-02 00:00:00 UTC
