Existing red-teaming approaches struggle to identify critical vulnerable agents and their collaborative attack pathways in multi-agent systems, thereby failing to effectively evaluate overall robustness under role specialization and distributed security mechanisms. This work proposes MAStrike, a novel framework that introduces agent-level Shapley values to quantify each agent’s marginal contribution to system robustness, enabling the identification of susceptible agent coalitions and the generation of role-aware collaborative adversarial perturbations. By integrating structured causal diagnosis to iteratively refine attack strategies, MAStrike establishes a closed-loop, scalable red-teaming methodology. Experiments demonstrate that MAStrike substantially outperforms heuristic baselines, uncovers non-trivial Shapley value distributions and emergent collaborative vulnerability patterns, and introduces the first comprehensive benchmark for multi-agent red-teaming evaluation.

Hierarchical multi-agent systems (MAS) are rapidly being deployed in high-stakes workflows across domains such as finance and software engineering. In these systems, safety and security are inherently distributed across role-specialized agents, significantly expanding the attack surface, particularly under coordinated adversarial behaviors such as privilege escalation and cross-agent collusion. Existing red-teaming approaches for MAS remain limited: they rely on heuristic selection of target agents and perturb isolated message streams, leaving critical questions unanswered as which agents are most responsible for system safety, and how compromised agents can coordinate to bypass defenses. We propose MAStrike, a closed-loop framework for collusive red-teaming in hierarchical MAS. We propose the first agent-level Shapley value analysis for MAS, quantifying each agent's marginal contribution to system robustness under task-specific distributions. GGuided by this attribution, MAStrike identifies vulnerable agent coalitions and generates coordinated, role-aware adversarial manipulations. These attacks are iteratively refined through structured causal diagnosis, attributing failure cases to uncompromised agents that block adversarial attempts. We further build a comprehensive MAS red-teaming benchmark and controllable environments spanning diverse hierarchical topologies and domains, including finance, software engineering, and CRM. Extensive experiments across MAS built on multiple frontier models show that MAStrike substantially outperforms heuristic baselines. Our analysis further uncovers non-trivial Shapley value distributions and higher-order interaction structures among agents, revealing critical vulnerabilities and coordination patterns that are overlooked by prior single-agent or template-based methods.