< ciso
brief />
Tag Banner

All news with #agent security tag

263 articles · page 2 of 14

Securing AI agents as tools shift from read to act

🛡️ This Microsoft Incident Response post examines an attack pattern targeting Model Context Protocol (MCP) tools, where poisoned tool metadata causes agentic AI to perform unauthorized actions. It outlines a playbook for detecting, containing, and preventing these attacks using Microsoft security controls and maps techniques to the OWASP Top 10 for Agentic Applications. The guidance emphasizes treating MCP servers as supply-chain dependencies, reviewing tool descriptions as prompts, and applying least agency controls.
read more →

GuardFall bypasses safety in open-source AI agents

🔒 New research from Adversa AI, dubbed GuardFall, shows a decades-old shell trick can bypass simple blocklist checks in open-source AI coding agents, letting hidden destructive commands run. The flaw arises because filters inspect the command as plain text while shells like bash rewrite and expand that text before execution. Ten of eleven tested agents were vulnerable; only Continue defended by parsing commands the same way the shell does.
read more →

AWS WAF Protects Amazon Bedrock AgentCore Gateway

🔒 AWS announces general availability of AWS WAF protection for Amazon Bedrock AgentCore Gateway, enabling protection of agentic AI workloads from common web exploits and abuse. You can associate an AWS WAF protection pack with your AgentCore Gateway to enforce IP-based access controls, rate-based throttling, and AWS Managed Rule Groups including Bot Control. Configure protections once at the Gateway and have them applied consistently to all targets behind it.
read more →

New VPC-SC Controls to Secure Agentic AI Workloads

🔒 Google Cloud announces new VPC Service Controls features to secure agentic AI deployments by enforcing network-level perimeters and integrating agent identities. These updates let administrators add agent principals and principalSets to ingress/egress rules, apply conditional rules based on MCP attributes like mcp.toolName and mcp.method, and automatically protect the Gemini Enterprise Agent Platform from public internet access. The enhancements are designed to complement IAM and resource policies to prevent exfiltration and tool misuse in production agent fleets.
read more →

Guardian Agents: The Next Layer of Identity

🛡️ This guide examines how agentic AI shifted enterprise identity risks and why existing IAM controls fall short. It explains how AI agents inherit human permissions, traverse systems at machine speed, and create an expanding population of autonomous identities often deployed without security review. The piece outlines the guardian agent concept: a purpose-built runtime control layer that inventories agents, baselines behavior, detects anomalies, and enforces least-privilege at execution time to close the governance gap.
read more →

AI browsers tricked into leaking credentials in demo

🔒 Researchers at LayerX demonstrated a technique called BioShocking that convinces AI-powered web browsers they are playing a game, causing them to abandon safety guardrails and exfiltrate user data. The team tested six agentic browsers and plugins, including ChatGPT Atlas, Perplexity's Comet and Anthropic's Claude extension, and in a proof-of-concept had each copy login credentials and send them to an attacker. LayerX recommended requiring user confirmation for account reads and adding context-aware flags to limit what agents can access.
read more →

AI-SPM Buyers Guide: Comparing AI Security Tools

🔒 This article examines the rising need for AI security posture management (AI-SPM) as enterprises adopt AI across workflows. It outlines how AI maturity stages — from AI-assisted to AI-native — change security requirements and why agents and model services expand the attack surface. The piece surveys vendor approaches, key features, and integrations, and provides guidance for selecting AI-SPM solutions to avoid coverage gaps.
read more →

Fake AI Agent Skill Bypasses Security Checks

🛡️ A security firm, AIR, created a benign but deceptive AI agent skill named brand-landingpage, pushed it through a major skill marketplace and promoted it with an Instagram ad, and reports it reached roughly 26,000 agents including corporate accounts. Scanners from vendors like Cisco and NVIDIA marked the package safe because the skill pointed to external setup documentation rather than embedding malicious code. AIR later swapped the external page to deliver a harmless payload that collected email addresses, demonstrating how scanners miss links that can be rewritten after review. The experiment highlights structural trust problems with skills and common mitigations such as pinning versions and vetting external references.
read more →

Shadow AI Risk Shifts from Leakage to Access Control

🛡️ Shadow AI has evolved from simple data leakage to an access control challenge as employee-built agents connect to enterprise systems. These agents — created across platforms, extensions, and scripts — can call APIs, use credentials, and perform actions in production, often with broad or forgotten permissions. Traditional controls like DLP and domain blocking miss non-human identities, so organizations must inventory agents, map ownership and credentials, and enforce automated remediation.
read more →

Web-enabled AI agents can enable host-level RCE

🔒 Microsoft demonstrated a new remote code execution path called “AutoJack,” showing how web-enabled AI agents can be hijacked to reach local Model Context Protocol (MCP) services and execute arbitrary processes. The researchers exploited three weaknesses in AutoGen Studio’s MCP WebSocket implementation—origin allowlist inheritance, missing authentication for MCP paths, and unsanitized URL-supplied server parameters that spawn processes. Microsoft reported and mitigated the issue in development builds and warned this pattern could affect other agentic frameworks.
read more →

AutoJack vulnerability in AutoGen Studio patched

🛡️ Ongoing research found an exploit chain in AutoGen Studio that allowed untrusted web content rendered by a browsing agent to reach a local Model Context Protocol (MCP) WebSocket and spawn arbitrary processes on the host. Microsoft’s team reported the issue and maintainers hardened the main branch in commit b047730; the vulnerable MCP WebSocket surface was never included in the PyPI release. The advisory explains the attack chain, remediation steps, and developer guidance to avoid localhost trust-boundary risks.
read more →

Securing AI Agent Behavior with AgentCore and Check Point

🔒 Check Point and AWS are collaborating to secure enterprise AI agents by integrating Amazon Bedrock AgentCore with Check Point AI Security. This partnership extends AgentCore’s identity, gateway, registry, and policy capabilities with runtime behavioral protections that monitor agent actions across models, tools, data, and applications. The integration enables policy-driven governance, visibility into agent deployments, and prevention of misuse such as prompt injection or unintended data exposure.
read more →

Automating Disassembly with Local AI Agents

🛠️ This blog demonstrates using AI agents to automate a VB6 disassembler by exposing its parsed model through the Windows Running Object Table and providing an operator briefing plus auto-generated prototypes. The agent (Claude Code in the examples) binds to the COM object, runs scripts to extract P-code, reconstruct source, generate call graphs, and export function metadata to SQLite, all locally without uploading binaries. The approach decouples tool features from fixed menus, enables repeatable exhaustive analysis, and preserves sensitive data on the analyst's workstation.
read more →

Amazon Bedrock AgentCore Adds Policy Guardrails

🛡️ Amazon Web Services announced that Amazon Bedrock AgentCore now supports Bedrock Guardrails in policy, enabling enterprises to enforce safety and security controls on AI agents in production. AgentCore policy authorizes which actions agents can take and now evaluates outputs and gateway inputs in real time to detect and block prompt injection, harmful content, and sensitive data exposure. Guardrail enforcement occurs at the AgentCore gateway perimeter, with all evaluations logged via AgentCore observability for auditing and optimization. The capability integrates with existing gateway deployments, supports natural language or policy-as-code authoring, uses consumption-based pricing, and is available in multiple global AWS regions.
read more →

AgentCore adds production-driven optimization tools

🔍 AWS announces new AgentCore optimization capabilities that turn production traces into continuous agent improvements. The features surface failure, intent, and trajectory insights across sessions to reveal silent and recurring failures, then generate data-grounded recommendations for prompts and tool descriptions. Batch evaluation and A/B testing validate fixes against defined metrics before rollout, and capabilities work across AgentCore runtime, Lambda, EKS, and non-AWS environments.
read more →

Palo Alto and Databricks Set AI Security Standard

🔒 Palo Alto Networks and Databricks announce an integrated runtime security solution to protect agentic AI across the enterprise. The partnership embeds Prisma AIRS into the Databricks Unity AI Gateway to provide centralized governance, real-time inspection, and policy-driven enforcement for prompts, tool calls, and model interactions. This approach aims to prevent prompt injections, data exfiltration, and malicious tool usage while enabling faster, secure AI deployments.
read more →

Google unveils new data agents for the Agentic Data Cloud

🤖 Google announces expanded Agentic Data Cloud capabilities, introducing new data agents and tools to enable conversational analytics and agent-driven workflows across BigQuery, Lakehouse, AlloyDB, Spanner, and Cloud SQL. The update includes Data Engineering, Data Science, Database Observability, Looker Dashboard, Data Insights, and Deep Research agents, plus developer toolkits like the Data Agent Kit and Managed MCP servers. These features aim to ground agents in real-time enterprise data with unified governance and near-100% accuracy for tasks such as NL-to-SQL conversions and automated pipeline maintenance.
read more →

Graph-Based Systems Enable Trusted Agentic Action

🧭 This post describes how Yahoo and Google Cloud built Seller Agent, an agentic media-buying platform that collapses multi-week manual workflows into governed campaigns executed in seconds. The architecture uses a dual-graph approach — a knowledge graph for deterministic business logic and a context graph for auditable decision traces — combined with Google Cloud services like Spanner Graph, BigQuery Graph, and Gemini. The design emphasizes explainability, regulator-grade governance, and closed-loop learning to ensure autonomous actions remain transparent and accountable.
read more →

Researchers warn guardrails can enable AI DoS attacks

🛡️ New research shows that reasoning-based AI agent guardrails can be weaponized into denial-of-service vectors by a single poisoned document that traps safety systems in extended thinking loops. The study, from the Hong Kong University of Science and Technology and collaborators, demonstrated large slowdowns across four agent frameworks, with LangGraph suffering the worst impact. The work highlights a tradeoff where stronger guardrail reasoning increases resource use and introduces concentration risk for shared governance.
read more →

Runtime signals to detect compromised AI agents

🛡️ In response to widespread prompt-injection risks, the article outlines runtime signals to detect compromised AI agents that possess the so-called lethal trifecta: access to private data, ingestion of untrusted content, and external communication ability. It argues that this trifecta is now the default for useful agents, so defenses must shift from architecture rules to behavioral, runtime detection. Recommended signals include instruction-following anomalies, unexpected tool-call sequences, low-bandwidth exfiltration channels, out-of-scope credential access, and suspicious memory writes.
read more →