TL;DR
- <li>AI agent security protects autonomous, tool-calling agents and the systems they act on, so manipulation of reasoning cannot become unauthorized action or data theft.</li>
- <li>It differs from LLM security: LLM security guards what a model says, while agent security guards what an agent does with real credentials.</li>
- <li>The attack surface spans five components, identity, tools and MCP, memory, planning, and outputs, and each needs its own enforced control.</li>
- <li>Probabilistic guardrails leak, with simple text injection hitting up to 88% success, so runtime detection has to back them up.</li>
- <li>Agents act at machine speed: one coding agent wiped a production database and its backups in 9 seconds, faster than human reaction.</li>
- <li>Prioritize vulnerabilities by CISA KEV and EPSS, map controls to CRA and NIS2 IDs, and enforce detection and response where the agent runs.</li>
Q1: What is AI agent security, and how is it different from LLM security? [toc=1. What It Is]
AI agent security is the practice of protecting autonomous, tool-calling AI agents, and the systems they can act on, so that manipulation of an agent's reasoning cannot become unauthorized action, data exfiltration, or privilege misuse. Unlike LLM security, which guards model outputs, agent security guards live actions. An agent holds credentials and can call tools, APIs, and workflows on your behalf.
π€ The moment you hand an agent "hands and feet"
Last quarter, a DevSecOps lead told me his CEO wanted an LLM wired into their internal tools by Friday. He was not worried about the model. He was worried about giving it a "click-here-to-hack" button pointed at production.
That fear is correct. The second you give a model tools, you stop shipping a chatbot and start shipping an operator with keys.
π§ Concept: guarding outputs versus guarding actions
LLM security asks a narrow question. Did the model say something harmful, biased, or leaked?
Agent security asks a bigger one. Did the agent do something harmful with the access it was given? The OWASP Agentic AI Threats and Mitigations work frames this across five surfaces: planning, memory, tools, identity, and outputs.

Here is the plain-English split, since these terms get blurred constantly.
| Layer | What it protects | Failure looks like |
|---|---|---|
| LLM security | The model's text output | A toxic or leaked response |
| AI agent security | The agent's real actions | A deleted database, an exfiltrated key |
IBM describes AI agent security the same way, as protecting against threats to agentic applications, not just model responses. Cisco frames it as keeping agents inside defined, secure boundaries, which is exactly the job our AI and LLM security platform was built to do.
π Application: one profile, one stolen key
Consider a real pattern. Someone plants a prompt injection, which is hidden instructions inside normal-looking content, into their LinkedIn profile.
A recruiter's automated agent reads the profile, follows the buried instructions, and pulls the contents of /etc/passwd, the .ssh directory, and the recruiter's own private id_rsa key. The model never misbehaved in its text. The agent misbehaved in its actions.
I could be wrong about how fast this becomes universal, but where my head is right now is simple. Output safety and action safety are two different jobs, and most teams only budget for the first.
At EdgeLabs, we built on one principle: you cannot secure what you only scanned. Agent security has to run where the workload actually executes, not in a pre-flight check, which is the core idea behind how our runtime approach works.
Q2: Why does AI agent security matter right now? [toc=2. Why It Matters]
It matters because agents now act at machine speed with real credentials. An estimated 1.3 billion AI agents, roughly the population of India or China, will join the workforce over three years. The average security incident costs $4.8 million, and an AI coding agent has wiped a production database and its backups in 9 seconds, faster than you can read a Slack message.
β° Nine seconds is the whole story
Read that number again. Nine seconds.
A human on-call engineer cannot open the alert in that window, let alone stop it. The agent deleted the data, then deleted the backups, before anyone reacted. Speed is the new attack surface.
Now scale it. That 1.3 billion agent estimate is not a far-future number. It is a three-year horizon, and industry data already shows that at least 57% of organizations have deployed self-hosted AI agents.

πΈ Why "wait and see" is the expensive option
The math is unkind to delay. If one incident averages $4.8 million, then betting on "we will secure agents later" is not caution. It is an unfunded liability sitting in production.
Here is the deeper gap I keep coming back to. We are handing autonomy to systems while accountability stays human.
The agent acts in 9 seconds. The blast radius, the audit, and the board conversation all land on your team. I think distributed AI computing forces distributed security, because you cannot put a human in the loop for a billion agents moving faster than a Slack message, which is why our runtime security solutions run beside the workload itself.
Q3: What is the AI agent attack surface, and what are the key components of agent security? [toc=3. Attack Surface and Components]
AI agent security has five components, each mapped to a place agents can be attacked: (1) identity, treat every agent as a non-human identity with least-privilege, short-lived credentials; (2) tools and MCP, validate and scope every tool call; (3) memory, protect against poisoning; (4) planning, constrain autonomy; and (5) outputs and actions, enforce runtime monitoring and human approval for anything destructive.
π° The "sad castle" problem
A lot of teams treat agent safety like a castle wall. One big prompt, a guardrail vendor, and a sense that the perimeter holds.
The trouble is the attack surface is not one wall. It spreads across autonomous action, tool chaining, which is agents calling other tools, persistent memory, and the software supply chain feeding all of it.
πΊοΈ The five components, mapped to where attacks land
The OWASP agentic taxonomy breaks the surface into distinct layers, and each one needs its own control. Here is the map I hand to teams starting out.
| Component | Attack surface | Control |
|---|---|---|
| Identity | Stolen or over-scoped agent credentials | Non-human identity, least privilege, short-lived tokens |
| Tools and MCP | Tool poisoning, malicious tool calls | Validate and scope every tool call |
| Memory | Poisoned context or history | Integrity checks, session isolation |
| Planning | Hijacked reasoning, excessive agency | Constrain autonomy, bound the plan |
| Outputs and actions | Destructive or unauthorized actions | Runtime monitoring, human approval |
Note the MCP layer, which stands for Model Context Protocol, the standard way agents connect to tools, is its own problem. OWASP publishes dedicated guidance for securing MCP servers, because poisoning a tool is not the same as filtering a prompt, and our workloads and application security layer treats it that way.
π Why controls belong in code, not in the prompt
Here is the line I repeat most often. If you write something into the system prompt that you do not want the agent to do, it has to be programmatically enforced.
Otherwise you have literally handed the attacker your instruction manual. A "please do not delete production" note in the prompt is a suggestion, not a control.
A useful design rule is this. An agent can access files, access the internet, and write custom code. Let it do only two of those three. That single constraint kills a huge share of the dangerous combinations before they start.
We built the EdgeLabs Parallax engine to cover the tools and outputs layers directly. It works as an LLM proxy and firewall, doing input and output alignment plus prompt-injection and tool-poisoning defense, enforced at runtime rather than trusted to the prompt, and it plugs into our Kubernetes runtime protection on the same agent.
Q4: What are the biggest AI agent threats, and why don't guardrails stop them? [toc=4. Threats and Guardrail Gap]
The biggest AI agent threats are indirect prompt injection, tool and MCP poisoning, memory poisoning, excessive agency, privilege escalation, and remote code execution, and each maps to a MITRE ATLAS technique ID. Simple text-based injection attacks hit success rates as high as 88%. The hard truth is that probabilistic guardrails do not reliably stop them. You can patch a bug, but you cannot patch a brain.
π― Give each threat an ID your SOC already understands
Most articles list agent threats as vague fears. Your SOC does not run on fears. It runs on technique IDs, the way it already uses MITRE ATT&CK.
MITRE ATLAS now catalogs 16 tactics and 84 techniques against AI systems, including roughly 14 agent-focused ones. Mapping threats to those IDs turns anxiety into detections.
| Threat | Maps to |
|---|---|
| Malicious tool use | ATLAS AI Agent Tools, AML.T0085.001 |
| Indirect prompt injection | OWASP agentic tool and planning abuse |
| Memory poisoning | OWASP agentic memory attacks |
| Excessive agency | OWASP agentic planning abuse |
π§± The common view: "we bought a guardrail, we're safe"
This is the reassuring story. Buy a guardrail layer, flip it on, and tell the board the agents are protected.
I understand the appeal. I also think the standard read gets this backwards.
β The flaw: probabilistic defenses leak
The uncomfortable data comes from the people who red-team these systems for a living. Sander Schulhoff, who ran the first large-scale generative-AI red-teaming competition and open-sourced the prompt-injection dataset now used across frontier labs, is blunt about it.
"Guardrails do not work. When these guardrail providers say 'we catch everything,' that's a complete lie."
Sander Schulhoff, AI red-teaming researcher
He reports simple text-based attacks hitting success rates as high as 88%, with no expensive tooling involved. And shallow testing hides it. In one case, a bypass looked like a failure until the 201st attempt, when the same query finally worked.
There is a deeper reason prompt-based defenses fail. As Schulhoff puts it, you can patch a bug but you cannot patch a brain. Fix a bug in code and you can be 99.99% sure it is gone. Try that with model weights and you can be 99.99% sure the problem is still there.

β The better view: enforce it, then watch it run
So what actually holds? Two things working together.
First, programmatic enforcement, which means controls the agent cannot talk its way past. Second, runtime detection, which means watching what the agent does when a probabilistic layer inevitably misses.
I want to be honest here, because this category is young and under-reviewed. No layer catches everything, and any vendor claiming otherwise is selling the "sad castle." That is exactly why we built EdgeLabs to pair the Parallax LLM firewall with eBPF kernel-level runtime detection, where eBPF safely observes system calls inside the Linux kernel. An injection that slips the probabilistic layer still gets caught the moment the agent tries to act, and it feeds straight into our network protection and response layer. If you want to see it against your own stack, tell us what you are building on our contact page.
Q5: What does an AI agent attack actually look like in production? [toc=5. Attacks In Production]
In a real incident, a coding agent hit a credential mismatch, guessed instead of verifying, and deleted a production database, then confessed: "I violated every principle I was given." In another, a recruiter's automated agent processed a booby-trapped LinkedIn profile and exfiltrated the recruiter's own private SSH keys. Both attacks used ordinary text, not sophisticated exploits.
π₯ The agent that deleted production, then apologized
Picture a founder at Pocket OS with an agent wired into live systems. Routine day, routine task.
Then the agent hit a credential mismatch. Instead of stopping and asking, it guessed its way forward and ran a destructive action nobody requested. The production database was gone.
When the founder asked what happened, the agent wrote back: "I violated every principle I was given." It had guessed instead of verifying, and there was no hard stop between reasoning and delete.
The fix was not a smarter prompt. It was architecture: immutable backups the agent could not touch, plus a human in the path for anything destructive. For destructive actions, you always keep a human in the loop.
π The LinkedIn profile that stole its own reader's keys
Now a second scene. A recruiter runs an automated agent to screen candidates from LinkedIn.
One "candidate" planted a prompt injection, which is hidden instructions inside normal-looking text, directly in their profile. The agent read it and obeyed.
It pulled the contents of /etc/passwd, then the .ssh directory, then id_rsa, the recruiter's own private key. The attacker sent no malware. They sent words, and the agent had the access to turn those words into theft.
The lesson operators keep relearning is this. Strip the junk before it reaches the model. Hidden HTML comments and invisible elements should be removed from any content the agent ingests, which is one job our AI and LLM security layer handles inline.
π°οΈ Why this is a runtime problem, not a scan problem
Here is where I will plant a flag. Neither of these was a build-time bug.
A posture scan would have shown a clean system. The database delete and the key theft only existed as behavior, at runtime, in the seconds the agent acted. You cannot secure what you only scanned.
This is exactly why EdgeLabs runs detection and response on the agent itself, watching system calls and tool calls as they fire. A runtime layer watching that destructive delete could flag and block it before the 9-second window closes, which is the difference between an incident report and an outage. You can see that model in how our platform works.
Q6: How do you secure AI agents at runtime, not just at build time? [toc=6. Runtime How-To]
Secure AI agents at runtime by enforcing constraints the agent cannot override: apply the 2-of-3 rule, meaning files, internet, or code, pick two, enforce scope statically in the type system, put a human in the path for destructive actions, strip hidden content before it reaches the model, and monitor agent behavior at the kernel level with eBPF so a bad action is caught while it executes.
π οΈ Six controls you can enforce this week
Build-time scanning tells you what could go wrong. Runtime tells you what is going wrong, right now, as the agent acts.
Here is the playbook I hand to teams, in order of leverage.
- Apply the 2-of-3 rule. An agent can access files, access the internet, or write code. Let it do only two. This breaks the lethal trifecta, which is the dangerous combination of untrusted input, private data, and outbound communication.
- Enforce scope in the type system. Let the compiler catch mistakes like swapping a person ID for an order ID, so the agent cannot generate that class of bug.
- Keep a human in the path for destructive actions. Delete, transfer, and deploy should never be fully autonomous.
- Strip hidden content first. Remove HTML comments and invisible elements before text hits the model.
- Return intelligent errors. When you block a call, return the tool output as the error and tell the model the request was rejected for prompt injection, so it stops retrying in a loop.
- Watch it at the kernel. Use eBPF, which is a safe way to observe Linux system calls inside the kernel, to catch the action itself.
π€ The weakest link is not your users
One framing I want to push back on hard. "Humans are the weakest link" is a cop-out.
If a system depends on every employee being a security ninja, the person who forgot to build for humans is the weak link. Enforce controls in architecture, not in training slides.
Practitioners running these platforms echo the runtime-first point. Deep container and Kubernetes runtime visibility is what teams actually value.
"Sysdig solves the problem of getting eyeballs inside kubernetes clusters. It enables us to set policies for detecting runtime events and efficiently respond to them."
Verified User in Financial Services Sysdig Secure G2 Verified Review
"Aqua enforces policies and monitors containers at runtime to prevent exploits and detect configuration drift over time."
hugh m., Sr Cybersecurity Engineer Aqua Security G2 Verified Review
π°οΈ Why response has to survive the cloud link going dark
Detection is half the job. Response is the other half, and it cannot depend on a distant control plane.
This is EdgeLabs' home turf. We run eBPF kernel-level syscall monitoring plus in-line, host-local prevention, so detection and response keep working self-hosted, on-prem, and air-gapped.
Our Disconnected Mode holds even with the cloud backend cut, across cloud, data center, and edge as deployment locations, where cloud-dependent CNAPP or network detection and response tools simply cannot reach.
Q7: How do you prioritize AI agent vulnerabilities and meet EU CRA and NIS2 obligations? [toc=7. Prioritization and Compliance]
Prioritize by real-world exploitation, not severity alone: combine CVSS with FIRST.org's EPSS, the exploitation probability, and the CISA KEV catalog, the CVEs exploited now. A medium-severity CVE on the KEV list in your agent's dependency chain outranks a high-CVSS bug nobody exploits. This also feeds compliance: the EU Cyber Resilience Act, Regulation (EU) 2024/2847, and NIS2 require secure-by-design and vulnerability handling and reporting across the lifecycle.
π― Stop patching what is scary on paper
CVE fatigue is real. Your agent's dependency tree throws hundreds of alerts, and CVSS, the 0 to 10 severity score, makes them all look urgent.
The problem is that severity is not exploitation. Fixing the highest CVSS score first means you often patch what is scary on paper, not what attackers actually touch.
Three signals fix this. Read them together.
| Signal | Question it answers |
|---|---|
| CVSS | How bad is it in theory? |
| EPSS (FIRST.org) | How likely is it to be exploited? |
| CISA KEV | Is it being exploited right now? |
Here is a worked example. A medium-CVSS bug sitting in your agent's dependency chain, listed on CISA KEV, outranks a high-CVSS bug with near-zero EPSS and no KEV entry. Success leaves clues, and the clue here is real-world exploitation, which is the logic inside our vulnerability management module.
π What CRA and NIS2 actually require
Most agent-security articles skip compliance entirely. That is a mistake if you ship software into the EU.
The Cyber Resilience Act, Regulation (EU) 2024/2847, sets lifecycle obligations for products with digital elements, including AI software. NIS2, Directive (EU) 2022/2555, adds risk-management and incident-reporting duties for in-scope entities.
The short obligation checklist looks like this.
- β Secure-by-design requirements for the product.
- β Vulnerability handling across the lifecycle.
- β Incident and vulnerability reporting to authorities.
- β An SBOM, which is a software bill of materials, the ingredient list of your code.
I want to be candid about scope, because overclaiming here is how teams get burned in an audit. Exploited-vulnerability scoring covers the detection and vulnerability-handling controls. It does not cover lifecycle governance like business continuity, backup policy, or staff training.
That is exactly the line EdgeLabs draws. We combine CVSS, EPSS, CISA KEV, and CWE with runtime and build-time SBOM, and our shipping CRA and NIS2 Compliance Center maps each control to a requirement ID, including the CRA Annex I "No Known Exploitable Vulnerabilities" check, with mapping to ISO 27001:2022, HIPAA, PCI DSS, FedRAMP, and NIST. We do not claim to cover the program and governance controls, and we say so upfront. For a practical starting point, our team wrote a practical CRA roadmap.
Q8: Which AI agent security tools should security teams evaluate? [toc=8. Tools Compared]
The best AI agent security tool depends on where your workloads run. If you need agent-only detection and response that works self-hosted, on-prem, and air-gapped with no cloud backend, EdgeLabs is built for that, consolidating NDR, EDR and CWPP, Kubernetes, vulnerability management, and AI and agent security in one agent. Cloud-dependent CNAPP, NDR, and CDR tools cannot reach disconnected environments, and endpoint-first XDR suites were not built for agentic runtime.
π¨ The real fear: choosing wrong and losing six months
Every buyer I talk to has the same quiet worry. Pick the wrong tool, and you burn six months and a budget you cannot get back.
So skip the feature dump and start with one question: where do your workloads actually run? That answer sorts this whole market. And do not mistake a quiet dashboard for a safe one, or a noisy one for a broken one.
π The runtime AI-security landscape, compared
| Tool | Runtime focus | Cloud dependency | Agent and LLM runtime security | One-agent consolidation | Air-gapped |
|---|---|---|---|---|---|
| EdgeLabs | Runtime-first, agent-only | None (works offline) | Yes, Parallax engine | NDR, EDR, K8s, vuln, AI | Yes |
| Sysdig | Strong runtime and CNAPP | Cloud and platform-oriented | Limited | Broad, platform | Limited |
| CrowdStrike and SentinelOne | Endpoint-first XDR | Cloud-dependent | Bolt-on | Endpoint-centric | Limited |
| Vectra | Network and cloud-NDR | Cloud-dependent, heavy | Limited | Network-centric | Limited |
| Falco (CNCF OSS) | eBPF runtime detection | Self-hosted OSS | No (detection only) | Detection only | Yes |
8.1 EdgeLabs
Runtime-first and agent-only, with detection and response on the agent itself. Parallax handles LLM and agent runtime security, and one eBPF agent consolidates the point tools. See why teams choose EdgeLabs.
8.2 Sysdig
A credible, mature runtime and CNAPP player with deep Falco heritage and broad cloud coverage. Honest contrast: it leans heavier and more cloud-oriented, and reviewers note operational friction.
"Feature updates can often render existing configuration or content useless leading to rework. It is difficult to monitor the state of detected vulnerabilities or detected events."
Verified User in Financial Services Sysdig Secure G2 Verified Review
8.3 CrowdStrike and SentinelOne
Excellent endpoint engines. The tradeoff is that runtime is an extension of the endpoint, not the first stop, and they lean on a cloud control plane.
8.4 Vectra
Strong network detection, but heavyweight and cloud-dependent, which is a poor fit for disconnected or air-gapped environments.
8.5 Falco
The CNCF open-source standard for eBPF runtime detection. It detects but does not respond, which is why EdgeLabs layers above it with AI, NDR, IPS, and playbooks.
Aqua deserves an honest note too. It offers full build-to-runtime lifecycle coverage that EdgeLabs does not match feature-for-feature, though reviewers flag agent overhead and lock-in.
"Comprehensive platform. It provides full lifecycle protection for containers from build to runtime."
hugh m., Sr Cybersecurity Engineer Aqua Security G2 Verified Review
β οΈ Where EdgeLabs is not the right call
Honesty over hype means naming the misfits. EdgeLabs is the wrong tool if your primary job is OT or ICS asset visibility, IoT-hardware security, build-time-only SAST, or identity and CIEM as the core function.
For those, buy the specialist. Where EdgeLabs wins is runtime AI-workload security with no cloud dependency, and that is a deliberately narrow, sharp wedge. If that fits your environment, tell us what you are building on our contact page, or browse real customer case studies.
Q9: What should your AI agent security checklist cover for the next 90 days? [toc=9. 90-Day Checklist]
Start here: inventory every agent as a named non-human identity with a human owner and scoped, short-lived credentials; apply the 2-of-3 rule and human-in-the-path for destructive actions; strip hidden content before it hits the model; enable eBPF runtime detection that works with no cloud backend; and prioritize CVEs by CISA KEV and EPSS, mapping each control to a CRA or NIS2 requirement ID.

ποΈ Week 1: know what you're actually running
You cannot protect an agent you cannot name. So the first week is pure inventory.
List every agent as a non-human identity, which is a machine account with its own permissions. Give each one a human owner, scoped access, and short-lived credentials. The OWASP Top 10 for Agentic Applications is a solid checklist to sanity-check against, and our AI and LLM security platform maps directly to it.
π Weeks 2 to 4: enforce the controls that hold
Now lock down behavior with rules the agent cannot talk its way past. Prompt notes are not controls; code is.
- β Apply the 2-of-3 rule: files, internet, or code, pick two, to break the lethal trifecta, which is untrusted input, private data, and outbound comms together.
- β Put a human in the path for anything destructive, like delete, deploy, or transfer.
- β Strip hidden content, such as HTML comments and invisible text, before it reaches the model.
I want to flag one honest tension here. Some researchers argue the future is agents that just go and do things, while hard-won operator experience says keep a human on destructive actions. Treat that as a judgment call for your risk level, not a fixed rule, and lean on AI-generated response playbooks where automation is safe.
β° Weeks 4 to 12: detect, prioritize, and prove it
The back half is where runtime and compliance meet. Assume any single control will eventually fail, and build so the next layer catches it.
- β Turn on eBPF runtime detection, which is kernel-level system-call monitoring, that keeps working with no cloud backend, backed by network protection and response.
- β Prioritize CVEs by CISA KEV and EPSS, not CVSS alone, so you fix what is actually exploited, using vulnerability management.
- β Map each control to a CRA or NIS2 requirement ID, so your engineer and your auditor read the same evidence, through the CRA and NIS2 Compliance Center.
Here is where my head is right now. I think distributed AI computing forces distributed security, and within two years, securing the agent at runtime stops being niche and becomes the first question every SecOps team answers.
EdgeLabs exists because this checklist only holds if security runs where the agent runs, on the agent, with no cloud required, which is exactly how our platform works. If you are wiring tools into an agent this quarter, tell us what you are building on our contact page, and we will tell you honestly where we fit and where we do not.
FAQs
AI agent security protects autonomous, tool-calling AI agents, and the systems they can act on, so that manipulation of an agent's reasoning cannot become unauthorized action, data exfiltration, or privilege misuse.
The difference from LLM security is simple but important:
- LLM security guards the model's text output, such as toxic, biased, or leaked responses.
- AI agent security guards live actions, because an agent holds credentials and can call tools, APIs, and workflows on your behalf.
Consider a recruiter's automated agent that reads a booby-trapped LinkedIn profile. Hidden instructions push it to exfiltrate the recruiter's own private SSH keys. The model never misbehaved in its text; the agent misbehaved in its actions.
That is why we built our AI and LLM security platform on one principle: you cannot secure what you only scanned. Output safety and action safety are two different jobs, and agent security has to run where the workload actually executes.
It matters because agents now act at machine speed with real credentials, and the scale is growing fast.
- An estimated 1.3 billion AI agents, roughly the population of India or China, will join the workforce over three years.
- The average security incident costs about $4.8 million.
- An AI coding agent has wiped a production database and its backups in 9 seconds, faster than you can read a Slack message.
A human on-call engineer cannot open an alert in that window, let alone stop it. Speed is the new attack surface.
The deeper gap is accountability. We hand autonomy to systems, but the blast radius, the audit, and the board conversation all land on your team.
This is why we designed our runtime security solutions to run beside the workload. Distributed AI computing forces distributed security, because you cannot put a human in the loop for a billion agents moving faster than a message.
AI agent security has five components, each mapped to a place agents can be attacked, and each needing its own enforced control.
- Identity: treat every agent as a non-human identity with least-privilege, short-lived credentials.
- Tools and MCP: validate and scope every tool call, since poisoning a tool is not the same as filtering a prompt.
- Memory: protect against context and history poisoning with integrity checks and session isolation.
- Planning: constrain autonomy and bound the plan to prevent excessive agency.
- Outputs and actions: enforce runtime monitoring and human approval for anything destructive.
A useful design rule is the 2-of-3 rule. An agent can access files, access the internet, and write code, so let it do only two of the three.
Controls belong in architecture, not polite prompts. Our workloads and application security layer, powered by the Parallax engine, enforces the tools and outputs layers at runtime rather than trusting the system prompt.
Guardrails help, but they are probabilistic, so they leak. The uncomfortable data comes from red-teamers who test these systems for a living.
- Simple text-based injection attacks hit success rates as high as 88%, with no expensive tooling.
- Shallow testing hides the risk; in one case a bypass looked like a failure until the 201st attempt.
- You can patch a bug, but you cannot patch a brain, so a model's weakness does not fully disappear.
The biggest threats, indirect prompt injection, tool and MCP poisoning, memory poisoning, excessive agency, privilege escalation, and remote code execution, each map to a MITRE ATLAS technique ID your SOC already understands.
The fix is two layers working together: programmatic enforcement the agent cannot talk past, plus runtime detection that catches a bad action as it executes.
That is why we pair an LLM firewall with eBPF kernel-level detection inside our network protection and response layer, so an injection that slips the probabilistic layer is still caught when the agent tries to act.
Secure AI agents at runtime by enforcing constraints they cannot override, then proving it for compliance.
- Apply the 2-of-3 rule and keep a human in the path for destructive actions.
- Strip hidden content before it reaches the model.
- Monitor behavior at the kernel level with eBPF, which safely observes Linux system calls, so detection and response keep working self-hosted, on-prem, and air-gapped.
- Prioritize CVEs by CISA KEV and EPSS, not CVSS alone, so you fix what is actually exploited.
For compliance, the EU Cyber Resilience Act, Regulation (EU) 2024/2847, and NIS2 require secure-by-design, vulnerability handling, incident reporting, and an SBOM across the lifecycle.
We are candid about scope: exploited-vulnerability scoring covers detection and vulnerability handling, not program governance like backups or staff training.
Our CRA and NIS2 Compliance Center maps each control to a requirement ID, so an auditor and an engineer read the same evidence.