The agent-specific threat surface: agents as attack vectors, attack targets, and unwitting accomplices. How adversaries exploit the unique properties of agentic systems to compromise regulated institutions.
OWASP LLM Top 10, OWASP Agentic Top 10, NIST CSF, and institutional cybersecurity programs address known threat categories. These risks document the specific ways agentic systems create novel attack surfaces, amplify existing threats, and introduce attack vectors that traditional security controls (WAFs, EDR, SIEM, DLP) were not designed to detect. Each risk names the existing security control that should work and explains why it does not when agents are the target or vector.
What makes these risks specifically agentic is the combination of prompt-driven behavior, dynamic tool use, persistent memory, and chain delegation. An agent that processes natural language inputs cannot be protected by WAFs designed for structured inputs. An agent with persistent memory creates a new data store that EDR does not monitor. An agent that delegates to other agents creates lateral movement paths that network segmentation cannot contain.
Intended audience: CISOs, security operations teams, penetration testing teams, threat intelligence analysts, and security architects evaluating agent deployments in production environments.
Severity distribution across the ten risks:

| Critical | High | Moderate | Low |
|---|---|---|---|
| 6 | 4 | 0 | 0 |
Adversaries embed instructions in data the agent processes. Existing input validation cannot distinguish adversarial instructions from legitimate content.
An adversary can impersonate a legitimate agent in inter-agent communication, inheriting the impersonated agent's trust relationships and permissions.
A compromised agent can reach systems that network controls would otherwise isolate, because agent tool connections constitute authorized cross-boundary communication.
Agents can exfiltrate data through tool invocations that DLP does not monitor. The agent transforms data before exfiltration, defeating pattern-based detection.
Adversaries can corrupt agent persistent memory through crafted interactions, influencing all future decisions without triggering any security alert.
Credentials may persist in the agent's context window, appear in logs, be transmitted to downstream agents, or be exposed through tool invocations.
An agent that interacts with users through natural language can be manipulated to deliver social engineering attacks. Users trust agent outputs differently than they trust email.
A compromised third-party component is inherited by every agent that invokes it. Supply chain controls validate at deployment, not at runtime invocation.
Agents with code execution capabilities can test sandbox boundaries. A successful escape grants access to host resources or adjacent containers.
Each tool, API, and data source connected to an agent creates a new attack surface that may not be inventoried. The attack surface changes at runtime.
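Three of the risks above (cross-boundary tool connections, credentials leaking into logs and downstream agents, and un-inventoried tool attack surface) share one control point: a policy gate that runs on every tool invocation before it executes. The block below is an added illustration of such a gate, not code from this page or any product; the tool inventory, the host allowlist and the credential patterns are constructed assumptions that an institution would replace with its own.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed inventory of approved tools and the hosts each may reach.
# A tool or host absent from this table is an un-inventoried connection.
TOOL_INVENTORY = {
    "crm_lookup": {"crm.internal.example"},
    "ticket_create": {"tickets.internal.example"},
}

# Credential-shaped patterns; assumed shapes, not a complete list.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(api[_-]?key|token|password|secret)\s*[:=]\s*\S+"),
    re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]+=*"),
]


def redact(text: str) -> str:
    """Mask credential-shaped substrings before they reach logs or other agents."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


@dataclass
class Decision:
    allowed: bool
    reason: str
    logged_args: dict = field(default_factory=dict)


def gate_tool_call(tool: str, args: dict) -> Decision:
    """Policy check run on every tool invocation before it executes.

    Returns whether the call may proceed, why, and a copy of the arguments
    that is safe to write to the audit log or hand to a downstream agent.
    """
    # Arguments are redacted unconditionally: denied calls are logged too.
    safe_args = {k: redact(v) if isinstance(v, str) else v for k, v in args.items()}
    if tool not in TOOL_INVENTORY:
        return Decision(False, f"tool '{tool}' is not in the inventory", safe_args)
    url = args.get("url")
    if url is not None:
        host = urlparse(url).hostname or ""
        if host not in TOOL_INVENTORY[tool]:
            return Decision(False, f"egress host '{host}' not allowed for '{tool}'", safe_args)
    return Decision(True, "allowed", safe_args)
```

Because the gate sits between the model and the tool rather than on the network edge, it sees the natural-language arguments that a WAF or DLP sensor never parses, and every decision it emits is an auditable event a SIEM can ingest.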
Agent-specific threats require controls beyond traditional WAFs, EDR, and DLP. Our advisory engagements help institutions assess agentic threat surfaces and implement defense-in-depth for autonomous systems.