Attackers Now Run at Machine Speed

If you have been following this blog, you know that 2026 has not been a quiet year for the security community. The Trivy supply chain attack in March was the wake up call: a trusted security scanner turned into a credential harvesting machine, followed by the CanisterWorm escalation that propagated itself through the npm ecosystem at a speed no human operator could match. In the weeks after, we saw several other serious and successful exploitations following the same pattern: automation turned against the defenders, with exploits appearing within hours of a patch instead of months.

This is the part that should worry us the most. Frontier AI models are compressing the timeline between vulnerability disclosure and working exploit from months to hours, at a marginal cost measured in dollars. Attackers who adopt these tools, or who simply wait for defenders’ patches and reverse engineer them into exploits, move faster than any SOC built around human triage can react.

At the same time, we keep deploying AI agents everywhere. And let’s be honest: AI agents are too powerful to run without clear boundaries. They interpret goals, select tools, execute multi step operations, access databases and APIs, and they do all of this with the privileges we hand them. I wrote about this paradigm shift in my reflection on securing AI agents from a DevSecOps perspective: an agent is effectively a privileged automation account, with all the associated risks and none of the traditional human accountability mechanisms.

Tools to address this problem are arriving on the market, both open source and enterprise. But tools without a framework produce checkbox security. That’s why I found Anthropic’s recently published eBook, Zero Trust for AI Agents, linked from their blog post, genuinely valuable. Having the point of view of a frontier AI lab on how to translate Zero Trust, a proven and battle tested security model, into a foundational framework for agentic systems is a huge opportunity for anyone deploying agents today. This post is a sneak peek of the eBook; if it sparks your interest, go read the full document to get the complete picture.

Inside the eBook

The document is organized in five parts. The first two give security leaders the threat landscape and compliance context they need; the last three are implementation guidance for security architects and engineers. Before diving in, the eBook recaps the three Zero Trust principles codified in NIST SP 800-207: never trust and always verify, least privilege, and assume breach.

One idea stuck with me right away, a design test the authors call “impossible, not tedious”: for every control, ask whether it makes the attack impossible or just tedious. Rate limits, extra pivot hops, and SMS based MFA only add friction, and agentic attackers have unlimited patience and near zero per attempt cost. Controls that survive the test rely on hardware bound credentials, expiring tokens, cryptographic identity, and network paths that simply do not exist. Keep this question in mind during your next design review; it changes the conversation.

Parts I and II: Threat Modeling for Security Leaders

Part I explains what makes agentic systems different from traditional software. Agents execute operations without human approval at each step, access tools through protocols like MCP, make autonomous decisions based on ambiguous instructions, persist context across sessions, and coordinate with other agents. Each capability is also an attack surface. The eBook introduces useful vocabulary here: blast radius as the measure of potential damage if an agent is compromised, and least agency, the OWASP term that extends least privilege to what each agent tool can do, how often, and where. There is also a solid overview of how Zero Trust aligns with regulatory requirements in healthcare, finance, and government, where adoption deadlines are real and approaching.

Part II maps the current threat landscape, and it is the best compact summary of agentic threats I have read so far. It covers direct and indirect prompt injection (research shows algorithmic approaches achieving 100% attack success rates), tool poisoning and rug pull attacks on MCP servers, tool chaining where legitimate tools get combined in harmful sequences that host centric monitoring never flags, identity and privilege abuse including the confused deputy problem in multi agent systems, and memory poisoning that persists across sessions long after the initial injection. The supply chain section resonates with what I keep writing about on this blog: agentic ecosystems compose capabilities at runtime, which expands the attack surface beyond what traditional software composition analysis can handle. Anthropic’s own research showing that just 250 malicious documents can backdoor LLMs from 600 million to 13 billion parameters is a sobering data point.

Parts III, IV, and V: The Implementation Guide

This is where the eBook earns its place on an engineer’s desk. Part III applies Zero Trust to agentic services through three capability tiers: Foundation, Enterprise, and Advanced. Each tier builds on the previous one, covering agent identity and authentication, access control, sandboxing, monitoring, and governance. The honest framing here matters: because of AI accelerated offense, the Foundation floor has been raised, and friction only controls no longer qualify as minimum viable security. Short lived tokens and cryptographically rooted identity are now entry requirements, not aspirations.

Part IV turns the architecture into an eight phase implementation workflow: identify requirements, manage supply chain risks, define agent boundaries, defend against prompt injection, secure tool access, control identity and access, safeguard agent memory, and measure what matters. The advice is concrete and verifiable. A few examples I appreciated:

  • Build an AI-BOM with OWASP’s CycloneDX extension and score every dependency with OpenSSF Scorecard in CI.
  • Apply input isolation: Microsoft’s Spotlighting technique reduces indirect injection success from over 50% to under 2%.
  • Give each agent a unique cryptographic identity with its own credentials; splitting one agent into many while sharing credentials fails to compartmentalize anything.
  • Instrument dwell time and alert coverage before any other metric, and ask yourself: would we know within an hour if an agent went rogue?

If you read my piece on securely using third party MCP servers, Phase 5 on tool allow listing, parameter validation, and sandbox execution will feel like a natural continuation.

Part V closes the loop: securing your agents is only half the work, the other half is running defensive operations at the speed of autonomous threats. The eBook makes the case for Agentic SOAR, putting a model at the front of your alert queue for automated first pass investigation, while keeping humans on containment and disclosure decisions. It suggests mapping detection coverage against MITRE ATT&CK and validating it with Atomic Red Team, and running tabletop exercises for five simultaneous incidents instead of one. Crucially, it applies the same Zero Trust skepticism to defensive agents themselves: verified integrity, limited blast radius, and clear escalation paths, because a compromised defensive agent is a powerful weapon.

Final Thoughts

What I appreciate most about this eBook is its honesty. It does not sell a product as the solution (the Claude Code pro tips are clearly marked and easy to skip), and it openly admits that this is a fast moving space where today’s Advanced tier will become tomorrow’s Foundation. The closing message is one I fully subscribe to: the organizations best positioned for this shift will not be the ones with the most advanced AI, but the ones whose fundamentals are strong enough that AI assisted scanning finds fewer bugs in the first place, and whose agent deployments were architected for breach from day one.

After a year that started with Trivy and kept escalating, we cannot keep treating agent security as an afterthought. Zero Trust gives us a foundation that has already survived contact with reality; this eBook translates it into the agentic world with enough detail to act on. Read the threat modeling parts if you are a security leader, work through the tier tables and the eight phase workflow if you are an architect or engineer. Either way, it is around 35 pages well spent.

References