Field notes from the audit trail.
Patterns, findings and arguments from 250+ real vulnerabilities found across AI agent systems, MCP servers and developer tools. Written for the teams building and securing agent systems. The research explains the same problems Oktsec is built to control: tool access, prompt injection, MCP exposure, signed policy and verified evidence.
Prompt injection is an authorization problem.
Every few weeks a new prompt-injection trick makes the rounds, and every few weeks a new filter ships to block it. That arms race is unwinnable. The durable fix is to stop asking what the model read and start enforcing what the agent is allowed to do.
Read the articleAnatomy of the agent-tooling CVEs.
Six critical 2025-2026 CVEs (mcp-remote, Cursor CurXecute and DuneSlide, MCPoison, MCP Inspector, Copilot YOLO mode) read as one pattern: untrusted input reaching a privileged action through a config the tool auto-trusts.
How agent security benchmarks actually score.
AgentDojo, InjecAgent, ASB, MCPSecBench, MSB, MCPTox measure different attack classes on different harnesses. A single ASR number out of context tells you almost nothing.
Oktsec Labs: measuring a defense's ASR delta with AgentDojo.
Run AgentDojo with and without a defense, report the ASR drop and the utility cost, and treat any isolated score as provisional until the attack adapts. Reproducible.
What the research shows about defending AI agents.
The 2025-2026 defense literature read as one document: detection defenses post the best isolated AgentDojo scores and lose to adaptive attacks, while pre-action authorization keeps its guarantee.
How exposed are MCP servers, really?
A meta-analysis of the 2025-2026 scans (Astrix, Trend Micro, Knostic, Enkrypt, MCPTox): the through-line across independent surveys is missing authentication and over-broad credentials, not exotic exploits.
Oktsec Labs: reproducing a tool-poisoning attack, and catching it.
A reproducible walkthrough: stand up a legitimate MCP server, poison a tool description, watch the agent follow it, then catch it with a static scan, and see why authorization at the boundary is the durable control.
Prompt injection is an authorization problem.
Filtering malicious input will keep failing. The durable fix is deciding what an agent is allowed to do before it acts, and verifying what it did after.
What an MCP server actually exposes.
A practical map of the tool surfaces, credentials and trust boundaries behind the Model Context Protocol, drawn from real audits.
Why policy for agents must be signed.
How signed bundles and pull initiated by the node keep policy verifiable from authoring to apply, even in isolated environments.
The agent supply chain is bigger than your dependency tree.
Packages, MCP servers, skills and the trust behind them: what agents pull into your environment and the failure patterns found monitoring 58,000+ published artifacts.
Agent work needs evidence, not trust.
What to record when agents do company work: per-call evidence, signed policy as the reference, and verification that closes the loop.
The identity stack for AI agents: what shipped, what didn't.
Signed Agent Cards, Enterprise-Managed Authorization, task-scoped tokens and delegation proofs, mapped layer by layer, with the per-instance gap nobody ships yet.
Authorization telemetry for AI agents.
Instrument the authorization decision on every tool call: a trace_authorization span with identity, tool, arguments and verdict, exported through OpenTelemetry.
How to secure an MCP server.
Deciding what a server's tools may do before an agent calls them, and verifying what happened after. The four surfaces, least privilege, and the current spec.
How to audit a Claude skill before you run it.
A skill is instructions an agent will follow. After ClawHavoc's 335 malicious skills, how to read one the way an attacker would, by hand and at scale.
The CSA Agentic Trust Framework, in plain terms.
What the Cloud Security Alliance framework says about zero trust for agents, and how its principles map to authorization, signed policy and verified evidence.
Detection versus authorization.
The two security models for AI agents, defined. Why agents break detection-first security and why authorization has to come first, with detection on top.
The Agent Security Checklist
The same checklist we run on client code, distilled from 250+ real vulnerabilities. Vendor-neutral, no product required.
From reading about agent risk to controlling it.
The control loop in these articles is the product. See it run on your own environments.