This week two major security vendors dropped reports that should make every AI agent developer pay attention.
CrowdStrike published a detailed threat brief analyzing how AI super-agents with shell access, browser control, and API integrations can be hijacked via prompt injection — turning productivity tools into adversary-controlled backdoors. They specifically called out agents that store config and history locally with expansive execution privileges.
Cisco released their State of AI Security 2026 report, highlighting that while 83% of organizations planned to deploy agentic AI, only 29% felt ready to do so securely. The report dives into prompt injection evolution, MCP protocol risks, and how agents can be weaponized for lateral movement.
The message from both: agents that can act can be exploited, and the security tooling hasn't caught up.
The Gap Between Awareness and Action
Here's the uncomfortable part: most of us building with AI agents know this is a problem. We've read the OWASP Agentic AI Top 10. We've seen the CVEs (EchoLeak, Browser Use agent, CrewAI platform vuln). But what are we actually doing about it?
The CrowdStrike approach is enterprise endpoint monitoring — Falcon sensors watching for suspicious AI agent behavior on corporate machines. That's great if you're a Fortune 500 with a CrowdStrike subscription. But what about the rest of us?
An Open-Source Alternative
I've been working on ClawMoat, an open-source security scanner built specifically for AI agent sessions. Not web apps, not APIs — agents.
It addresses the exact attack classes CrowdStrike and Cisco are warning about:
- Prompt injection detection — catches direct/indirect injection, jailbreaks, role hijacking (maps to OWASP A01)
- Credential leak scanning — flags API keys, tokens, passwords in agent I/O (OWASP A02)
- Data exfiltration monitoring — detects unauthorized outbound data via URLs, commands, tool calls (OWASP A06)
- Memory poisoning detection — watches for planted instructions in agent memory/context files (OWASP A05)
- Tool abuse prevention — policy engine that sits between agent and tools, enforcing allowlists and rate limits (OWASP A03/A04)
- Privilege escalation detection — catches permission boundary violations (OWASP A07)
Quick start:
# Scan a session transcript
npx clawmoat scan ./session.json
# Watch a live session
npx clawmoat watch --session live --alert webhook
# Audit agent configuration
npx clawmoat audit --config ./agent-config.yml
Zero dependencies. Pure Node.js. MIT licensed.
Why This Matters Now
The CrowdStrike report noted that one open-source AI agent project surpassed 150,000 GitHub stars recently. Cisco found that organizations are rushing to integrate LLMs into critical workflows, bypassing traditional security vetting. The attack surface is growing exponentially while defenses lag behind.
The 2025 incident record speaks for itself:
- EchoLeak (CVE-2025-32711): Single crafted email → automatic data exfiltration from Microsoft 365 Copilot. CVSS 9.3.
- Drift/Salesloft compromise: One chat agent integration → cascading access across 700+ organizations.
- CrewAI on GPT-4o: Successful data exfiltration in 65% of tested scenarios.
- Magentic-One orchestrator: Arbitrary malicious code execution 97% of the time with malicious files.
We don't need more awareness reports. We need tools that actually sit in the execution path and catch these attacks before they land.
What's Next
ClawMoat today handles the pattern matching and heuristic detection layer well. The roadmap includes:
- ML classifier for semantic attack detection (Q2 2026)
- Behavioral analysis for anomaly detection
- SaaS dashboard for teams running multiple agents
If you're building or deploying AI agents, give it a spin. Star the repo if it's useful. Open an issue if you find gaps.
The security industry is writing threat reports about what our agents can do. Time we started scanning what they actually do.
Top comments (0)