razashariff
# Signing an Agent Card is not Agent Security

AI agents are entering production. Financial services. Healthcare. Logistics. Government.

The security conversation so far has focused on one thing: identity. Sign the agent. Verify the card. Move on.

Identity is important. But it is the front door, not the building.

## What happens after the agent walks in?

A signed identity card tells you who the agent claims to be. It does not tell you:

  • Whether the agent's requests have been tampered with in transit
  • Whether the agent is replaying a previous request to bypass controls
  • Whether the agent is injecting malicious payloads through tool arguments
  • Whether the agent is exfiltrating data through its responses
  • Whether the agent is escalating its own privileges
  • Whether the agent's behaviour has drifted from its baseline
  • Whether the agent is trying to disable its own monitoring
  • What the agent actually did, with cryptographic proof, for your auditor

These are not edge cases. These are the attack surface of every agent in production today.

## The Agentic Security Ecosystem

Securing agents requires multiple layers. Here is what we built and ship today.


### MCPS -- Per-message signing for every interaction

Every tool call, every response, every message between agent and server is individually signed with a unique nonce and timestamp. Not the identity card -- the actual conversation. Tamper with a single byte and the signature breaks. Replay a captured request and the nonce rejects it.

MCPS is published as an IETF Internet-Draft and implemented as a zero-dependency npm package (mcp-secure) with 732 downloads in the last 30 days.

It is integrated into production fintech infrastructure where agents perform sanctions screening against global watchlists.

Patent supported.


### AgentPass -- Trust scoring before production access

Every agent gets evaluated across 8 dimensions before it touches production. Identity verification. Code integrity. Vulnerability exposure. Compliance mapping. Sandbox isolation. Behaviour monitoring. Cryptographic signing. Output filtering.

Pass the assessment, get a signed passport with a trust score (L0 to L4). Fail, and the agent is denied before it sees a single record.

The credit check for AI agents. No score, no access.

Live demo

Patent supported.


### OpenAPI x-agent-trust -- Peer-reviewed and merged

The OpenAPI Technical Direction Committee reviewed and merged our x-agent-trust extension into the official OpenAPI Extension Registry. This allows any API to declare agent trust requirements directly in its OpenAPI specification -- trust level, required scopes, signing algorithm.

Reviewed and merged by respected OpenAPI maintainers. Any API can now declare: "this endpoint requires a trust level of L2 or above, with a valid MCPS signature." The agent either meets the bar or gets denied.

Declared in the spec. Enforced at the gate.


### AEBA -- Runtime behaviour analysis (just released)

AEBA-XDR is the first SOC built specifically for AI agents.

It establishes a behavioural baseline per agent, then detects anomalies in real-time: rate spikes, category shifts, off-hours activity, tool probing, model drift, exfiltration patterns, self-escalation attempts, monitoring disable attempts.

36 detection rules across 6 packs (core, fintech, finserv, finops, insurance, EU AI Act). Every rule is mapped to MITRE ATT&CK technique IDs (T1566, T1565, T1499, T1070, T1110, T1078, T1020) and MITRE ATLAS AI-specific techniques (AML.T0051 prompt injection, AML.T0048 goal hijacking, AML.T0019 tool poisoning, AML.T0024 exfiltration, AML.T0031 model drift).

Detection latency under 1 millisecond. Hash-chained tamper-evident audit trail. Adaptive trust scoring. Self-healing on compromise.


### Cybersecify -- MCP security scanner for AI developers

20 tools available as an MCP server. Install with npx, add to your Claude or Cursor config, and scan any MCP server from inside your AI assistant. OWASP MCP Top 10 scanning, agent DAST, supply chain checks, package safety verification, and EU AI Act compliance mapping.

Works in Claude Desktop, Cursor, Windsurf, and any MCP-compatible client.

cybersecify.co.uk


## The gap

An agent with a signed identity card can still:

  • Send tampered requests -- no per-message signing
  • Replay captured requests -- no nonce or replay protection
  • Inject SQL, commands, or prompts -- no input inspection
  • Exfiltrate data through responses -- no output filtering
  • Escalate its own privileges -- no trust boundary enforcement
  • Drift from intended behaviour -- no runtime monitoring
  • Disable its own logging -- no monitoring protection
  • Operate without an audit trail -- no hash-chained evidence

Identity is layer one. Production security requires all eight.


## The full stack

Identity -- AgentPass
Trust scoring L0-L4 across 8 dimensions. No score, no access.

API Declaration -- OpenAPI x-agent-trust
Declare trust requirements in your API spec. Peer-reviewed, merged into official registry.

Signing -- MCPS
Per-message nonce + timestamp + HMAC. Every interaction signed. IETF Internet-Draft.

Runtime -- AEBA
Behavioural analysis. 36 rules. MITRE ATT&CK + ATLAS mapped. Sub-millisecond detection.

Developer -- Cybersecify
MCP scanner inside your AI assistant. 20 tools. Zero dependencies.


## Supporting Information

  • IETF drafts: MCPS
  • CVE-2026-39313 (CVSS 8.7) discovered and responsibly disclosed
  • OWASP AISVS Chapter 10: three contributed requirements (10.2.13, 10.4.11, 10.6.4)
  • OpenAPI x-agent-trust: merged into official extension registry
  • npm packages: mcp-secure, agentsign, agentpass, cybersecify -- all published
  • Fully patent supported across our whole tech stack.
  • Production integration live in fintech sanctions screening infrastructure

Agent security is not one layer. It is an ecosystem.


Raza Sharif
Founder, CyberSecAI Ltd
cybersecai.co.uk contact@agentsign.dev
