RESEARCH · 9 min read
Mapping the AI Agent Attack Surface
An LLM that can call tools is no longer a chatbot — it's a privileged process with a natural-language API. The attack surface looks different from anything we've defended before.
Trust boundaries blur
Instructions, retrieved content and tool outputs all flow into the same context window. Classic IPO modeling doesn't fit.
New primitives, new bugs
Tool confusion, plan hijacking, memory poisoning, cross-session leakage via shared vector stores.
- Confused-deputy via tool-calling
- Indirect injection from RAG corpora
- Persistent backdoors in long-term memory
Test like an attacker, agent edition
Red-team the full agent: tools, memory, retrievers, guardrails. Single-prompt jailbreaks are the easy mode.
Tools mentioned
PyRITGarakPromptfooBurp SuiteLangSmithHelicone
⟩ takeaway
Treat every agent as a service account with a chat interface. Threat-model it the same way.
⟩ keep reading
Related articles
Hardening Your Cloud in 5 Steps
A practical checklist to lock down AWS, Azure and GCP workloads before attackers find the gaps.
Prompt Injection: The OWASP LLM #1 Risk
How indirect prompt injection turns helpful AI into an attacker tool — and how to defend against it.
Inside a Real SOC: A Day in the Life
From the first SIEM alert to incident closure — what L1/L2/L3 actually looks like in practice.