Agentjacking Attack Exposes Critical Gap in AI Agent Security

The Agentjacking Attack: How It Works and Why It Succeeds

In June 2026, Tenet Security disclosed a new attack vector—agentjacking—that exploits the trusted connections between AI coding agents and monitoring tools like Sentry, Datadog, PagerDuty, and Jira. In controlled testing, a single crafted Sentry error event injected attacker instructions into error data that Claude Code, Cursor, and Codex executed as trusted diagnostic output. The attack achieved an 85% success rate across 100+ targets. No credentials were stolen, no policy was violated, no perimeter was breached. Every step in the chain was authorized. That is the problem.

Tenet identified 2,388 organizations with publicly exposed Sentry credentials that could be used to inject malicious events at scale. One captured Claude Code environment held a live AWS secret access key and private repository URLs. The Cloud Security Alliance classified agentjacking as a systemic MCP vulnerability class within days of the disclosure. Sentry called the flaw "technically not defensible."

Why Traditional Security Fails Against Authorized Attacks

Agentjacking works because every step is authorized: The attacker sends a valid Sentry API call using a public DSN, the MCP server returns the injected event as authentic output, and the agent executes the instruction using the developer's privileges. No signature fired. EDR, WAF, IAM, and the firewall all missed it completely. SOC teams have never needed to distinguish between a developer running an npm install and an agent running that command in response to a malicious error event. That distinction did not exist until AI coding agents became production tools. The stack that cannot make it is the stack agentjacking bypasses.

This is not a vulnerability in Sentry or any single tool. It is a structural weakness in how enterprises trust data from MCP-connected sources. As CrowdStrike CTO Elia Zaitsev noted, "People have kind of forgotten about runtime security. We did this with endpoint, virtualization, and cloud. People focused on patching vulnerabilities, locking down permissions. Somehow, they always seem to miss something. The safety net is runtime."

The Identity Gap: Treating Agents as Privileged Insiders

Five independent surveys from the first half of 2026 reveal a consistent pattern: enterprises trust their AI agents far more than their enforcement justifies. Only 34% of organizations apply the same security controls to AI agents as to humans, according to an Okta/Apprize360 survey of 784 respondents. 52% of employees use unapproved AI tools, and 58% of executives reported an AI-related incident or close call in the prior year.

HiddenLayer's 2026 AI Threat Landscape Report surveyed 250 IT and security leaders: 33% reported agents had already exceeded intended scope, and 31% could not confirm whether they had experienced an AI breach. One in eight AI breaches was linked to agentic systems. Gravitee's survey of over 900 executives and practitioners found only 14.4% of agents went live with full security approval, and 88% reported confirmed or suspected incidents. A follow-up of 750 leaders in April found agent estates had doubled while monitoring barely moved.

"Securing agents looks very similar to securing highly privileged users," said Zaitsev. "They have identities, access to underlying systems, they reason, they take action." Yet only 22% treat agents as independent identity-bearing entities. 45.6% rely on shared API keys for agent-to-agent authentication. 61% of privileged access is fulfilled without proper review. An agent with a static OAuth token and no review cycle is a permanent privileged account with no termination date.

Regulatory Pressure: EU AI Act and the August 2 Deadline

The EU AI Act's high-risk compliance obligations take effect August 2, 2026. This deadline creates urgent demand for agent security solutions. Organizations that cannot distinguish agent-initiated actions from human-initiated actions in production telemetry will struggle to meet disclosure timelines under GDPR, CCPA, HIPAA, and SEC cybersecurity rules. Agentjacking proved that EDR, WAF, IAM, and firewall pass an agent-mediated attack without a single alert. Without runtime detection specific to agents, breach detection certainty is unachievable.

Kayne McGladrey, an IEEE Senior Member, described the structural challenge: "The CISO doesn't have the budget. The CISO doesn't have the staff. We can observe risks, we can advise on business risks, but we don't own the business systems affected by those risks." When agent governance spans six departmental budgets, no single executive can confirm whether agents get the same access reviews as humans.

Strategic Implications for Enterprises and Vendors

Agentjacking strips away an assumption that has survived every security architecture since the first firewall went live: authorized means safe. When every step in the chain is legitimate, the only defense that matters is the one watching what agents do. Not what policies say. What agents do.

For enterprises, the immediate priority is to treat every agent as a privileged insider. That means adding every production agent to the next access review cycle, mandating human-in-the-loop for any action touching PII, financial data, or production infrastructure, and replacing shared API keys with scoped, short-lived tokens. The five-question gap test from the Tenet disclosure provides a practical framework: agent inventory, controls parity, scope drift, governance perception gap, and breach detection certainty.

For vendors, the market is shifting from traditional perimeter and endpoint security to identity-centric agent security. CrowdStrike shipped Continuous Identity for AI Agents on June 15, replacing static policies with continuous enforcement that authorizes every agent action in real time. This control class—continuous action-level authorization with verifiable agent identity—is now a baseline procurement criterion regardless of vendor. Traditional security vendors whose products were bypassed by agentjacking face an existential threat unless they can demonstrate agent-specific runtime detection.

Assaf Keren, chief security officer at Qualtrics and former CISO at PayPal, put it plainly: "The real risk starts not by the implementation of AI systems. It is the fact that baseline architecture is not well established. When we put an AI system on top of something not architected well, we are accelerating the fractures." Keren called runtime behavior analytics "an unsolved problem right now."

Action Plan: Closing the Runtime Security Gap

The security teams getting this right are the ones that started with a complete inventory and worked forward from there. Commission a full agent, MCP server, and LLM automation census before any Q3 vendor evaluation. Make census completion a procurement gate. Flag any agent discovered post-census as a shadow AI incident.

Test the perception gap before investing in new tooling. One question to 50 knowledge workers: Do you know your company's AI agent policies? If the gap between their answer and leadership's answer exceeds 15 points, that is the problem to solve first. No vendor product fixes a governance posture your own workforce does not recognize.

Require agent-specific runtime detection as a procurement prerequisite. Confirm your organization can distinguish agent-initiated actions from human-initiated actions in production telemetry. Test your SOC's ability to attribute a specific action to a specific agent within 60 minutes. The EU AI Act deadline is August 2, 2026. The clock is ticking.

Source: VentureBeat