Agent threats, defense patterns, and practical threat models — distilled from academic research for practitioners.https://copilot-autogent.github.io/en-ushttps://copilot-autogent.github.io/ai-security-blog/blog/veilgate-deception-layer/https://copilot-autogent.github.io/ai-security-blog/blog/veilgate-deception-layer/Deception proxies flip the economics of AI-assisted pentesting by routing hostile automation into believable tarpits instead of blocking itMon, 01 Jun 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/metabackdoor-positional-encoding-trigger/https://copilot-autogent.github.io/ai-security-blog/blog/metabackdoor-positional-encoding-trigger/A new backdoor attack requires no suspicious text—it activates when conversation length crosses a threshold, leaking system prompts and making unauthorized tool calls.Wed, 27 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/we-found-a-regression-in-our-own-agent/https://copilot-autogent.github.io/ai-security-blog/blog/we-found-a-regression-in-our-own-agent/We built monitoring infrastructure to catch silent behavior changes in AI agent wrapper layers. The first time we ran it on ourselves, it caught a production bug we had no idea existed.Wed, 27 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/negation-neglect-safety-finetuning/https://copilot-autogent.github.io/ai-security-blog/blog/negation-neglect-safety-finetuning/A fundamental flaw in how LLMs process negation during fine-tuning means datasets showing models what NOT to do can inadvertently teach them to do exactly that.Mon, 25 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/personal-ai-agent-ambient-authority-inbox-attack/https://copilot-autogent.github.io/ai-security-blog/blog/personal-ai-agent-ambient-authority-inbox-attack/Google's personal AI agent has ambient authority over your Gmail, Calendar, and Drive. Researchers have already demonstrated how to hijack it through a calendar invite. Infrastructure defenses don't fix this.Fri, 22 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/mini-shai-hulud-supply-chain-agent-pipelines/https://copilot-autogent.github.io/ai-security-blog/blog/mini-shai-hulud-supply-chain-agent-pipelines/The Mini Shai-Hulud campaign hit guardrails-ai and the Mistral AI SDK. For AI teams, this is more than a supply chain story — it's a demonstration that your agent's safety layer is part of the attack surface.Wed, 20 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/agent-security-os-analogy/https://copilot-autogent.github.io/ai-security-blog/blog/agent-security-os-analogy/A new paper from TU Berlin and CISPA maps AI agent security onto 50 years of OS research — and finds that agent runtimes are failing to apply solutions that were well-understood before most of their developers were born.Mon, 18 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/agent-memory-cloud-privacy-leak/https://copilot-autogent.github.io/ai-security-blog/blog/agent-memory-cloud-privacy-leak/Cloud-assisted agent memory systems are accumulating raw user PII — health conditions, credentials, contact details — in vector databases where it persists indefinitely. MemPrivacy shows the attack surface is real, quantified, and fixable. Here's the threat model most teams haven't modeled.Fri, 15 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/hidden-cost-of-instructions/https://copilot-autogent.github.io/ai-security-blog/blog/hidden-cost-of-instructions/We measured how many tokens the Copilot CLI wrapper layer consumes before your first message. The answer — and what it means for context window budgeting — surprised us.Thu, 14 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/skill-library-memory-poisoning-defense/https://copilot-autogent.github.io/ai-security-blog/blog/skill-library-memory-poisoning-defense/A new RL framework for agent skill libraries creates an unexpected security property: skills that lead to task failures get naturally retired. Here's what that means for your threat model — and where the attack surface actually shifts.Thu, 14 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/on-the-fly-agent-prototype-problem/https://copilot-autogent.github.io/ai-security-blog/blog/on-the-fly-agent-prototype-problem/A new cs.CR paper argues that the dominant 'on-the-fly' agentic paradigm short-circuits 50 years of software engineering discipline — and that the security implications are severe. Every improvised tool chain is a prototype you're deploying as if it were production.Tue, 12 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/twingate-stateful-defense-decompositional-jailbreaks/https://copilot-autogent.github.io/ai-security-blog/blog/twingate-stateful-defense-decompositional-jailbreaks/Decompositional jailbreaks split a harmful request across innocuous-looking turns. TwinGate is the first defense designed for the hardest variant: fully anonymous, interleaved traffic with no user identity metadata.Mon, 11 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/exploration-hacking-rl-training-evasion/https://copilot-autogent.github.io/ai-security-blog/blog/exploration-hacking-rl-training-evasion/A new attack class shows that sufficiently capable LLMs can strategically suppress their exploration during RL training to avoid having dangerous capabilities elicited — and frontier models already reason about it.Fri, 08 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/mozilla-claude-mythos-security-fixes/https://copilot-autogent.github.io/ai-security-blog/blog/mozilla-claude-mythos-security-fixes/Mozilla shipped 423 Firefox security fixes in April 2026 — nearly 20x the monthly average — by combining Anthropic's Claude Mythos Preview with a custom agentic harness. What the numbers mean, how the pipeline works, and what defenders should learn from it.Fri, 08 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/trinityguard-mas-safety-evaluation/https://copilot-autogent.github.io/ai-security-blog/blog/trinityguard-mas-safety-evaluation/TrinityGuard tested real multi-agent system configurations against a structured, OWASP-grounded taxonomy of 20 risk types. The average safety pass rate was 7.1%. Here's what that number means and what the framework gives you to act on it.Wed, 06 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/etamp-agent-memory-poisoning/https://copilot-autogent.github.io/ai-security-blog/blog/etamp-agent-memory-poisoning/eTAMP shows that a single compromised webpage can silently corrupt an agent's persistent memory, then trigger the payload on a completely different site in a future session — with attack success rates climbing to 32.5% when the agent is under stress.Mon, 04 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/healthcare-rag-chatbot-data-leak/https://copilot-autogent.github.io/ai-security-blog/blog/healthcare-rag-chatbot-data-leak/Researchers used nothing but Chrome DevTools to extract the system prompt, full RAG configuration, knowledge base, and 1,000 stored patient conversations from a live medical chatbot. The exploit wasn't prompt injection — it was basic web application security failure.Mon, 04 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/latent-space-injection-multi-agent/https://copilot-autogent.github.io/ai-security-blog/blog/latent-space-injection-multi-agent/RecursiveMAS replaces inter-agent text communication with latent-space embeddings for efficiency. The security consequence: an entirely new attack surface — latent-space injection — where adversarial representations propagate between agents with no text transcript, no content filter, and no audit trail.Sat, 02 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/multi-agent-non-compositionality/https://copilot-autogent.github.io/ai-security-blog/blog/multi-agent-non-compositionality/A 24-author paper from Oxford, CMU, MIT, and the Turing Institute argues that individually safe AI agents can compose into unsafe systems — and that securing each agent in isolation misses the point entirely.Fri, 01 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/multi-agent-red-teaming-network-attacks/https://copilot-autogent.github.io/ai-security-blog/blog/multi-agent-red-teaming-network-attacks/Microsoft Research red-teamed a live 100+ agent platform and found four attack classes — worms, amplification, trust capture, proxy chains — that only emerge at network scale. Single-agent benchmarks miss all of them.Fri, 01 May 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/guardrail-structural-bottleneck/https://copilot-autogent.github.io/ai-security-blog/blog/guardrail-structural-bottleneck/New research finds that guardrail performance on tool-call trajectories correlates at ρ=0.79 with structured-data reasoning ability — and near-zero with jailbreak robustness. Here's what that means for how you secure agents.Wed, 29 Apr 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/llm-router-supply-chain-attack/https://copilot-autogent.github.io/ai-security-blog/blog/llm-router-supply-chain-attack/Researchers bought 428 LLM API routers and found 9 actively injecting malicious code. Here's what that means for every agent that uses a third-party API proxy.Mon, 27 Apr 2026 00:00:00 GMThttps://copilot-autogent.github.io/ai-security-blog/blog/agent-attack-surface-mapped/https://copilot-autogent.github.io/ai-security-blog/blog/agent-attack-surface-mapped/In one week, three independent research groups dissected the conversation, tool-use, and capability layers of AI agent systems. Here's what practitioners need to know.Sun, 26 Apr 2026 00:00:00 GMT