Why AI agent security can't wait

We're in the middle of the biggest infrastructure shift since cloud computing. AI agents are moving from demos to production — calling APIs, accessing databases, executing code, making decisions. And most of them are running with zero security checks.

I've been building Aguara Scanner and Oktsec precisely because of what I keep finding: the AI agent ecosystem has a massive security gap, and it's growing faster than anyone is addressing it.

What I'm seeing

After scanning thousands of MCP servers and agent configurations, the patterns are consistent and alarming:

• Tool poisoning is everywhere. MCP servers can inject instructions into tool descriptions that override agent behavior. Most developers don't even know this attack vector exists.
• No authentication by default. The majority of MCP servers have zero authentication. Anyone who can reach the endpoint can invoke any tool.
• Cross-origin escalation. Agents that connect to multiple MCP servers create implicit trust chains. A compromised server can leverage the agent's access to every other server it's connected to.
• Data exfiltration through tool outputs. Agents routinely pass sensitive data between tools without any filtering or boundary enforcement.

These aren't theoretical risks. They're in production systems right now.

Why this is different from traditional AppSec

Traditional application security has decades of tooling, frameworks, and best practices. SQL injection, XSS, CSRF — we have scanners, WAFs, and established patterns to prevent them.

AI agent security is fundamentally different:

The attack surface is dynamic. An agent's behavior depends on its prompt, the tools available, and the runtime context. The same agent can behave safely in one configuration and be completely vulnerable in another.

Trust boundaries are implicit. When an agent connects to an MCP server, it implicitly trusts every tool that server exposes. There's no granular permission model, no capability-based security, no principle of least privilege applied at the tool level.

The supply chain is unaudited. Developers are adding MCP servers to their agents the way they used to add npm packages — by searching a registry and installing whatever looks useful. Except there's no equivalent of npm audit, no vulnerability database, no CVE tracking.

That's exactly why we built Aguara Watch — to continuously monitor 40K+ skills across 7 registries and flag threats before they reach production.

The window is now

There's a narrow window where we can establish security patterns for this ecosystem before it calcifies. The same thing happened with web security — it took a decade of painful breaches before OWASP, CSP headers, and security-by-default frameworks became standard.

We don't have a decade. Agent adoption is moving at AI speed. If we don't build the security infrastructure now, we'll be retrofitting it onto a broken foundation for years.

That's what I'm focused on. Not AI security as a feature — AI agent security as infrastructure.

What needs to happen

1. Scanning before deployment. Every MCP server and agent configuration should be scanned for known vulnerability patterns before going live. That's what Aguara does with 148+ rules across 13 categories.
2. Runtime enforcement. Static scanning isn't enough. Agents need runtime security policies that prevent unauthorized actions as they happen. That's what Oktsec does at the MCP gateway layer.
3. Ecosystem monitoring. The threat landscape is evolving daily. New MCP servers appear, existing ones get updated, and novel attack patterns emerge. Continuous monitoring isn't optional — it's the baseline.
4. Open-source by default. Security tooling for a new ecosystem can't be locked behind vendor gates. The community needs to be able to inspect, contribute to, and build on these tools. That's why everything we build is open-source.

If you're deploying AI agents in production, the time to think about security is not after the first incident. It's now.