# AI Agent Security Blog: Research, CVE Analysis, Runtime Defense
Canonical URL: https://pipelab.org/blog/
Description: Security research and practical guides for AI agent security. Attack breakdowns, CVE analysis, runtime defense strategies, agent firewall implementation.
Subtitle: Field notes on agent firewalls, MCP security, runtime guardrails, and the people who use them.

## Overview
Technical field notes for builders running AI agents with real network access. Posts cover agent firewalls, MCP security, runtime containment, signed receipts, and operational lessons from Pipelock deployments.
## Pages
- [Pipelock v2.6: Inspection Moves to the Operation Boundary](https://pipelab.org/blog/pipelock-v260-release/): Pipelock v2.6 adds operation-level request policy, file-borne injection detection, hook-based agent inspection, and MCP hardening from NSA guidance.

- [What Stateless MCP Means for Agent Runtime Security](https://pipelab.org/blog/what-stateless-mcp-means-for-agent-runtime-security/): MCP 2026-07-28 removes Mcp-Session-Id, the initialize handshake, and resumable streams. What stateless means for runtime agent security.

- [What the NSA's MCP security guidance says, and what an agent firewall does](https://pipelab.org/blog/nsa-mcp-security-guidance/): NSA MCP security guidance names outgoing proxies, DLP, sandboxing, message integrity, and output filtering. Where an agent firewall fits.

- [Pipelock v2.5.0: Portable Audit Evidence and Host Containment](https://pipelab.org/blog/pipelock-v250-release/): Pipelock v2.5.0 ships Audit Packet verifiers, host containment lifecycle commands, strict federation, MCP integrity, and IDE installers.

- [Per-Pod NetworkPolicy in Practice: Migrating Five Agents in a Day](https://pipelab.org/blog/per-pod-networkpolicy-five-agents-field-report/): A per-pod NetworkPolicy migration for AI agents: ConfigMap drift, init container egress, identity binding, and VPN sidecars.

- [Mediator Receipts: The Question to Ask About Agent Attestation](https://pipelab.org/blog/independent-attestation-mediator-receipts/): Signed receipts are real. Who holds the key is what decides whether they're evidence or self-report. Architecture question for any AI agent posture.

- [Three Things "Set HTTPS_PROXY" Cannot Stop](https://pipelab.org/blog/three-things-https-proxy-cannot-stop/): HTTPS_PROXY is cooperative. Three bypass classes the kernel does not enforce: subprocess env-clear, non-HTTP transports, and NO_PROXY domain matches.

- [Capture and Replay: Testing Security Policy Without Production Risk](https://pipelab.org/blog/capture-replay-policy-shadow-deploy/): Learn-and-lock records verdicts, replays candidate contracts, and reports the diff. Test Pipelock policy before promotion.

- [Pipelock Agent Egress Control: the missing CI primitive for AI agents](https://pipelab.org/blog/agent-egress-control-launch/): Pipelock Agent Egress Control v0.1.0: GitHub Action that wraps agent scripts in kernel-enforced network containment and writes signed Audit Packets.

- [Wedge Detection: Knowing Your Security Proxy Still Works](https://pipelab.org/blog/wedge-detection-security-proxy/): Wedge detection catches a security proxy that is running but stuck. Liveness probes pass while scans stop draining. The fix is a watchdog.

- [Block-Reason Headers: Make Your Security Proxy Tell You Why](https://pipelab.org/blog/block-reason-headers-agent-debugging/): A generic 403 burns retry budget. X-Pipelock-Block-Reason gives agent firewalls a structured reason, severity, and retry hint.

- [What Pipelock Inspects, And What Tool Policy Inspects Instead](https://pipelab.org/blog/pipelock-inspection-layers/): Pipelock scans HTTP, MCP, and WebSocket wire bytes for DLP, injection, and SSRF. Opaque media gets caught at the tool layer instead. Here's the split.

- [subPath ConfigMap Mounts Don't Hot-Reload: Silent Drift in Kubernetes](https://pipelab.org/blog/subpath-configmap-no-hot-reload/): subPath ConfigMap mounts in Kubernetes do not propagate updates to running pods. The mount is frozen at creation. What breaks and how to avoid it.

- [Webhook vs Egress: Two Architectures for AI Agent Security](https://pipelab.org/blog/webhook-vs-egress-ai-agent-security/): Webhook-based runtime monitoring and network-egress firewalls catch different agent attacks. Where each fits and why most serious deployments need both.

- [The Three-UID Containment Pattern for AI Agents on Linux](https://pipelab.org/blog/three-uid-agent-containment-linux/): Naive Linux agent containment uses two UIDs and leaks. The right model uses three: operator, proxy-runner, agent-runner. Here is the working chain.

- [Politeness vs Enforcement: Why "Set HTTPS_PROXY" Isn't a Security Control](https://pipelab.org/blog/politeness-vs-enforcement-https-proxy/): HTTPS_PROXY is policy, not enforcement. The kernel does not enforce environment variables. How agent egress controls fail and how to fix them.

- [Pipelock v2.4.0: Learn-and-Lock Contracts for Agent Traffic](https://pipelab.org/blog/pipelock-v240-release/): Pipelock v2.4.0 ships learn-and-lock contracts, block reason headers, inbound envelope verification, Gemini redaction, and health checks.

- [Pipelock v2.3.0: Class-Preserving Redaction and Generic SSE Streaming](https://pipelab.org/blog/pipelock-v230-release/): Pipelock v2.3.0 ships class-preserving redaction across request transports, plus inline scanning for text/event-stream responses.

- [Pipelock v2.2.0: Companion Proxies, Session Recovery, and Signed Mediation](https://pipelab.org/blog/pipelock-v220-release/): Pipelock v2.2.0 adds Kubernetes companion-proxy generation, session recovery, posture verification, signed mediation, and strict YAML validation.

- [What CSA, SANS, and OWASP Just Told Every CISO About Runtime Agent Security](https://pipelab.org/blog/mythos-ready-in-20-minutes/): CSA, SANS, and OWASP published a Mythos-Ready playbook. Four priority actions call for egress filtering and machine-speed containment.

- [Why AI Guardrails Aren't Enough for Agent Security](https://pipelab.org/blog/why-ai-guardrails-arent-enough/): AI guardrails classify prompts and completions. They miss HTTP exfiltration, MCP tool poisoning, and network-layer attacks. What to add alongside.

- [The AI Agent Security Acquisition Wave: What It Means for Buyers](https://pipelab.org/blog/ai-agent-security-acquisition-wave-2026/): AI agent security acquisitions: Snyk, F5, Check Point, SentinelOne, Proofpoint. What the M&A wave means for buyers and why open-source matters.

- [Best AI Agent Security Tools 2026: 24 Options by Boundary](https://pipelab.org/blog/best-ai-agent-security-tools-2026/): Compare AI agent security tools for 2026 by boundary: model gateway, MCP gateway, identity, platform governance, containment, and egress.

- [Why Domain Allowlists Aren't Enough for AI Agent Security](https://pipelab.org/blog/why-domain-allowlists-arent-enough/): Domain allowlists stop agents reaching bad destinations but miss credential leaks, injection, and tool poisoning on approved traffic.

- [MCP Scanner Comparison: Cisco vs Snyk vs Pipelock](https://pipelab.org/blog/mcp-scanner-comparison-2026/): MCP scanner comparison: Cisco mcp-scanner, Snyk agent-scan, and Pipelock. Pre-deploy scanning vs runtime protection. What each catches.

- [The State of MCP Security 2026: Incidents, Attack Patterns, and Defense Coverage](https://pipelab.org/blog/state-of-mcp-security-2026/): State of MCP Security 2026: public incidents, CVE trends, OWASP MCP Top 10 mapping, and control coverage across scanners, gateways, and inspection tools.

- [Claude Mythos Can Find Zero-Days. What Happens When Your Coding Agent Can Too?](https://pipelab.org/blog/claude-mythos-agent-security/): Claude Mythos finds zero-days in code. When that capability runs inside a coding agent with your API keys, egress inspection is essential.

- [I published my benchmark scores. Your turn.](https://pipelab.org/blog/pipelock-gauntlet-public-benchmark/): Pipelock runs agent-egress-bench before every release and publishes the scores. The gauntlet is open to any security tool. Submit your results.

- [LinkedIn Scanned 6,222 Browser Extensions. Your AI Agent's Browser Is Next.](https://pipelab.org/blog/linkedin-browsergate-agent-fingerprinting/): AI agent fingerprinting using the same technique as LinkedIn's BrowserGate. Headless Chromium browsers running AI agents are the next target.

- [When Your AI Agent Makes an HTTP Request](https://pipelab.org/blog/what-happens-when-your-agent-makes-http-request/): AI agents make HTTP requests with your secrets in memory. Exfiltration, tool poisoning, and injection are real risks. Here's how to catch them.

- [Cross-Request Exfiltration: 5 Requests Leak a Key](https://pipelab.org/blog/cross-request-exfiltration/): Per-request DLP scans each request in isolation. An agent splitting secrets across multiple requests bypasses it. Cross-request detection catches it.

- [We built a test corpus for AI agent egress security tools](https://pipelab.org/blog/agent-egress-bench-benchmark-corpus/): Agent Egress Bench: open-source test corpus for AI agent security tools. 72 cases covering secret exfiltration, prompt injection, SSRF, and tool poisoning.

- [Your agent leaks secrets in POST bodies, not just URLs](https://pipelab.org/blog/secrets-in-post-bodies/): AI agent secret leaks through POST bodies that URL scanning misses. JSON fields, form data, multipart uploads, and headers bypass URL-level DLP.

- [Your MCP server's tool descriptions are an attack surface](https://pipelab.org/blog/tool-poisoning-mcp-attack-surface/): MCP tool poisoning through hidden instructions in tool descriptions. A malicious server injects commands your agent obeys. The attack and defense.

- [OBLITERATUS Stripped Your Model's Safety. The Network Layer Is What's Left.](https://pipelab.org/blog/guardrails-deleted-now-what/): OBLITERATUS strips refusal training from open-weight models via weight ablation. When the model won't say no, the network layer is your last defense.

- [CVE-2026-25253: WebSocket Hijacking in OpenClaw AI Agents](https://pipelab.org/blog/openclaw-cve-2026-25253/): A CVSS 8.8 vulnerability in OpenClaw lets attackers hijack agent sessions via cross-site WebSocket. The attack chain and how to add defense-in-depth.

- [Your AI agent leaks API keys through DNS queries](https://pipelab.org/blog/dns-exfil-ai-agent/): DNS exfiltration lets AI agents leak secrets before HTTP scanning starts. Here's the attack, the proof, and why scan ordering matters.

- [Every protocol your agent speaks, scanned](https://pipelab.org/blog/every-protocol-your-agent-speaks-scanned/): AI agent protocol security across HTTP, MCP, and WebSocket. Each protocol has its own attack surface. Here's what can go wrong and how to scan it.

- [Your Agent Just Leaked Your AWS Keys: The Attack and Fix](https://pipelab.org/blog/your-agent-just-leaked-your-aws-keys/): A prompt injection tells your coding agent to exfiltrate credentials via HTTP. No malware. Here's the attack, the output, and the config that stops it.

- [What Is an Agent Firewall? A Plain-Language Explainer](https://pipelab.org/blog/what-is-an-agent-firewall/): Plain-language explainer on what an agent firewall is, what it catches, and how it differs from a WAF or older egress proxy for AI agents.

- [EU AI Act Runtime Security: What You Need Before August](https://pipelab.org/blog/eu-ai-act-runtime-security/): The EU AI Act high-risk deadline is August 2, 2026, but compliance standards lag behind. What to build now if you run AI agents.

- [First AI Agent Espionage Campaign](https://pipelab.org/blog/first-ai-agent-espionage-campaign/): GTG-1002 is the first AI agent espionage campaign. A state actor jailbroke Claude Code for autonomous hacking. What defenses actually work.

- [What's next for Pipelock: the v0.2 roadmap](https://pipelab.org/blog/pipelock-v02-roadmap/): Historical v0.2 Pipelock roadmap (Feb 2026). GitHub Actions, MCP input scanning, smart DLP, enterprise tier. Current state in the v2.5.0 release post.

- [Wrapping Claude Code MCP Servers with Pipelock](https://pipelab.org/blog/securing-claude-code-with-pipelock/): Wrap Claude Code's MCP servers through Pipelock to scan responses for prompt injection and tool poisoning before they reach the context window.

- [283 ClawHub Skills Are Leaking Your Secrets](https://pipelab.org/blog/leaky-clawhub-skills/): ClawHub security risk: Snyk found 283 skills leaking API keys through the LLM context window. Static scanning misses runtime exfiltration.

- [One Injection, Whole Mesh: Lateral Movement in Multi-Agent LLMs](https://pipelab.org/blog/lateral-movement-multi-agent-llm/): How a single prompt injection spreads laterally through multi-agent LLM systems via shared files, MCP servers, and tool delegation, and what blocks it.