https://pipelab.org/blog/Recent content in AI Agent Security Blog: Research, CVE Analysis, Runtime Defense on PipeLabHugoen-usSat, 13 Jun 2026 00:00:00 +0000https://pipelab.org/blog/pipelock-v260-release/Sun, 31 May 2026 00:00:00 +0000https://pipelab.org/blog/pipelock-v260-release/Pipelock v2.6 decides egress by operation, not just by host: allow or deny individual API and GraphQL operations, catch prompt injection hidden in files, bridge hook-based agent events into the scanner pipeline, and harden MCP against the attack chains the NSA guidance calls out.https://pipelab.org/blog/what-stateless-mcp-means-for-agent-runtime-security/Sat, 23 May 2026 00:00:00 +0000https://pipelab.org/blog/what-stateless-mcp-means-for-agent-runtime-security/MCP 2026-07-28 deletes the session. Here’s what that changes at the runtime layer, and why outside-the-agent mediation matters more under stateless.https://pipelab.org/blog/nsa-mcp-security-guidance/Fri, 22 May 2026 00:00:00 +0000https://pipelab.org/blog/nsa-mcp-security-guidance/The NSA’s May 2026 MCP guidance names filtering outgoing proxies, DLP, sandboxing, message integrity, output filtering, and local MCP scans. Here is where an agent firewall fits.https://pipelab.org/blog/pipelock-v250-release/Wed, 20 May 2026 00:00:00 +0000https://pipelab.org/blog/pipelock-v250-release/Pipelock v2.5.0 adds Audit Packet verifiers, host containment lifecycle commands, strict federation, MCP integrity manifests, and broader IDE coverage.https://pipelab.org/blog/per-pod-networkpolicy-five-agents-field-report/Fri, 15 May 2026 00:00:00 +0000https://pipelab.org/blog/per-pod-networkpolicy-five-agents-field-report/A field report on moving five Kubernetes-deployed AI agents from in-pod sidecars to companion-pod separation. The non-glamorous lessons that burned cycles.https://pipelab.org/blog/independent-attestation-mediator-receipts/Wed, 13 May 2026 00:00:00 +0000https://pipelab.org/blog/independent-attestation-mediator-receipts/Signed receipts from your AI agent are real. Who held the pen is what decides whether they’re evidence or self-report.https://pipelab.org/blog/three-things-https-proxy-cannot-stop/Wed, 13 May 2026 00:00:00 +0000https://pipelab.org/blog/three-things-https-proxy-cannot-stop/Setting HTTPS_PROXY is policy. Three bypass shapes the kernel doesn’t agree with: env-cleared subprocesses, non-HTTP transports, and NO_PROXY domains.https://pipelab.org/blog/capture-replay-policy-shadow-deploy/Tue, 12 May 2026 00:00:00 +0000https://pipelab.org/blog/capture-replay-policy-shadow-deploy/Changing a live security policy breaks workflows somewhere. Record real verdicts, replay against the candidate config, see the diff before you ship.https://pipelab.org/blog/agent-egress-control-launch/Sun, 10 May 2026 00:00:00 +0000https://pipelab.org/blog/agent-egress-control-launch/Pipelock Agent Egress Control is a GitHub Action that runs an agent script through Pipelock with kernel-enforced network containment and produces a signed Audit Packet a third party can verify.https://pipelab.org/blog/wedge-detection-security-proxy/Sun, 10 May 2026 00:00:00 +0000https://pipelab.org/blog/wedge-detection-security-proxy/A liveness probe that returns 200 doesn’t prove the request pipeline is making progress. Monitoring can stay green while enforcement stalls. Here’s how to detect that.https://pipelab.org/blog/block-reason-headers-agent-debugging/Sat, 09 May 2026 00:00:00 +0000https://pipelab.org/blog/block-reason-headers-agent-debugging/A 403 from a security proxy with no reason is a black hole for the agent. The X-Pipelock-Block-Reason header gives the agent a structured signal it can route around.https://pipelab.org/blog/pipelock-inspection-layers/Fri, 08 May 2026 00:00:00 +0000https://pipelab.org/blog/pipelock-inspection-layers/Pipelock scans wire bytes. Opaque media bytes pass through that layer untouched and get caught at a different layer: tool policy URL rules and tool-chain detection.https://pipelab.org/blog/subpath-configmap-no-hot-reload/Thu, 07 May 2026 00:00:00 +0000https://pipelab.org/blog/subpath-configmap-no-hot-reload/Mount a ConfigMap with subPath and kubelet stops propagating updates. Your service’s hot-reload watches a frozen file. Documented behavior, easy to miss, real impact.https://pipelab.org/blog/webhook-vs-egress-ai-agent-security/Thu, 07 May 2026 00:00:00 +0000https://pipelab.org/blog/webhook-vs-egress-ai-agent-security/Webhook-based controls work when the platform cooperates. Network-egress firewalls work at the traffic boundary. Here is where each fits.https://pipelab.org/blog/three-uid-agent-containment-linux/Wed, 06 May 2026 00:00:00 +0000https://pipelab.org/blog/three-uid-agent-containment-linux/A working agent containment story on Linux needs three UIDs, not two. The proxy UID has internet by design, so the agent UID has to be a third identity.https://pipelab.org/blog/politeness-vs-enforcement-https-proxy/Tue, 05 May 2026 00:00:00 +0000https://pipelab.org/blog/politeness-vs-enforcement-https-proxy/HTTPS_PROXY env vars and tool deny-lists are policy, not enforcement. Here’s the line between them and what crossing it actually takes.https://pipelab.org/blog/pipelock-v240-release/Mon, 04 May 2026 00:00:00 +0000https://pipelab.org/blog/pipelock-v240-release/Pipelock v2.4.0 adds observed-traffic contracts, shadow replay, block reason headers, inbound envelope verification, and Gemini redaction.https://pipelab.org/blog/pipelock-v230-release/Fri, 24 Apr 2026 00:00:00 +0000https://pipelab.org/blog/pipelock-v230-release/Pipelock v2.3.0 adds class-preserving request redaction and generic SSE streaming response scanning, plus a release-blocker pass and a tech-debt sprint.https://pipelab.org/blog/pipelock-v220-release/Fri, 17 Apr 2026 00:00:00 +0000https://pipelab.org/blog/pipelock-v220-release/Pipelock v2.2.0 adds Kubernetes companion-proxy generation, session recovery controls, posture verification, signed mediation, and strict YAML parsing.https://pipelab.org/blog/mythos-ready-in-20-minutes/Mon, 13 Apr 2026 00:00:00 +0000https://pipelab.org/blog/mythos-ready-in-20-minutes/A joint briefing from CSA, SANS, and OWASP lays out 11 priority actions for the post-Mythos threat environment. Four of them describe runtime agent controls in detail but name zero tools. Here is what they are asking for.https://pipelab.org/blog/why-ai-guardrails-arent-enough/Sun, 12 Apr 2026 00:00:00 +0000https://pipelab.org/blog/why-ai-guardrails-arent-enough/AI guardrails classify prompts and completions at the model layer. They miss everything that happens in HTTP, MCP, and tool responses. Here’s what else you need.https://pipelab.org/blog/ai-agent-security-acquisition-wave-2026/Sun, 12 Apr 2026 00:00:00 +0000https://pipelab.org/blog/ai-agent-security-acquisition-wave-2026/Six AI agent security deals announced in recent months (five closed, one pending). What the consolidation means for buyers, and why permissive licensing still matters.https://pipelab.org/blog/best-ai-agent-security-tools-2026/Sun, 12 Apr 2026 00:00:00 +0000https://pipelab.org/blog/best-ai-agent-security-tools-2026/25 AI agent security options mapped to the six boundaries: model gateway, MCP gateway, identity, platform governance, runtime containment, and network egress.https://pipelab.org/blog/why-domain-allowlists-arent-enough/Sun, 12 Apr 2026 00:00:00 +0000https://pipelab.org/blog/why-domain-allowlists-arent-enough/Domain allowlisting is a necessary first layer for agent egress control. It is not sufficient on its own. Here’s what gets through, with receipts.https://pipelab.org/blog/mcp-scanner-comparison-2026/Sun, 12 Apr 2026 00:00:00 +0000https://pipelab.org/blog/mcp-scanner-comparison-2026/Three MCP security tools compared: Cisco mcp-scanner, Snyk agent-scan (formerly Invariant), and Pipelock. What each catches and where they differ.https://pipelab.org/blog/state-of-mcp-security-2026/Sun, 12 Apr 2026 00:00:00 +0000https://pipelab.org/blog/state-of-mcp-security-2026/A data-backed look at MCP security in 2026: public incidents, disclosed CVEs, OWASP MCP Top 10 mapping, and control coverage across scanners, gateways, and runtime inspection.https://pipelab.org/blog/claude-mythos-agent-security/Wed, 08 Apr 2026 00:00:00 +0000https://pipelab.org/blog/claude-mythos-agent-security/Anthropic’s Mythos model finds zero-day vulnerabilities autonomously. That same capability, running inside a coding agent with your credentials, is a different kind of threat.https://pipelab.org/blog/pipelock-gauntlet-public-benchmark/Mon, 06 Apr 2026 00:00:00 +0000https://pipelab.org/blog/pipelock-gauntlet-public-benchmark/Every score published. Pipelock runs the gauntlet before every release and posts the results for anyone to inspect.https://pipelab.org/blog/linkedin-browsergate-agent-fingerprinting/Sat, 04 Apr 2026 00:00:00 +0000https://pipelab.org/blog/linkedin-browsergate-agent-fingerprinting/LinkedIn’s BrowserGate scandal exposed mass extension fingerprinting via first-party JavaScript. The same technique works against headless Chromium browsers running AI agents, and DNS blocking can’t stop it.https://pipelab.org/blog/what-happens-when-your-agent-makes-http-request/Wed, 25 Mar 2026 00:00:00 +0000https://pipelab.org/blog/what-happens-when-your-agent-makes-http-request/You gave your AI agent your secrets and network access. Three things can go wrong, and none of them look like traditional security problems.https://pipelab.org/blog/cross-request-exfiltration/Wed, 11 Mar 2026 00:00:00 +0000https://pipelab.org/blog/cross-request-exfiltration/Per-request DLP scans each request in isolation. An agent that splits a secret across five requests gets five clean scans and a successful exfiltration. Cross-request detection fixes that.https://pipelab.org/blog/agent-egress-bench-benchmark-corpus/Sun, 08 Mar 2026 00:00:00 +0000https://pipelab.org/blog/agent-egress-bench-benchmark-corpus/72 attack cases across 8 categories. Secret exfiltration, prompt injection, MCP tool poisoning, chain detection. Any security tool can run against it. No vendor lock-in.https://pipelab.org/blog/secrets-in-post-bodies/Fri, 06 Mar 2026 00:00:00 +0000https://pipelab.org/blog/secrets-in-post-bodies/URL scanning catches secrets in hostnames and query strings. But agents also make POST requests. Secrets in JSON bodies, form fields, multipart uploads, and HTTP headers bypass URL-level DLP entirely.https://pipelab.org/blog/tool-poisoning-mcp-attack-surface/Thu, 05 Mar 2026 00:00:00 +0000https://pipelab.org/blog/tool-poisoning-mcp-attack-surface/MCP tool descriptions go straight into your agent’s context window. A malicious server hides instructions in them. Your agent reads them and obeys. Here’s the attack, three variants, and what catches it at the network layer.https://pipelab.org/blog/guardrails-deleted-now-what/Thu, 05 Mar 2026 00:00:00 +0000https://pipelab.org/blog/guardrails-deleted-now-what/OBLITERATUS and similar tools remove safety guardrails from open-weight models using weight ablation. When the model won’t refuse, your only defense is the network layer.https://pipelab.org/blog/openclaw-cve-2026-25253/Tue, 03 Mar 2026 00:00:00 +0000https://pipelab.org/blog/openclaw-cve-2026-25253/A CVSS 8.8 vulnerability in OpenClaw lets attackers hijack agent sessions via cross-site WebSocket. The attack chain, what each step does, and how to add defense-in-depth.https://pipelab.org/blog/dns-exfil-ai-agent/Tue, 03 Mar 2026 00:00:00 +0000https://pipelab.org/blog/dns-exfil-ai-agent/Most DLP tools scan HTTP bodies. Your secrets leak before that, in the DNS lookup. Here’s the attack, the proof, and why scan ordering matters.https://pipelab.org/blog/every-protocol-your-agent-speaks-scanned/Tue, 24 Feb 2026 00:00:00 +0000https://pipelab.org/blog/every-protocol-your-agent-speaks-scanned/AI agents talk over HTTP, MCP, and WebSocket. Each protocol has its own attack surface. Here’s what can go wrong on each one.https://pipelab.org/blog/your-agent-just-leaked-your-aws-keys/Sun, 22 Feb 2026 00:00:00 +0000https://pipelab.org/blog/your-agent-just-leaked-your-aws-keys/A prompt injection tells your coding agent to exfiltrate credentials via HTTP. No malware. Here’s the attack, the output, and the config that stops it.https://pipelab.org/blog/what-is-an-agent-firewall/Sat, 21 Feb 2026 00:00:00 +0000https://pipelab.org/blog/what-is-an-agent-firewall/An agent firewall sits between an AI agent and everything it talks to, scanning traffic in both directions. Here’s what it is, what it catches, and how it differs from older network security tools.https://pipelab.org/blog/eu-ai-act-runtime-security/Sat, 14 Feb 2026 00:00:00 +0000https://pipelab.org/blog/eu-ai-act-runtime-security/The EU AI Act’s high-risk requirements take effect August 2, 2026. The compliance standard won’t land until Q4. Here’s what to build now if you’re running AI agents.https://pipelab.org/blog/first-ai-agent-espionage-campaign/Fri, 13 Feb 2026 00:00:00 +0000https://pipelab.org/blog/first-ai-agent-espionage-campaign/Anthropic disclosed GTG-1002, the first AI agent espionage campaign. A state actor jailbroke Claude Code for autonomous hacking. What happened and which defenses work.https://pipelab.org/blog/pipelock-v02-roadmap/Wed, 11 Feb 2026 00:00:00 +0000https://pipelab.org/blog/pipelock-v02-roadmap/GitHub Actions, MCP input scanning, smart DLP, and what Pipelock Pro will look like.https://pipelab.org/blog/securing-claude-code-with-pipelock/Tue, 10 Feb 2026 00:00:00 +0000https://pipelab.org/blog/securing-claude-code-with-pipelock/Claude Code has shell access, API keys, and MCP servers feeding directly into its context window. Here’s what can go wrong and how to lock it down.https://pipelab.org/blog/leaky-clawhub-skills/Mon, 09 Feb 2026 00:00:00 +0000https://pipelab.org/blog/leaky-clawhub-skills/Snyk found 283 ClawHub skills leaking API keys through the LLM context window. Static scanning can’t catch runtime exfiltration. Here’s what can.https://pipelab.org/blog/lateral-movement-multi-agent-llm/Sun, 08 Feb 2026 00:00:00 +0000https://pipelab.org/blog/lateral-movement-multi-agent-llm/When one compromised agent can pivot to others through shared context, MCP servers, or tool delegation, a single injection compromises the entire mesh.