Agentic Threat: A New Security Playbook
Jason Rebholz

Are agents shifting how we need to secure the modern organization? Like any pompous answer, it’s complicated.
Cybersecurity is universal in its best practices, yet deeply personal to every company. Like a choose-your-own-adventure book, we’re all reading the same book of attacks and risks, but each of us is on our own path and at a different chapter.
The chapters of this book have gone through several iterations in the past:
Secure the Perimeter: The first cyber battles happened at every company’s front door. Attackers targeted (and still target) vulnerabilities in external-facing services such as web servers and VPNs, alongside tried-and-true phishing emails. As in a medieval siege, attackers flocked to the organization’s walls and probed for weaknesses in its defenses. Organizations naturally invested in a nice, thick, crusty exterior of firewalls and email security gateways.
Meet Compliance Requirements: We’ll skip the accurate but tired observation that compliance doesn’t equal security; still, a large chapter of the security book is dedicated to compliance, much of it security theater. It set the bar for organizations at different levels. Some frameworks, like PCI DSS, drove tangible outcomes in securing systems. Others, which won’t be named, had good intentions but largely mandated outdated controls that failed to keep pace with the threats.
Secure the Endpoint: As attackers found their way past the exterior walls (and the compliance requirements), they entered the maze of the internal network, moving from system to system to own its soft, gooey interior as they searched for data to steal or systems to encrypt. Along the way, they dropped backdoors to maintain persistence. This exposed how little signature-based antivirus could do against an attacker’s hands-on activity inside a system. Here we saw the rise of EDR and SIEM.
Secure the Identity: As SaaS and cloud took off, access to the crown jewels shifted from the internal network to a sprawl of online services. A user’s login became the new gate to company data. MFA became the de facto standard as the phrase “hackers don’t hack in, they log in” took hold. Least privilege took off as a concept, while implementation lagged because it is hard to do at scale.
The common theme across these chapters is defending against an external threat: the proverbial “hacker in a hoodie” in front of a wall of screens scrolling green text on a black background.
For some very mature organizations, especially those in regulated industries, the security book added another chapter:
Secure Against Insider Threats: Often treated as a luxury line item after every other defense is in place, this chapter focuses on catching insiders engaged in nefarious activity, from a CrowdStrike employee sending data to hackers to an IT admin holding an entire city’s network hostage.
The next chapter in the security book is AI Agents. And, shocker, like AI models themselves, instead of producing something completely original it takes components of every chapter before it and calls them its own. How AI of it.
With agents, the risk shifts from external bad actors to trusted agents doing harm. This chapter reads much more like insider threat than external attack (just ask me how I feel about prompt injection and how overblown that risk is). Here are two scenarios to plan for:
Rogue Agents: Agents make mistakes, including major mistakes that cause production outages. Like eager interns with more permission than they should have, agents take the initiative without the knowledge to execute safely. They take misinformed risks that cause real damage. It’s a trusted entity acting outside its intended scope.
Insider Threats: Employees are supercharged with agents. They can now automate nearly any task and search through more data than ever. One disgruntled employee now has the power of agents at their fingertips.
No company is ready for this chapter. Most companies don’t have an insider threat program. Why would they? For most, it was an edge case they could deal with when it came up. Larger companies with insider risk programs fare little better: their agents operate without oversight, because existing tool stacks weren’t built for agents and can’t see into the substrates agents operate in.
Agents have redrawn the digital risk map. Just as the perimeter shifted from crusty exteriors to strong credentials when SaaS and cloud emerged, we’re seeing another shift, one that cuts across every previous chapter. Agents operate on your endpoints, your servers, and in the cloud. The identities tied to those edges are disjointed, with almost no centralized control, and the problem grows as companies attach more and more applications and data to agents.
Every organization we work with connects its agents to nearly every application its employees use, because that is where the value is. An agent that isn’t connected to your resources is like an F1 car on a city street: great to talk about, but you’re not getting its full power.
The future of work is employees working through agents, the next operating system of business.
Here’s your outline for the security chapter on securing agents.
Visibility: It always starts with visibility. Inventory the agents operating in your environment and what they are doing.
Threat Analysis: Map the blast radius of each agent. Understand what it is connected to and what it can do with that access. Identify over-permissioned agents before they cause an accident.
Monitor: Agents call for a different kind of monitoring, given how they operate. You’re not looking for a CVE or a file hash. You need a mix of known-bad signatures (e.g., accessing restricted files or tools), behavioral drift (e.g., this agent is doing something it usually doesn’t), goal drift (e.g., this agent is deviating from its assigned task), and action risk (e.g., does this action endanger the system or data it touches).
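As an added example (not from the original post, and not any product’s detection logic), here is a toy Python monitor that applies those four signal types to a constructed log of agent tool calls. Every agent, task, tool, and resource name, the allowlist, the baseline, the task scope, and the risk tiers are made up for illustration; in a real deployment the baseline would be learned from observed calls and the scope would come from the agent’s assigned task.

```python
"""Toy monitor for agent tool calls: the four signal types from the outline, run over constructed logs."""
import json

# ---- Constructed policy and baseline data (hypothetical names; not any product's format) ----
RESTRICTED_PREFIXES = ("/srv/hr/", "/etc/", "secrets.")      # signature: resources off-limits to any agent
ALLOWED_TOOLS = {"billing-bot": {"db.query", "fs.read", "http.get", "http.post"}}  # signature: per-agent tool allowlist
BASELINE_TOOLS = {"billing-bot": {"db.query", "http.get"}}   # behavioral drift: tools seen in a learning window
TASK_SCOPE = {"reconcile March invoices": ("finance.", "https://chat.internal.example/")}  # goal drift: what the task may touch
TOOL_RISK = {"db.query": 1, "fs.read": 1, "http.get": 1, "http.post": 2, "shell.exec": 3, "db.execute": 3}
DESTRUCTIVE = ("rm -rf", "drop table", "delete from", "truncate")  # action risk: irreversible operations
ALERT_RISK = 3   # action-risk alerts fire at this level or above

# Constructed sample log, one JSON object per tool call (made up for this example).
SAMPLE_LOG = """\
{"ts": 1, "agent": "billing-bot", "task": "reconcile March invoices", "tool": "db.query", "target": "finance.invoices"}
{"ts": 2, "agent": "billing-bot", "task": "reconcile March invoices", "tool": "db.query", "target": "finance.invoices"}
{"ts": 3, "agent": "billing-bot", "task": "reconcile March invoices", "tool": "fs.read", "target": "/srv/hr/payroll.csv"}
{"ts": 4, "agent": "billing-bot", "task": "reconcile March invoices", "tool": "shell.exec", "target": "rm -rf /var/lib/app"}
{"ts": 5, "agent": "billing-bot", "task": "reconcile March invoices", "tool": "http.post", "target": "https://chat.internal.example/api/post"}
"""


def evaluate(event):
    """Score one tool call. Returns (signals, risk); signals is a list of (type, detail) pairs."""
    agent, task = event["agent"], event["task"]
    tool, target = event["tool"], event["target"]
    signals = []

    # 1. Known-bad signatures: a tool outside the agent's allowlist, or a restricted resource.
    if tool not in ALLOWED_TOOLS.get(agent, set()):
        signals.append(("signature", f"tool {tool} is not allowlisted for {agent}"))
    if target.startswith(RESTRICTED_PREFIXES):
        signals.append(("signature", f"restricted resource {target}"))

    # 2. Behavioral drift: a tool this agent never used during the baseline window.
    if tool not in BASELINE_TOOLS.get(agent, set()):
        signals.append(("behavioral_drift", f"{agent} has no baseline for {tool}"))

    # 3. Goal drift: the call touches something outside the declared task's scope.
    scope = TASK_SCOPE.get(task)
    if scope is not None and not target.startswith(scope):
        signals.append(("goal_drift", f"{target} is outside the scope of task '{task}'"))

    # 4. Action risk: rated by tool, escalated when the arguments look irreversible.
    risk = TOOL_RISK.get(tool, 2)   # unknown tools default to medium
    if any(pattern in target.lower() for pattern in DESTRUCTIVE):
        risk = 4
    if risk >= ALERT_RISK:
        signals.append(("action_risk", f"risk {risk} for {tool} {target!r}"))
    return signals, risk


def scan(log_text):
    """Run evaluate() over every line of a JSON-lines log; returns one result dict per call."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        signals, risk = evaluate(event)
        results.append({"ts": event["ts"], "agent": event["agent"], "tool": event["tool"],
                        "signals": signals, "risk": risk})
    return results


def blast_radius(results):
    """Per-agent triage summary: highest risk seen and which signal types fired."""
    summary = {}
    for r in results:
        entry = summary.setdefault(r["agent"], {"max_risk": 0, "signal_types": set()})
        entry["max_risk"] = max(entry["max_risk"], r["risk"])
        entry["signal_types"].update(kind for kind, _ in r["signals"])
    return summary


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for r in results:
        flag = "ALERT" if r["signals"] else "ok   "
        print(f"{flag} ts={r['ts']} {r['tool']:<10} risk={r['risk']} {[d for _, d in r['signals']]}")
    print(blast_radius(results))
```

In the constructed log the two invoice queries are clean, the payroll read trips a restricted-path signature plus behavioral and goal drift, the shell command trips all four signals with risk escalated to 4 by the destructive pattern, and the chat post is only behavioral drift because the task scope explicitly permits that endpoint. Overlapping signals on one call are the point: the more of them fire together, the less likely the call is an innocent one-off.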
I believe your next incident will involve an agent. And as someone who spent over a decade responding to incidents, I found it was never a comfortable position to be in when I didn’t have visibility into what happened and was left guessing how the end result came to be.
If you feel the same way, let’s chat about how you can get visibility into agents in your environment.