Living-Off-the-Agent: An Attackers' New Best Friend

Early in my incident response career, when I investigated hacks, the malicious activity stood out like a tourist in Times Square. Attackers used custom malware. They placed their tools in the most obvious locations. Their file names screamed, “I don’t belong here.” They weren’t going for style or subtlety. And yet it worked, at least for a while. Defenders eventually caught up.

Then attackers evolved.

They figured out they didn't need custom malware to move through an environment. The operating system already had everything they needed: built-in utilities, scripting engines, and remote management tools. Why bring your own gear when the victim's environment comes fully stocked?

This technique became known as living-off-the-land. Suddenly, that tourist became a local. The attacker’s activity started to blend in with legitimate user activity. Same tools. Same commands. Same account. Trying to tell the two apart became harder than finding the perfect ripeness of an avocado.

That’s why I always told companies, “The easier it is for your employee to do their job, the easier it is for an attacker to do theirs.” That’s not to say you should make employees’ jobs harder. Quite the opposite. It’s more to highlight that attackers use an employee’s access to accomplish their own goals.

The user's agent is about to become the most valuable target in the environment. Think about it from an attacker's perspective. If they compromise a user's credentials today, they still have to do a lot of manual work. Find the data, navigate systems, and move carefully enough to fly under the radar. It takes time, and time creates exposure.

But if that user's agent is already connected to everything, has context about the business, and is authorized to act on the user's behalf without friction?

An attacker doesn’t need to learn the environment. They just need to talk to the agent.

Here’s the next challenge that security teams are about to face. Every day, the finance team asks its agent to pull financial data. An attacker compromises a finance employee’s credentials and gets access to their agent. The attacker then asks for financial data.

How do you tell them apart?

Most security teams don't yet have an answer. Because right now, all of this can happen without anyone noticing, because no one is watching yet.

That's not a policy gap. That's a visibility gap.

When you want to find bad activity, you have to start with visibility. Here's what I've learned from doing incident response and later from sitting in the CISO chair: you cannot respond to what you cannot see. That sounds obvious. But most organizations deploying agents right now are sitting in the dark.

They don't know what their agents are doing. What data are they accessing? What MCPs are connected? What Skills are loaded? When all you can do is shrug, that’s a really uncomfortable spot to be.

The organizations that get ahead of it are the ones building visibility now. Here's what that actually looks like.

1. Inventory everything. You can’t protect what you don't know exists. That means understanding every agent deployed in your environment, the tools and skills they have loaded, the MCP servers they're connected to, and the data they can access. This isn't a one-time audit. Agents change. New skills get added. Configurations drift. You need continuous inventory, not a spreadsheet from last quarter.

2. Threat model before runtime. Once you know what you have, you need to understand the blast radius if any of it gets compromised, because it will. What's the worst-case scenario if an attacker gets access to that agent? What data could they reach? What actions could they take? Proactive threat modeling: scanning skills and MCPs for risks before they ever load into an agent. That’s how you catch problems before they become incidents.

3. Monitor every prompt, every tool call, every action. This is the part most organizations are missing entirely. Agents are running, executing tasks, touching sensitive data, and nobody's watching. You need session-level visibility: what was the user prompt? What did the agent do in response? What tools did it call? What did it read or write?

And critically, you need to be able to distinguish between user-initiated actions and agent-initiated actions. That distinction is exactly what separates a legitimate request from an attacker using a compromised agent to do their dirty work.

4. Build detection logic for agent behavior. Rules that fire on a single prompt aren't enough. Living-off-the-agent attacks will appear normal in isolation. You need behavioral baselines, session-level correlation, and the ability to detect patterns that only become suspicious when viewed together. What's the normal behavior for this user's agent? Is this request consistent with their role? Does this sequence of tool calls make sense in context? This is the new detection path required in the agentic age.

5. Be ready to respond. Detection without response is just a very expensive log. When something fires, you need to block it before the agent acts. Quarantine the session. Preserve the audit trail. Provide investigators with the full timeline, including prompts, responses, tool calls, and actions.

History doesn't repeat, but it does rhyme. The organizations that got ahead of living-off-the-land were the ones that started watching before it became a problem. The ones that didn't scrambled through the response efforts, trying to understand what hit them.

Don't be the ones scrambling.