Skip to main content
Home/Blog/Agentjacking: The AI Attack Your Security Team Hasn't Planned For
Agentic AI

Agentjacking: The AI Attack Your Security Team Hasn't Planned For

A newly classified attack called 'agentjacking' is hitting AI-connected developer tools with an 85% success rate. Here's what it means for your business and what to do about it.

June 18, 2026·6 min read

Your developers are probably using AI coding assistants right now. GitHub Copilot, Cursor, Claude, Gemini — the tools are everywhere, and they're genuinely productive. But there's a new attack class targeting those tools that most security teams haven't caught up with yet. It's called agentjacking, and the numbers are alarming.

Researchers this week classified agentjacking as a technique where attackers inject malicious instructions into the error events that AI coding agents automatically retrieve and process. Here's how it works: many AI development tools connect to platforms like Sentry, a popular error-tracking service, to pull in context about bugs and crashes. Attackers have learned to plant hidden instructions in those error logs — instructions that the AI agent executes with developer-level privileges. The success rate? Roughly 85 percent across nearly 2,400 organizations tested.

Read that again. An attack vector your firewall can't see, exploiting the trust relationship between your AI tools and your data sources, with an 85 percent success rate.

This Is Prompt Injection at Enterprise Scale

Agentjacking is a real-world evolution of what security researchers call prompt injection — manipulating an AI system by embedding malicious instructions in content it's designed to read and act on. For the last two years, this was mostly a research curiosity. Now it's an operational attack hitting production environments.

The reason it works so effectively is architectural. AI agents are built to be helpful. They fetch context, process instructions, and take action — that's the whole point. When the data source they trust has been poisoned, they faithfully execute whatever they find. The agent doesn't know the difference between a legitimate instruction from a developer and a malicious one embedded in a Sentry error event. Trust is inherited, not verified.

And AI coding agents typically run with significant privileges. They need access to your codebase, your repositories, sometimes your deployment pipelines. That access is what makes them useful. It's also what makes agentjacking dangerous.

The Readiness Gap Is Stark

Here's what makes this particularly urgent: organizations are deploying AI agents far faster than they're securing them. Cisco's latest State of AI Security report found that 83 percent of organizations plan to deploy agentic AI into business functions — but only 29 percent feel prepared to secure those deployments. Separate research found that just 11 percent of production AI agents currently meet a baseline security standard.

That's not a small gap. That's an industry-wide exposure.

Microsoft's security team, after 12 months of red-team engagements against agentic AI systems, just released version 2.0 of their failure-mode taxonomy — adding seven new attack categories including tool abuse, excessive agency, supply-chain compromise, and what they call autonomy escalation, where an agent exceeds its intended scope of action. These aren't hypotheticals from a research lab. These are patterns they observed in real enterprise deployments.

Three Things Business Leaders Should Act On Now

You don't need to understand the technical mechanics to make smart decisions here. You need to ask the right questions and put the right controls in place.

First, build your AI agent inventory. You almost certainly have AI agents running in your environment already — in your development tools, your customer service platforms, your IT operations. Most organizations don't have a complete list. That list is now a security asset. You need to know what agents are running, what data sources they access, and what privileges they hold. Treat every agent as an attack surface that needs to be tracked.

Second, apply least-privilege to AI tools. The same principle that governs human access — users get only the access they need to do their job — applies to AI agents. An AI coding assistant doesn't need write access to your production infrastructure. An AI support bot doesn't need access to your financial systems. Scope those permissions down now, before an incident forces you to.

Third, treat the data your AI consumes as a trust boundary. Agentjacking works because AI agents blindly trust the data they retrieve. Your security architecture needs to account for this. Data sources that feed into AI agents — error logs, ticketing systems, knowledge bases, email — should be treated with the same scrutiny as any other privileged input. This is new territory for most security policies, but it needs to be addressed.

The Honest Assessment

I've spent 25 years watching the security industry react to new attack surfaces after the damage is done. Agentjacking follows a familiar pattern — a powerful new technology deployed at scale before anyone fully mapped the risks, and attackers who moved faster than defenders.

The difference this time is that the warning signs are unusually clear. We have real-world data showing how these attacks work, what the success rates look like, and which controls reduce risk. The research is ahead of the exploitation curve for once — but that window won't stay open long.

If your organization is deploying AI agents without a security framework built specifically for agentic architectures, now is the time to close that gap. Not next quarter. Now.

TrustPoint Cyber works with organizations to assess AI agent risk and build controls that match how these systems actually behave. If you're not sure where your exposure is, that's exactly where we start.

Get Protected

Ready to strengthen your security?

TrustPoint Cyber delivers Zero Trust architecture, incident response, managed security, and vCISO services — built for your business.