Hey {{first name | there}},

The more capable an agent gets, the more useful it becomes, and the more interesting a target it becomes.

The thing that makes agents useful is the same thing that makes them dangerous.

You give them an objective, they break it down into steps, execute those steps, and report back. As capabilities improve, the sequences become longer and more complex. Much of the work involved in building agent systems today revolves around structuring those workflows effectively.

The problem is that this same property also creates a security challenge.

The attack pattern that concerns me most is not brute force but decomposition. A clearly malicious request is often easy to identify and reject. A sequence of requests that each appears legitimate is much harder to reason about. The agent evaluates one step at a time and responds to the instruction in front of it. Understanding the intent behind the entire sequence is a much harder problem.

Researchers have repeatedly shown that agents can be influenced through the information they consume, whether from documents, web pages, emails, or connected tools. The technique is called prompt injection, and it works precisely because agents are designed to treat their inputs as instructions.

The properties being exploited here come directly from what makes agents useful, since the ability to follow instructions and execute multi-step tasks independently is exactly what allows them to complete complex work without supervision.

An agent that has to question every instruction or pause for approval at each step would lose much of that usefulness in practice.

Traditional security models do not map neatly onto this environment. Most systems establish trust at a clear entry point through authentication, validation, and access controls. Agent systems often process untrusted content as part of their normal operation.

For teams deploying agents in production, a few questions are worth answering:

Agents are becoming an increasingly important part of modern software systems, which means they need to be treated like infrastructure.

The threat model for an agent that reads external content and writes to internal systems is fundamentally different from the threat model for a read-only API.

Most security teams already know how to protect systems from direct access. The harder challenge is protecting systems that can be influenced indirectly through the information they consume. As agents become more capable and more connected, that distinction will matter a lot more than it does today.

This is a problem I don't think the industry has a clean answer to yet. If you're dealing with it or have found an approach that's actually worked, feel free to reply to this email. I'd genuinely love to hear how you're handling it.

Divine also asked me to pass along that if this was useful, sharing this link with a colleague who'd find it valuable would mean a lot.

Claude.ai is one thing. Agentic workflows, MCP connections, ungoverned skills taking actions across your data? That's a different conversation — and most security teams aren't equipped for it.

Harmonic Security gives your CISO the visibility and controls to say yes confidently.

Share this Claude guide with security.

Help Security Say Yes