Blog
>
Your EDR can't see agent attacks

Your EDR can't see agent attacks

Agents are being weaponized and hijacked, and the orchestration that makes them dangerous is invisible to the telemetry your SOC runs on. The fix is discovery and runtime monitoring of the agent sessions.

Agent as a weapon: This month, Anthropic's threat intelligence team published a year-long study of how attackers use AI. Across 832 banned accounts, adversaries used Claude across all fourteen MITRE ATT&CK tactics, and the share at medium risk or higher jumped from 33% to 56% in under a year. What separated the most dangerous actors wasn't skill or technique count. It was orchestration: the scaffolding that let the model chain attack stages and act on its own. Their clearest case, an espionage campaign tracked as GTG-1002, wired Claude Code to penetration-testing tools as MCP servers and let it run. It exploited an SSRF flaw, harvested credentials, and moved laterally, with no operator in the loop.

Agent as a victim: The mirror image is just as dangerous. Your own agent gets hijacked, fed a malicious instruction it can't differentiate from a legitimate one. In May 2026, Microsoft found two flaws in its own agent framework, Semantic Kernel, that let a single injected prompt reach remote code execution on the host. A month earlier, three coding agents from Anthropic, Google, and GitHub leaked their own API keys to nothing but a malicious string in a pull-request title or comment, posted back through the platform's own API: no anomaly, no CVEs.

Hostile or hijacked, the danger is identical: an AI chaining decisions autonomously through tool calls faster than anyone's watching.

Prevention won't save you

Once an agent has tools, a successful injection is an action, and how far it goes depends on what the agent can reach. And not surprisingly, you can't fully prevent this behavior, because prompt injection isn't a bug you can patch. It's how the models work. In October 2025, fourteen researchers from OpenAI, Anthropic, and Google DeepMind ran adaptive attacks against twelve published defenses. All fell, with over 90% success for most and 100% success by human red-teamers. The reason is structural: a transformer reads everything as one stream of tokens (system prompt, user request, retrieved document, pull-request title), with nothing marking โ€œthis is data, do not obey it.โ€ This problem is similar to CPU instructions laid out in memory, where looking at the bytes alone makes it impossible to tell code from data. That's why hardware added the NX bit and operating systems built DEP on top of it, enforcing that data regions can't execute as code. Possibly, this might be the way model inputs would go in the long term. Until then, it's a problem staring security practitioners in the face.

Your operational controls don't solve this problem either. You should still keep them though. Least agency, scoped permissions, and input filtering all raise the cost. But apply the test Anthropic proposes: does a control make the attack impossible, or just tedious? An agentic attacker has unlimited patience and near-zero cost per attempt, and grinds through friction at scale. So plan for the run where the model is fooled. Detection and response becomes the load-bearing layer, if it can see the attack at all.

Why none of your telemetry sees it

It can't. Your telemetry still has no record of it. When one of your agents is steered into an action, walk the layers you run.

Process logs see a routine child process: a shell spawned, a command run, a clean exit. Agents do that constantly.

Network logs see traffic to an expected destination. When exfiltration rides the same service the agent legitimately uses, there's no rare domain, no beacon, no callback.

EDR has a chance only if the agent does something loud, such as spawning a shell or dropping a file in a startup folder. Even then, it records the action, not the instruction behind it. Quiet exfiltration through a sanctioned channel fires nothing.

Identity logs see the agent's own token doing what it's allowed to do. It's used in place, by its legitimate holder, for an illegitimate purpose.

Every layer answers the wrong question. They tell you what happened, never why, or what content shaped it. A SOC could run every scan in the catalog and, for the quiet attacks, find zero alerts for a critical compromise, because the event doesn't live where it's looking.

The agent session versus the telemetry layers it slips past.

The attack lives inside the session

It lives in the agent's run, across four moments, all internal: the untrusted content that entered the prompt, the reasoning that treated it as an instruction, the tool or MCP call that executed, and the action that caused harm. One at a time, every step is benign. The attack is visible only in the correlation: content in, the decision to act, the call, where it went. That chain is content and intent, not syscalls and packets, which is why your telemetry stack can't reconstruct it.

This isn't a hunch. The same answer is converging from every direction: an enterprise detection framework (ADR), Microsoft's guidance to correlate the model layer with the host layer, and Anthropic's own Zero Trust framework all call for reconstructing the full agent session, input to output. The gap is agreed. What's missing is making the view runnable.

The work ahead

You can't put a sensor on an adversary's box. But you can instrument the agents your own teams run, the ones in CI and production, wired to tools and secrets. Capture the session, not just the system events, and correlate the four moments: the attack invisible to your other logs becomes a single record you can alert on. The bar is simple: would you know within an hour if one of your agents went rogue?

That kind of record barely exists in the tooling most teams run. It's the problem we built Metano to solve. We make the agent run the unit of detection, reconstructing the session end to end so the causal chain behind every action is visible.

The session view is the work ahead, and we're building it.

Sources

If it can call a tool
,
it can be turned into one.