Hey 👋,
I've been building a cybersecurity AI agent locally — a 35B model running fully air-gapped on consumer hardware, no external API calls, no data leaving the machine. The hardest part isn't the model. It's the permission model. When you wire an agent to real tools — filesystem, shell, APIs — the first question that needs an answer is: who is allowed to call what, and how do you know it's who you think it is?
That question turns out to be the one MCP still hasn’t figured out. New research this week confirmed it.
THIS WEEK IN AI SECURITY
Most MCP servers trust every caller. New research documents exactly what that enables.
A large-scale analysis published on arXiv this week examined how MCP servers handle caller identity in production deployments. The finding: most don't. Requests are accepted and executed regardless of origin — no mutual TLS, no signed tokens, no per-caller access controls. Any process that can reach the server can invoke any tool it exposes.
A single misconfigured server is bad enough. The real problem is how this propagates in multi-agent systems.
When agents chain calls across multiple MCP servers, a compromised agent in the chain can impersonate any other agent downstream. The blast radius of a prompt injection or credential theft isn't bounded by the compromised agent's own permissions — it's bounded by whatever the farthest MCP server in the chain will execute for any request that arrives looking legitimate.
FortiClient EMS zero-day — CVE-2026-35616, exploited in the wild now
A critical vulnerability in Fortinet's Endpoint Management Server is in the wild. Fortinet issued emergency hotfixes.
FortiClient EMS matters here because endpoint management servers sit at the center of managed infrastructure — compromise gives an attacker admin-equivalent access across enrolled endpoints. That's the same network position your agent services, MCP backends, and orchestration layers run on. A compromised EMS gives an attacker a direct, credentialed path to everything the agents can reach. Patch the EMS first. Then check what agent APIs are reachable from that network position.
OWASP LLM AI Governance Checklist: the fastest triage tool available right now
OWASP published a practical governance checklist for LLM and agentic deployments, mapped directly to the failure patterns seen in Q1 2026 incidents. It covers four controls that address the majority of the documented attack surface: scoped API keys, per-agent identity, revocation paths, and audit trails.
It's an audit instrument you can run against your deployment in under an hour.
If you're trying to prioritize hardening work and don't know where to start, run this checklist against your current deployment. Most teams will find gaps in under an hour.
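To make the caller-identity gap and the checklist's four controls concrete, here is an added example (my own illustration, not code from the newsletter, the arXiv paper, OWASP, or any MCP SDK): a fail-closed dispatch gate for an MCP-style tool server that requires a signed per-agent token naming the tools that agent may call, checks expiry and a revocation list, and writes an audit record for every decision. It assumes an HMAC over a shared server key as a stand-in for the signed tokens or mutual TLS the research calls for; agent names, the tool stubs and the revoked id are constructed.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key"  # shared issuer/server secret (constructed)
REVOKED = {"agent-planner-v1"}        # revocation list (constructed agent id)
AUDIT = []                            # append-only audit trail of every decision

# Tool handlers the server exposes; stubs stand in for real filesystem/shell access
TOOLS = {
    "read_file": lambda args: f"<contents of {args['path']}>",
    "run_shell": lambda args: f"<output of {args['cmd']}>",
}

def issue_token(agent_id, tools, ttl=300):
    """Mint a per-agent token naming only the tools that agent may call."""
    claims = {"agent": agent_id, "tools": sorted(tools), "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token, now=None):
    """Return the claims if signature, expiry and revocation all pass, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # forged, spliced or tampered token
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if now >= claims["exp"] or claims["agent"] in REVOKED:
        return None
    return claims

def dispatch(request):
    """Gate one tool call: identity first, then scope; fail closed otherwise."""
    claims = verify_token(request.get("token", ""))
    tool = request.get("tool")
    agent = claims["agent"] if claims else "<unauthenticated>"
    if claims is None:
        verdict = "denied:identity"
    elif tool not in claims["tools"] or tool not in TOOLS:
        verdict = "denied:scope"          # valid agent, but not allowed this tool
    else:
        verdict = "allowed"
    AUDIT.append({"agent": agent, "tool": tool, "verdict": verdict})
    if verdict != "allowed":
        return {"error": verdict}
    return {"result": TOOLS[tool](request.get("args", {}))}
```

A downstream agent holding only a `read_file` token cannot be used to reach `run_shell`, and a revoked agent's still-valid-looking token is refused outright, which is the bound on blast radius the chain-of-servers scenario above lacks.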
TOOLING WORTH KNOWING
Sentinely — runtime security gate for AI agents. Scores each action against a behavioral model before execution and fails closed. I’ve seen it catch prompt injection in staging within minutes. Designed to deploy in staging without requiring harness rewrites. Right tool if you need runtime visibility now and can't wait for protocol-level fixes. sentinely.ai →
MCPSec — open-source static scanner for MCP configurations. Flags missing authentication, unscoped API keys, and tool handlers that accept filesystem paths or raw SQL. Run it against every MCP config you own. The caller identity research published this week shows exactly what an unscanned config enables. github →
ONE THING TO CHECK THIS WEEK
Run MCPSec against every MCP configuration in your environment — local development, CI pipelines, and any cloud-hosted endpoints. Specifically: missing caller authentication, tool handlers that accept filesystem paths, unscoped keys attached to agent identities. The arXiv paper published this week documents what those gaps enable in a multi-agent chain. This is not a "schedule for next sprint" finding — it's a lateral movement path that exists right now in most MCP deployments.
WHAT I'M WATCHING
→ Anthropic and the MCP SDK fix — a protocol-level change (manifest-only execution, command allowlists) still hasn't shipped. The design decision stands. Whether community pressure moves it is the open question.
→ The behavioral baseline gap — authenticated sources account for 99% of attack attempts against agent environments (Salt Security, 1H 2026). No vendor ships a behavioral baseline. Detection is the missing layer. Someone will build it.
→ Agent governance standards — Open Agent Passport and pre-action authorization specs are gaining traction. Enterprise AI deployments will eventually require per-agent identity and revocation. Worth tracking before it becomes a compliance requirement.
→ The cybersecurity agent build — next issue: the Executor permission model, what the memory architecture looks like with real filesystem access, and the first results from running a local 35B model as the agent backbone.
Questions, pushback, something I missed — reply directly, I read everything.
Cheers,
