As AI agents transition from experimental systems to production-scale applications, their growing autonomy introduces novel security challenges. In a comprehensive new report, “AI Agents Are Here. So Are the Threats,” Palo Alto Networks’ Unit 42 reveals how today’s agentic architectures—despite their innovation—are vulnerable to a wide range of attacks, most of which stem not from the frameworks themselves, but from the way agents are designed, deployed, and connected to external tools.
To evaluate the breadth of these risks, Unit 42 researchers constructed two functionally identical AI agents—one built using CrewAI and the other with AutoGen. Despite architectural differences, both systems exhibited the same vulnerabilities, confirming that the underlying issues are not framework-specific. Instead, the threats arise from misconfigurations, insecure prompt design, and insufficiently hardened tool integrations—issues that transcend implementation choices.
Understanding the Threat Landscape
The report outlines ten core threats that expose AI agents to data leakage, tool exploitation, remote code execution, and more:
- Prompt Injection and Overly Broad Prompts
Prompt injection remains a potent vector, enabling attackers to manipulate agent behavior, override instructions, and misuse integrated tools. Even without classic injection syntax, loosely defined prompts are prone to exploitation. - Framework-Agnostic Risk Surfaces
The majority of vulnerabilities originate not in the frameworks (e.g., CrewAI or AutoGen), but in application-layer design: insecure role delegation, improper tool access policies, and ambiguous prompt scoping. - Unsafe Tool Integrations
Many agentic applications integrate tools (e.g., code execution modules, SQL clients, web scrapers) with minimal access control. These integrations, when not properly sanitized, dramatically expand the agent’s attack surface. - Credential Exposure
Agents can inadvertently expose service credentials, tokens, or API keys—allowing attackers to escalate privileges or impersonate agents across environments. - Unrestricted Code Execution
Code interpreters within agents, if not sandboxed, permit execution of arbitrary payloads. Attackers can use these to access file systems, networks, or metadata services—frequently bypassing traditional security layers. - Lack of Layered Defense
Single-point mitigations are insufficient. A robust security posture demands defense-in-depth strategies that combine prompt hardening, runtime monitoring, input validation, and container-level isolation. - Prompt Hardening
Agents must be configured with strict role definitions, rejecting requests that fall outside predefined scopes. This reduces the likelihood of successful goal manipulation or instruction disclosure. - Runtime Content Filtering
Real-time input and output inspection—such as filtering prompts for known attack patterns—is critical for detecting and mitigating dynamic threats as they emerge. - Tool Input Sanitization
Structured input validation—checking formats, enforcing types, and limiting values—is essential to prevent SQL injections, malformed payloads, or cross-agent misuse. - Code Executor Sandboxing
Execution environments must restrict network access, drop unnecessary system capabilities, and isolate temporary storage to reduce the impact of potential breaches.
Simulated Attacks and Practical Implications
To illustrate these risks, Unit 42 deployed a multi-agent investment assistant and simulated nine attack scenarios. These included:
- Extracting Agent Instructions and Tool Schemas
By leveraging prompt engineering, attackers could enumerate all internal agents, retrieve their task definitions, and understand tool APIs—facilitating downstream attacks. - Credential Theft via Metadata Services
Using malicious Python scripts injected into code interpreters, attackers accessed GCP metadata endpoints and exfiltrated service account tokens. - SQL Injection and BOLA Exploits
Agents relying on unvalidated input for database queries were susceptible to both SQL injection and broken object-level authorization (BOLA), allowing attackers to read arbitrary user data. - Indirect Prompt Injection
Malicious websites embedded instructions that caused agents to send user conversation histories to attacker-controlled domains, highlighting risks tied to autonomous browsing or reading tools.
Each of these scenarios exploited common design oversights, not novel zero-days. This underscores the urgent need for standardized threat modeling and secure agent development practices.
Defense Strategies: Moving Beyond Patchwork Fixes
The report emphasizes that mitigating these threats requires holistic controls:
- Prompt hardening should limit instruction leakage, restrict tool access, and enforce task boundaries.
- Content filtering must be applied both pre- and post-inference, detecting anomalous patterns in agent interactions.
- Tool integrations should be rigorously tested using static (SAST), dynamic (DAST), and dependency (SCA) analysis.
- Code execution environments must employ strict sandboxing, including network egress filtering, syscall restrictions, and memory capping.
Palo Alto Networks recommends its AI Runtime Security and AI Access Security platforms as part of a layered defense approach. These solutions provide visibility into agent behaviors, monitor for misuse of third-party generative AI tools, and enforce enterprise-level policies on agent interactions.
Conclusion
The rise of AI agents marks a significant evolution in autonomous systems. But as Unit 42’s findings reveal, their security must not be an afterthought. Agentic applications extend the vulnerability surface of LLMs by integrating external tools, enabling self-modification, and introducing complex communication patterns—any of which can be exploited without sufficient safeguards.
Securing these systems demands more than robust frameworks—it requires deliberate design choices, continuous monitoring, and layered defenses. As enterprises begin to adopt AI agents at scale, now is the time to establish security-first development practices that evolve alongside the intelligence they’re building.
Check out the Full Guide. Also, don’t forget to follow us on Twitter and join our Telegram Channel and LinkedIn Group. Don’t Forget to join our 90k+ ML SubReddit.
Asif Razzaq is the CEO of Marktechpost Media Inc.. As a visionary entrepreneur and engineer, Asif is committed to harnessing the potential of Artificial Intelligence for social good. His most recent endeavor is the launch of an Artificial Intelligence Media Platform, Marktechpost, which stands out for its in-depth coverage of machine learning and deep learning news that is both technically sound and easily understandable by a wide audience. The platform boasts of over 2 million monthly views, illustrating its popularity among audiences.
