al-ice.ai

Sysdig: Runtime Security Is the Missing Layer in Agentic AI Tooling

Security by al-ice.ai Editorial

AI relevance: agentic AI tooling (MCP, skills, SDKs, managed platforms, orchestration layers) spans five infrastructure layers, each with distinct attack vectors that traditional runtime security baselines cannot detect because agent behavior is inherently non-deterministic.

Key findings

  • MCP tool poisoning. MCP tool descriptions are free-text fields read by the LLM to decide how to use a tool. A malicious MCP server can embed adversarial instructions in those descriptions — invisible to the human user, silently processed by the model. Descriptions are fetched dynamically, meaning they can change after the user approves a tool. A cross-server variant, tool shadowing, injects descriptions that modify agent behavior toward trusted tools on other connected servers.
  • Indirect prompt injection via tool responses. When an agent calls a legitimate tool (browser, file reader, database query), the returned content can carry hidden adversarial instructions. Tool outputs and system instructions share the same context window, turning prompt injection from an information leak into an action execution vulnerability.
  • EchoLeak (CVE-2025-32711). Aim Security's June 2025 disclosure demonstrated exactly this pattern: a crafted email injected instructions into Microsoft 365 Copilot, which exfiltrated sensitive data via markdown rendering to an attacker-controlled server, bypassing Content Security Policy through a Microsoft-approved domain.
  • Credential theft via coding agents. AI coding agents in CI/CD pipelines routinely have shell access and run with CI system credentials. A demonstrated attack used a prompt injection in a support ticket to cause a Cursor agent (running with Supabase service_role privileges) to read private tables and exfiltrate integration tokens back through the same channel.
  • Traditional baselines fail for agents. Container security relies on deterministic profiling — a web server always calls the same syscalls. AI agents break this model: the same agent given the same task takes different action sequences each run due to temperature randomness and unbounded prompt variability. The decision-making lives in model weights and a context window that security tools cannot inspect.
  • MITRE ATLAS extension.** MITRE ATLAS, extended through a 2025 collaboration with Zenity Labs, now catalogs agent-specific techniques AML.T0080 through AML.T0086, mapping each ecosystem layer to detection strategies including tool-call auditing, runtime syscall monitoring inside sandboxes, and agent memory store auditing.

Why it matters

As organizations deploy coding agents, MCP-connected toolchains, and multi-agent orchestration, the gap between what agents can do and what security tooling can observe is widening. Traditional EDR and network monitoring assume deterministic behavior; agents are non-deterministic by design. The Sysdig analysis provides a concrete threat model linking each infrastructure layer to specific MITRE ATLAS techniques and detection approaches.

What to do

  • Audit MCP tool descriptions at registration; monitor for sensitive file reads unrelated to the agent's task.
  • Implement tool-call auditing at the SDK layer with input/output sanitization.
  • Deploy runtime syscall monitoring inside agent sandboxes with capability-scoped containers.
  • Monitor agent-to-agent credential passing and enforce delegation scope limits in orchestration layers.
  • Version-control skills and detect runtime modification of skill files.

Sources