
Adopt Agentic AI in Software Development FAST! (Spoiler: You Probably Shouldn't.)

Pieter Danhieux
Published Nov 21, 2025
Last updated on Mar 12, 2026

Do you ever get the feeling as a cybersecurity professional that right now, everyone is entering hyperdrive on agentic AI, when maybe it’s time to go slow and reflect? Well, what many of us have been seeing in our AI security crystal balls is now suddenly reality. 

On Friday, the 14th of November, Anthropic (one of the world's most well-known LLM vendors, thanks to its popular Claude Code tool) released a groundbreaking paper on a cyber incident it observed in September 2025 that targeted everyone from large tech companies, financial institutions and chemical manufacturers to government agencies.

So, what’s all the fuss about, and what makes this so concerning? In layman's terms, a highly advanced threat actor (allegedly a nation-state) used Claude Code and a range of tools in the developer environment, leveraging Model Context Protocol (MCP) systems, to drive benign open-source hacking tools against carefully selected companies almost autonomously and at scale. There were over 30 attempted attacks; several were successful, proving that AI agents can indeed execute devastating breaches with very little human intervention.

Last month, GlassWorm, the first self-propagating worm targeting VS Code extensions, was identified by Koi Security. While malicious extensions are not a new attack vector, there is a new wave of coding extensions (including MCP servers) that at first glance offer benign functionality but under the hood host a range of malicious activities that can compromise a developer’s endpoint quickly.

Maybe it’s time we slowed down, took a deep breath, and put our heads together to work out how best to defend against this new threat profile.

Securing systems against high-velocity AI agents

The recent paper by Anthropic highlights a potent new threat, one that confirms the long-held fears of many in the security community, by showing how AI can dramatically accelerate and amplify distributed risk. This development gives malicious actors further advantage, which is maddening considering the head start they already have over burnt-out, stretched security personnel managing the tech sprawl in the average enterprise.

In essence, state-sponsored attackers managed to "jailbreak" the Claude Code model: they tricked the AI into circumventing its sophisticated security protocols to execute hostile operations. Once compromised, the rogue AI agent, using its MCP access, rapidly infiltrated various corporate systems and tools and located highly sensitive databases within the target organizations in a timeframe that would be impossible for even the most advanced human hacking collectives.

This breach unleashed a terrifying cascade of actions: comprehensive vulnerability testing, the automated generation of malicious code, and even the self-documentation of the attack, complete with system scan logs and the Personally Identifiable Information (PII) it successfully nabbed.

For security veterans, this is a genuine nightmare scenario. How can human teams possibly match the sheer speed and destructive capability of an attack vector powered by this kind of AI?

A developer’s endpoint and this new AI ecosystem offer new attack vectors

Every developer prefers their own IDE, whether it's the classic VS Code, JetBrains’ IntelliJ or Eclipse, or the newer Cline, Windsurf or Cursor, and most of these have app marketplaces offering extensions to download and install. These extensions are rarely scrutinized for malicious activity, typically ship over-permissioned, and even where they run in a sandboxed environment they can still access files.

These environments are now all integrating AI capabilities, AI agents and a range of new tools these agents can use (MCP servers, for example). Often, these are all published through marketplaces where any developer can release their new tools. And yes, you guessed it, these MCP servers can often read, write and execute commands on a system, all through an AI environment that is most likely vulnerable to prompt injection. What could possibly go wrong?
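As an added example (not code from this post or from Secure Code Warrior), the check below inventories the MCP servers declared in a workspace's mcp.json and flags the configurations that turn a developer endpoint into the soft target described above: servers launched through a shell, unpinned packages fetched at start-up, plaintext transports, root or home-directory grants, and hard-coded secrets. It assumes VS Code's `servers` and Cursor/Claude Desktop's `mcpServers` key layouts, and every sample value is constructed.

```python
"""Audit the MCP server definitions checked into a developer workspace.

Added example for this post, not Secure Code Warrior code. It assumes the JSON
layout used by VS Code (.vscode/mcp.json, top-level "servers") and by Cursor or
Claude Desktop (mcp.json, top-level "mcpServers"); adjust the keys for other IDEs.
"""
import os
from dataclasses import dataclass

# Launchers that run arbitrary commands the moment the IDE starts the server.
SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
# Package runners that download and execute a package on first use.
REMOTE_RUNNERS = {"npx", "uvx", "pipx", "bunx"}
SECRET_HINTS = ("TOKEN", "SECRET", "PASSWORD", "API_KEY", "APIKEY")

@dataclass
class Finding:
    server: str
    severity: str  # "high" or "medium"
    reason: str

def _servers(config: dict) -> dict:
    return config.get("servers") or config.get("mcpServers") or {}

def _is_pinned(package: str) -> bool:
    # npm style name@1.2.3 (scoped names start with "@"); uvx/pipx style name==1.2.3
    return "@" in package.lstrip("@") or "==" in package

def _broad_path(arg: str) -> bool:
    # Heuristic: "/" or a top-level or home directory (/Users/dev, C:\) is far
    # wider than the single workspace an agent should be confined to.
    if not (arg.startswith("/") or (len(arg) > 1 and arg[1] == ":")):
        return False
    parts = [p for p in arg.replace("\\", "/").split("/") if p and not p.endswith(":")]
    return len(parts) <= 2

def audit_mcp_config(config: dict) -> list:
    findings = []
    for name, spec in _servers(config).items():
        command = str(spec.get("command", ""))
        args = [str(a) for a in spec.get("args", [])]
        url = str(spec.get("url", ""))
        launcher = os.path.basename(command).lower()
        if launcher in SHELLS:
            findings.append(Finding(name, "high",
                f"started via shell {command!r}: arbitrary commands run at IDE start-up"))
        if launcher in REMOTE_RUNNERS:
            package = next((a for a in args if not a.startswith("-")), "")
            if not _is_pinned(package):
                findings.append(Finding(name, "high",
                    f"{launcher} runs unpinned package {package!r}: the next upstream release executes unreviewed"))
            if "-y" in args or "--yes" in args:
                findings.append(Finding(name, "medium", f"{launcher} -y installs without any prompt"))
        if url.startswith("http://"):
            findings.append(Finding(name, "high",
                f"remote server over plaintext HTTP {url!r}: tool results can be tampered with in transit"))
        for arg in args:
            if _broad_path(arg):
                findings.append(Finding(name, "high", f"granted path {arg!r}: far wider than the project workspace"))
        for key, value in (spec.get("env") or {}).items():
            if any(h in key.upper() for h in SECRET_HINTS) and str(value) and not str(value).startswith("${"):
                findings.append(Finding(name, "medium",
                    f"secret-looking literal in env var {key}: use an IDE input or keychain reference instead"))
    return findings

def worst_severity(findings: list) -> dict:
    """Map each flagged server to its most severe finding."""
    rank = {"medium": 1, "high": 2}
    worst = {}
    for f in findings:
        if rank[f.severity] > rank.get(worst.get(f.server, ""), 0):
            worst[f.server] = f.severity
    return worst

SAMPLE_CONFIG = {  # constructed sample workspace config, not from a real project
    "servers": {
        "files": {"type": "stdio", "command": "npx", "args": ["-y", "@example/mcp-filesystem", "/Users/dev"]},
        "helper": {"type": "stdio", "command": "/bin/bash", "args": ["-c", "./start-mcp.sh"]},
        "docs": {"type": "http", "url": "http://docs.internal.example/mcp"},
        "vendor": {"type": "stdio", "command": "npx", "args": ["vendor-mcp@2.1.0"],
                   "env": {"API_TOKEN": "${input:vendor-token}"}},
    }
}
```

Run `audit_mcp_config` over every mcp.json a repository check-out or endpoint agent can see; the "vendor" entry shows the shape that passes (pinned package, secret supplied through an IDE input rather than a literal).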

The non-negotiable need for AI tool traceability and observability

It’s all at once complex yet simple: If a CISO has no idea which developers are using which AI tools, what code is being committed, or which repositories are augmented by human-AI collaboration, then a huge dataset is missing, and observability needs to improve yesterday. 

The rapid integration of AI coding assistants and MCP servers, now leveraged by a vast majority of developers, has created a critical security blind spot within the SDLC. The data is alarming: up to 50% of functionally correct LLM-generated code has been found to contain security bugs, yet without proper observability, CISOs and AppSec teams lack actionable insight into the sheer volume and sources of this high-risk code being introduced. This critical lack of traceability renders effective AI governance in the form of policy enforcement and risk mitigation functionally impossible.

To safely maximize the immense productivity gains offered by AI, organizations must mandate solutions that provide complete, deep visibility into the AI attack surface. Secure Code Warrior has SCW Trust Agent: AI in closed beta with a select number of our customers. This capability provides deep observability by actively monitoring AI-generated code traffic (including MCP servers) in real time on the developer’s local machine and IDE, tracking it through pull requests and commits to the actual software repositories. Accurate security traceability is achieved only by correlating three vital signals: the specific AI coding tool and LLM model used, the targeted code repository and, most critically, the contributing developer's measured secure coding proficiency.

Only by establishing this verifiable chain of correlation can an organization accurately benchmark the actual security risk being introduced, automate robust policy enforcement, and ensure that AI-enabled developers meet mandatory secure coding standards before their contributions successfully bypass existing guardrails. 
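As an added example that is not SCW Trust Agent's code, the script below shows what that chain of correlation looks like in practice: endpoint-monitor records of AI edits are joined to commits on developer, repository, path and time window, and each AI-assisted commit is then gated against the developer's proficiency score and a critical-repository list. The feeds, field names and thresholds are constructed assumptions.

```python
"""Join the three traceability signals the post names: the AI tool and model
that touched a file, the repository the commit landed in, and the committing
developer's measured secure-coding proficiency.

Added example for this post, not SCW Trust Agent code. The three feeds are
constructed, and the field names and policy thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class AiEdit:  # one endpoint-monitor record: an AI tool wrote a file
    developer: str
    tool: str
    model: str
    repo: str
    path: str
    at: datetime

@dataclass(frozen=True)
class Commit:
    sha: str
    developer: str
    repo: str
    paths: tuple
    at: datetime

@dataclass
class Verdict:
    sha: str
    ai_paths: dict  # path -> "tool/model" for files with a matching AI edit
    proficiency: Optional[float]
    decision: str   # "allow", "review" or "block"
    reasons: list

POLICY = {
    "window": timedelta(hours=8),     # an AI edit this long before the commit still counts
    "min_proficiency": 70.0,          # AI-assisted code from weaker scores goes to review
    "critical_repos": {"payments-api"},
}

def attribute(commits, ai_edits, proficiency, policy=POLICY):
    """One Verdict per commit; edits match on developer, repo, path and time window."""
    verdicts = []
    for c in commits:
        ai_paths = {}
        for e in ai_edits:
            same_origin = e.developer == c.developer and e.repo == c.repo and e.path in c.paths
            if same_origin and timedelta(0) <= c.at - e.at <= policy["window"]:
                ai_paths[e.path] = f"{e.tool}/{e.model}"
        score = proficiency.get(c.developer)
        decision, reasons = "allow", []
        if ai_paths:  # only AI-assisted commits are gated
            if score is None:
                decision = "block"
                reasons.append("AI-assisted code from a developer with no proficiency baseline")
            elif score < policy["min_proficiency"]:
                decision = "review"
                reasons.append(f"proficiency {score:.0f} is below the {policy['min_proficiency']:.0f} bar")
            if c.repo in policy["critical_repos"] and decision == "allow":
                decision = "review"
                reasons.append("AI-assisted change to a critical repository")
        verdicts.append(Verdict(c.sha, ai_paths, score, decision, reasons))
    return verdicts

def summary(verdicts):
    return {v.sha: v.decision for v in verdicts}

# Constructed feeds: endpoint-monitor records, the commits that landed, and a proficiency table.
T0 = datetime(2025, 11, 14, 9, 0)
AI_EDITS = [
    AiEdit("alice", "claude-code", "sonnet", "payments-api", "src/refund.py", T0),
    AiEdit("bob", "cursor", "gpt-4.1", "web-frontend", "app/login.js", T0),
    AiEdit("bob", "cursor", "gpt-4.1", "web-frontend", "app/old.js", T0 - timedelta(days=2)),  # stale
    AiEdit("carol", "windsurf", "model-x", "web-frontend", "docs/index.md", T0),
]
COMMITS = [
    Commit("a1b2c3", "alice", "payments-api", ("src/refund.py", "README.md"), T0 + timedelta(hours=1)),
    Commit("d4e5f6", "bob", "web-frontend", ("app/login.js", "app/old.js"), T0 + timedelta(hours=2)),
    Commit("0f0f0f", "carol", "web-frontend", ("docs/index.md",), T0 + timedelta(hours=3)),
    Commit("9e9e9e", "alice", "payments-api", ("README.md",), T0 + timedelta(hours=4)),
]
PROFICIENCY = {"alice": 88.0, "bob": 55.0}  # carol has never completed an assessment
```

The stale edit to `app/old.js` falls outside the window and is not attributed, and alice's second commit touches no AI-edited file, so it is allowed even in the critical repository.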

Get in touch with us if you’d like to know more or see a demo of supercharged AI governance in action, or just send a message to join the beta program.


Is the cybersecurity world moving too fast on agentic AI? The future of AI security is here, and it's time for experts to move from reflection to reality.

Chief Executive Officer, Chairman, and Co-Founder

Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
