News
June 25, 2026
7 min read

The Trust Collapse: Agentjacking Proves Agent Security Gateways Are Not Optional

Agentjacking proves coding agents can be hijacked via MCP in 85% of attempts. Here is what it means for agent security gateway design in 2026.

#agent security gateway#MCP prompt injection#agentjacking attack#AI agent runtime security#MCP security#Sentry

On June 24, 2026, a security research team emerged from stealth with a finding that stopped the agentic AI world cold. Tenet Threat Labs, the research arm of Tenet Security (a startup founded by veterans of Cisco AI Defense and Israel's Unit 8200), published a technique they called Agentjacking.

The concept is deceptively simple and devastating in practice: anyone who holds a public Sentry DSN can inject malicious "remediation instructions" into Sentry error events. When a developer asks their AI coding agent (Claude Code, Cursor, or OpenAI Codex) to "fix unresolved Sentry issues," the agent queries Sentry via the Sentry MCP server. The server faithfully returns the poisoned event as trusted system output. The agent then executes attacker instructions with the developer's full local privileges.

The success rate? 85%. The exposure? 2,388 organizations with discoverable Sentry DSNs.

This is not a theoretical threat. It was demonstrated in a controlled lab environment against three of the most-used AI coding agents in production today. Sentry reviewed the vulnerability and declined to fix it at the ingestion layer, stating the issue was "technically not defensible" on their side. The problem lives in the architectural seam between MCP servers and the agents that trust them.

The same week, Microsoft Security Research disclosed AutoJack: a three-flaw chain in AutoGen Studio letting a single web page achieve host-level RCE against any machine running a web-browsing agent alongside a local MCP WebSocket server. No credentials required. The fix lives in GitHub main; no patched stable release exists yet.

We are not at the beginning of agent security as a concept. We are at the inflection point where it becomes mandatory.

How Agentjacking Works (and Why It Is Hard to Patch)

MCP (the Model Context Protocol, standardized by Anthropic in 2024) lets AI agents connect to external tools and data sources through a standardized interface. From the agent's perspective, data arriving through an MCP server carries implicit trust: it came through an authenticated, structured channel, not the raw internet.

Agentjacking exploits that trust at the data layer. Here is the attack path:

  1. An attacker obtains the target organization's Sentry DSN, often public in client-side JavaScript, README files, or CI/CD configs.
  2. The attacker crafts a fake Sentry error event containing a malicious instruction disguised as a stack trace comment or metadata field.
  3. A developer (or an automated pipeline) asks the coding agent to address open Sentry issues.
  4. The agent queries Sentry through the Sentry MCP server, which returns all open events, including the poisoned one.
  5. The agent interprets the malicious instruction as legitimate guidance and executes it.

The attack bypasses EDR tooling (no malicious binary executes at the OS layer), bypasses IAM controls (the agent uses the developer's existing credentials), and bypasses VPN checks (the request originates from the developer's own machine). It is a trusted-path attack.

The deeper problem is architectural. MCP servers were designed to give agents structured access to data, not to sanitize adversarially crafted content before presenting it. A security posture that relies on each MCP server individually handling input validation is not a security posture. It is a hope.

CSA Research found the pattern extends well beyond Sentry: 43% of MCP server implementations in a surveyed sample contained command injection flaws, and 30% permitted unrestricted URL fetching. Any MCP-connected service that surfaces externally-controlled content (issue trackers, support queues, code-review platforms, log aggregators) carries the same structural exposure.

The Week That Built the Agent Security Gateway Category

Agentjacking did not emerge in isolation. This week produced a cascade of signals that collectively define where the market is heading.

WitnessAI GA'd Agentic Control (June 17, 2026). The product auto-discovers agents across IDEs, chat apps, and custom frameworks; enforces org-wide MCP allow-lists; and inspects agentic conversations in-flight at runtime. WitnessAI has raised $85M total. They are not building a concept. They are shipping a product.

Databricks entered the agent gateway market at Data + AI Summit 2026, launching Unity AI Gateway: MCP policy enforcement, runtime guardrails, spend controls, and a partner ecosystem. For organizations already on the Lakehouse, this bundles agent governance directly into the data plane.

AWS announced Continuum at AWS Summit New York: an AI-native code vulnerability discovery and remediation pipeline that continuously discovers vulnerabilities, ranks them by business impact, proves exploitability, and drives a fix through existing CI/CD pipelines. Gated preview, GA pending. Even the hyperscalers now treat AI-aware security as a product-level investment.

Tenet Security raised $6M seed the same week it disclosed Agentjacking. Their platform models an agent's next action before execution and blocks dangerous paths in sub-millisecond latency with no SDK changes required.

Gravitee's State of AI Agent Security 2026 report found only 24.4% of organizations have full visibility into which AI agents are communicating with each other, and more than half of all agents run without any security oversight or logging at all.

What a Real Agent Security Gateway Must Enforce

The market is converging on the term "agent security gateway" but the definition is still contested. Agentjacking gives us a concrete test: whatever your gateway does, does it prevent this attack?

A gateway that only rate-limits LLM API calls fails this test. A gateway that only monitors token spend fails this test. A gateway that only enforces system prompt policies fails this test.

Preventing MCP-based input poisoning requires enforcement at the execution layer, specifically:

MCP input inspection. Before the agent receives content from any MCP server, the gateway must parse and inspect that content for adversarial payloads. This is the WAF equivalent for MCP traffic: not blindly trusting what flows through a structured channel just because the channel is authenticated.

Action pre-authorization. Tenet's own product blocks at the "next action" level. The gateway evaluates what the agent is about to do before it does it. This is the only defense against prompt injection attacks that don't carry a signature: the injected payload doesn't have to look malicious; it just has to get the agent to take a harmful action.

MCP server allow-listing. Which MCP servers is this agent permitted to connect to? WitnessAI enforces org-wide MCP allow-lists. Without allow-listing, a compromised machine can redirect agent traffic to a rogue MCP server that the gateway never sees.

Conversation-level audit logging. Sentry declined to fix Agentjacking at ingestion. That means the proof of attack lives in the agent's tool call history: the sequence of MCP queries, the content returned, the actions taken. Without conversation-level logging, incident response is reconstruction from fragments.

Identity-aware enforcement. The Gravitee report found only 21.9% of teams treat AI agents as independent, identity-bearing entities. When an agent acts with a developer's credentials and no record of what the agent did exists, the blast radius of a compromised agent equals the blast radius of a fully compromised human account.

Where This Leaves Engineering Teams Right Now

The AutoJack patch is in GitHub main but not in a stable release. Agentjacking has no patch. The Tenet researchers identified 2,388 exposed organizations. WitnessAI is GA. Tenet just raised. Databricks just entered.

The category is not waiting.

For engineering leaders evaluating agent security posture today, the pragmatic starting point is not "which security vendor should I buy?" It is: do I have any visibility into what my agents are doing? Most teams don't. Most don't know which agents are running, which MCP servers they're connected to, or what they did last Tuesday.

Visibility precedes policy. You cannot enforce what you cannot see.

The second question is: where are my agents' trust boundaries? Agentjacking works because agents trust MCP server output implicitly. Mapping every MCP server in use, every external data source that feeds into agent context, and every action class agents are permitted to take is the security posture audit that engineering teams need to run today, before the next disclosure.

At Datapace, our agent security gateway sits at this boundary: inspecting MCP traffic, enforcing action pre-authorization policies, and providing full audit trails of agent behavior across every tool integration. The threat model Agentjacking describes (trusted-path injection through a structured protocol) is exactly the boundary our gateway protects.

The question Agentjacking forces every engineering team to answer is simple: when your coding agent receives a response from an MCP server, does anything check it before the agent acts on it?

If the answer is no, Agentjacking already knows what to do with that.

Schedule a conversation with our team to see how Datapace enforces MCP-level policies across your agent fleet.

Keep reading

Ready to let agents touch production, safely?

Bring a use case. We will show you what agents can do on your live data, inside your guardrails.

Book a callSee how it worksRead more articles