It seems in the great, exhilarating, terrifying race to take advantage of agentic AI technology, a lot of us are flooring it, desperate to overtake competitors, while forgetting there are several hairpin turns in the distance requiring strategic navigation, lest we run out of talent in the pursuit of ambition and wipe out entirely.
One of the major “hairpins” for us to overcome is security, and it feels like cyber professionals have been waving their arms and shouting “watch out!” for the better part of a year. And with good reason: On Friday, the 14th of November, Anthropic, a world-renowned LLM vendor made famous by its popular Claude Code tool, released an eye-opening paper on a cyber incident they observed in September 2025 that targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies. This was no garden-variety breach, it was an early holiday gift for threat actors seeking real-world proof that AI “double agents” could help them do serious damage.
An alleged nation-state attacker used Claude Code and a range of tools in the developer ecosystem, namely Model Context Protocol (MCP) systems, to almost autonomously target specific companies with benign open-source hacking tools at scale. Of the over thirty attacks, several were successful, and proved that AI agents could indeed execute large-scale, malicious tasks with little to no human intervention.
Maybe it’s time we went a little slower, stopped to reflect on what is at stake here, and how best to defend ourselves.
Defending against lightspeed machine intelligence and agency
Anthropic’s paper unveils a powerful new threat vector that, as many of us suspected, can supercharge distributed risk, and give the upper hand to bad actors who were already at a significant advantage over security professionals working with sprawling, complex code monoliths and legacy enterprise-grade systems.
The nation-state attackers were essentially able to “jailbreak” Claude Code, hoodwinking it into bypassing its extensive security controls to perform malicious tasks. From there, it was given access via MCP to a variety of systems and tools that allowed it to search for and identify highly sensitive databases within its target companies, all in a fraction of the time it would have taken even the most sophisticated hacking group. From there, a Pandora’s box of processes was opened, including comprehensive testing for security vulnerabilities and the automation of malicious code creation. The rogue Claude Code agent even wrote up its own documentation covering system scans and the PII it managed to steal.
It’s the stuff of nightmares for seasoned security professionals. How can we possibly compete with the speed and potency of such an attack?
Well, there are two sides to the coin, and these agents can be deployed as defenders, unleashing a robust array of mostly autonomous defensive measures and incident disruption or response. But the fact remains, we need skilled humans in the loop who are not just aware of the dangers posed by compromised AI agents acting on a malicious attacker’s behalf, but also how to safely manage their own AI and MCP threat vectors internally, ultimately living and breathing a new frontier of potential cyber espionage and working just as quickly in defense.
At present, there are not enough of these individuals on the ground. The next best thing is ensuring that current and future security and development personnel have continuous support through upskilling, and monitoring of their AI tech stack, to manage it safely in the enterprise SDLC.
Traceability and observability of AI tools are a hard requirement for modern security programs
It’s simple: Shadow AI cannot exist in a world where these tools can be compromised, or work independently to expose or destroy critical systems.
We must prepare for the convergence of old and new tech and accept that current approaches to securing the enterprise SDLC have been rendered, very rapidly, as completely ineffective. Security leaders must ensure their development workforce is up to the task of defending it, along with any shiny new AI additions and tools.
This can only be done through continuous, current security learning pathways, and complete observability over their security proficiency, commits, and tool use. These data points are crucial for building sustainable, modern security programs that eliminate single points of failure and remain agile enough to combat both new and legacy threats. If a CISO does not have real-time data on each developer’s security proficiency, the exact AI tools they are using (and insights into their security trustworthiness), where the code has come from that is being committed, and now, deep dives into MCP servers and potential risk profiles there, then sadly, it’s as good as flying blind. This critical lack of traceability renders effective AI governance in the form of policy enforcement and risk mitigation functionally impossible.
So let’s take a minute to breathe, plan, and approach this boss-level gauntlet with a fighting chance.
