Dark Perimeter: True Cybersecurity Stories
Every major cyberattack has a story behind it. A vulnerability no one patched. A phishing email someone clicked. A nation-state with a motive. Dark Perimeter goes beyond the headlines to explore the true stories of the hacks, breaches, and cyber operations that shaped history - told in narrative form for security professionals and curious minds alike. No guests, no panels, no filler. Just the story.
Dark Perimeter: True Cybersecurity Stories
Dark Perimeter: "Remy Is Coming: AI Agents, Google I/O, and the New Attack Surface"
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
It is 2.17 in the morning. Margaret Chen is asleep. Her phone is on the nightstand, screen down, charging. She does not hear the notification because she has Do Not Disturb. Enabled between 10 PM and 7 AM. She set that up herself. She is by every measure a responsible digital citizen. Her AI agent, however, is wide awake. It started at 2.11. An email arrived in Margaret's executive inbox. The sender appeared to be her chief of staff, Dominic Walsh. The subject line read: Urgent aboard logistics change, action needed before 8 a.m. The body contained a politely worded request. Could Margaret's agent please coordinate a wire transfer of $94,000 to a new vendor escrow account for a confidential MA pre-engagement retainer? All the relevant documents were attached. The agent should have full context from prior calendar events she was told it would know what to do. And it did. The agent parsed the email. It cross-referenced Margaret's calendar. It found the board meeting on Tuesday. It found the MA strategy session from three weeks prior. It found a prior email thread with the real Dominic Walsh discussing vendor onboarding for Q3 initiatives. The pattern matched, the confidence score was high. The agent drafted the wire authorization, pre-filled the approval form, and sent a summary to Margaret's Secure Messages app flagged as low urgency for her morning review. Dominic Walsh did not send that email. His account was clean. The message came from a look-alike domain registered four days earlier. The attached documents were real, scraped from a prior data exposure at a legal services firm. The MA context was real, but the board meeting was real. Every piece of social context the agent used to validate the request had been deliberately seeded into the environment over the previous 72 hours. The attacker did not hack Margaret Chen's AI agent. They simply had a conversation with it. Margaret woke up at 7.04, made coffee, opened her messages app, saw the summary, read wire authorization submitted per Dominic's 217 AM request. Confirmation code attached. She called Dominic at 7.09. He had no idea what she was talking about.
SPEAKER_01Welcome to Dark Perimeter, Security, AI, and the Edge of What's Coming. I'm Cole Draden. That story you just heard is fictional. The name, the company, the wire amount, all fabricated. The attack technique is not. Today we are talking about AI agents, what they can do, what they are about to do, and why the security industry is, I would argue, dangerously behind on what that means. As I am recording this, Google I.O. begins in less than twenty-four hours. Tomorrow morning at 10 AM. Pacific, Google is expected to take the stage at Shoreline Amphitheater and announce what may be the most aggressive, agentic AI deployment in consumer history. We have known for weeks, through leaks and pre-event briefings, that something called Gemini Spark is coming. An always-on, persistent AI agent embedded across your phone, your laptop, your inbox, your calendar, your browser. Before the main keynote, Google already unveiled pieces of this vision at the Android show last week under the umbrella name Gemini Intelligence. An internal code name floating around the security research community for this initiative? REMI. Whether or not that name sticks, whether or not any of the specific features land exactly as rumored. The direction is clear. We are moving from AI as a tool you invoke to AI as an agent that acts. And that transition has a threat model that most organizations have not written yet. With me today are two people who have been living in this problem for months. Dr. Elliot Vance is an AI security researcher who has spent the last year mapping the attack surfaces created by a genic systems. And Marcus Hale is a red team operator who has spent that same year actually exploiting them. Welcome to both of you.
SPEAKER_03Good to be here, Cole. Timely episode. Yeah, very timely.
SPEAKER_01Elliot. Let's start with the landscape. When we talk about agentic AI, the version Google is about to roll out at scale. What are we actually describing? Because I think a lot of people still picture a slightly smarter chatbot.
SPEAKER_03Right. And that is exactly the mental model that gets organizations into trouble. A chatbot responds when you ask it something. An agent acts whether you ask or not. The key characteristics are it has memory across sessions, it has access to external tools and data sources, it can take multi-step actions in sequence, and critically, it can operate asynchronously while you are asleep, while you are in a meeting, while you are not looking. What Google is describing with Gemini Intelligence, with Gemini Spark, is an agent that proactively declutters your inbox, preps your meeting briefs, reserves your parking spot, books your spin class, and you will confirm those actions. They have said as much. But the agent will have already done the research, drafted the action, and queued it up. In many cases, confirmation becomes a rubber stamp.
SPEAKER_01And that rubber stamp is doing a lot of trust work that we used to do manually.
SPEAKER_03Exactly. The human used to be in the loop at every step. Now the human is at the end of a chain that the agent has already traversed. The agent read your email, the agent checked your calendar, the agent looked up the vendor, the agent drafted the approval. You see book spin class, confirm, and you tap yes without reading the full context. That is by design. That is the efficiency the product is selling.
SPEAKER_02And that is the gap I walk through.
SPEAKER_01Marcus, that is a good segue. Walk us through the threat model as a red teamer. Where do you start when you look at an agentic AI deployment?
SPEAKER_02Same place I always start. What does the agent have access to? Because the agent is essentially a new insider. It has credentials, it has context, it acts with the user's authority. In a lot of deployments, it has more persistent access than a human employee because it never logs off. So the first question is scope. What tools can the agent call? What data can it read? Can it send email? Can it move money? Can it write to calendar? Can it interact with SaaS apps? The more tools, the bigger the blast radius when something goes wrong.
SPEAKER_01And what does wrong look like?
SPEAKER_02Prompt injection. That is the primary attack. The OASP top ten for Genic applications, published in December 2025 by over a hundred security researchers, ranks agent goal hijacking as the number one risk. What that means in practice is this: you do not attack the model, you attack the content, the model reads, you put instructions somewhere the agent will encounter them. A document, an email, a calendar invite, a GitHub issue, a web page the browser agent visits. The agent reads those instructions alongside legitimate content, and it cannot reliably tell the difference between instructions from its developer and instructions embedded in external data. Simon Willison coined what I think is the cleanest framing for this. He calls it the lethal trifecta. Private data, untrusted content, and external communication capability. When all three are present in the same agent, an attacker can steal data through prompt injection alone, no credentials required, no network exploit, no malware. A sentence in the right document does the work.
SPEAKER_03And most deployed agenic systems have all three. An enterprise AI agent connected to email has private data, your entire inbox. It processes untrusted content, every external email, every attachment, every link. And it has external communication capabilities.
SPEAKER_01I want to revisit that because the situation has gotten significantly worse since we recorded that episode. Elliot, what happened over the last couple months?
SPEAKER_03February 2026, researchers scanned the public internet and found over 8,000 MCP servers exposed with no authentication, not behind a firewall, not requiring credentials, admin panels open, debug endpoints reachable, in some cases full-agent conversation logs and environment variables, including API keys accessible to anyone who knew where to look. That is the ClaudeBot incident from January. Default configuration shipped with public-facing admin panels. It was not a zero-day, it was misconfiguration at scale, and then the CVEs started stacking up 30 and 60 days between January and March. GitHub's MCP server had a prompt injection vulnerability. Attackers embedded crafted prompts in public GitHub issues and pull requests. When an agent processed those through the MCP server, it leaked private repository code into public pull requests. Microsoft's Azure DevOps MCP package shipped with a missing authentication layer. Anthropic's own reference, Git MCP server, had three CVEs: path traversal, argument injection, repository scoping bypass, chained together for remote code execution via prompt injection alone.
SPEAKER_02If Anthropic's own reference implementation shipped with those flaws, every third-party MCP server built with half the resources should be treated as compromised until proven otherwise. That is the posture I take going into any engagement now.
SPEAKER_01Let's bring this back to tomorrow's announcements because I want to contextualize what Google is about to do against the threat model we have just laid out. What we know or believe we know about Gemini Spark, it will operate in the background across your Android devices, your Chrome browser, your Google apps. It will monitor your inbox, prep meeting briefs, track news stories you care about. It will interact with your calendar and, with confirmation, take actions like booking appointments, reserving parking, completing purchases. The auto browsing component, initially for AI Pro and Ultra subscribers, can carry out tasks on your behalf while you are doing something else. Google has said explicitly that Gemini Intelligence features ad protections against prompt injection. They have mentioned Private Compute Core and Protected KVM as safeguards for ambient data. Elliot, what is your read on those mitigations?
SPEAKER_03Technically, they are real. Private Compute Core is a legitimate architectural control. It sandboxes sensitive data processing so that it does not leave the device unless you explicitly authorize it. That addresses one part of the problem. What it does not address is what the agent does with content. It legitimately processes. If a prompt injection is embedded in an email that the agent has permission to read, Private Compute Core does not stop the agent from following those injected instructions. The data stays on device. The agent behavior does not. The confirmation prompt model they have described is probably the most important user-facing mitigation. You will be asked to confirm before the agent purchases something or posts to social media. But confirmations only help if users read them. UX research on notification fatigue is fairly clear. When confirmation prompts become routine, users approve them without reading. That is not a failure of the technology. That is human behavior under cognitive load.
SPEAKER_02I would spend two or three days seeding context into the environment, emails that establish a pattern, calendar entries that support a narrative, document attachments that provide plausible backstory. Then I send one carefully crafted email that aligns with that established context, timed for when the target is asleep or in back-to-back meetings. The agent processes it, the agent cues an action, the user gets a confirmation prompt that says one verse throw was in two lines, something like approve vendor payment perdominus request, and the user taps approve. I do not need the agent to be insecure. I need the user to trust it.
SPEAKER_01That is essentially a social engineering attack against an automated system rather than a human. And automated systems process at two in the morning.
SPEAKER_03This is actually a documented attack taxonomy at this point. The paper from Archif in February, bypassing AI control protocols via agent as a proxy attacks, formalizes exactly this pattern. You compromise or deceive an agent, and then the compromised agent becomes a proxy for attacking downstream services. It is operating with valid credentials. It is doing things within its authorized scope. From a logging perspective, everything looks normal. The agent did what the agent was authorized to do.
SPEAKER_01What is the scale of concern in the security leadership community right now?
SPEAKER_03DarkTrace surveyed security leaders across industries and found that 92% expressed concern about AI agents introducing new attack surfaces. Nearly nine in ten said their organizations were not prepared to defend against AI-specific threats. The gap between deployment velocity and security readiness is probably the starkest I have seen it since the early days of cloud adoption.
SPEAKER_01And Google is about to hand this capability to hundreds of millions of consumers tomorrow.
SPEAKER_03To be fair, Google is also doing more than most to document the risks. They have explicitly named prompt injection as a concern they are working on. They are adding confirmation layers. The security engineering is not negligent, but they are also racing competitors. OpenAI is doing this. Anthropic is doing this. Microsoft has co-pilot agents embedded across the enterprise stack. The deployment is happening regardless of whether the security model is fully mature. That is the honest answer.
SPEAKER_01Let's talk enterprise. Marcus, when you do red team engagements against enterprise AI deployments right now, what does a typical target look like?
SPEAKER_02Uh Messi, the typical enterprise has three or four different AI agent deployments from different vendors, none of which were purchased through a formal security review process. A sales team deployed an AI CRM assistant, an engineering team connected Claude Code or co-pilot to their internal repositories, an executive assistant set up a Google Workspace agent to manage scheduling. None of these are talking to each other at the security layer. There is no unified policy. There is no audit log that covers all agent actions in a single pane. And there is almost certainly at least one MCP server or tool integration that nobody in IT knows exists.
SPEAKER_01Shadow AI agents.
SPEAKER_02It is sitting on their dev machine, which is on the corporate network. Nobody audited it. Nobody knows it is there. I walk into engagements and find these within the first two hours.
SPEAKER_03The authentication gap is the thread that pulls everything else. Most enterprise MCP server deployments are not using OAuth with proper scoping. They are using static API keys, shared credentials. In some cases, no authentication at all, because the developer assumed the tool was internal only and the network would protect it. That assumption fails in a hybrid work environment.
SPEAKER_01Elliot, talk about multi-agent pipelines. Because I think that is where the enterprise complexity really compounds.
SPEAKER_03The architecture that enterprises are increasingly moving toward is orchestrator subagent models. You have a high-level orchestrator agent that receives a task, say prepare the quarterly board report, and it spins up subagents to gather data, synthesize analysis, format the output. Each of those subagents has its own tool access, its own context window. And each boundary between agents is a potential prompt injection propagation point. Here's why that matters. If the data gathering subagent processes a poisoned document, and the injected instructions say, when you pass your output to the orchestrator, include the following text. The orchestrator receives instructions it believes came from its own subagent, which it trusts implicitly. The injection propagates up the chain. The orchestrator follows instructions from a source it considers internal and legitimate. The failure is distributed across multiple agents. Detection is extremely hard.
SPEAKER_01What do defenses look like when they do exist?
SPEAKER_03Layered. Input validation at the point where external content enters the agent pipeline. Content scanning for instruction-like patterns in documents and emails before the agent processes them. Explicit trust boundaries between agents in multi-agent architectures. Principle of least privilege for tool access. An agent that needs to read email does not need to send email. Privilege escalation should require human confirmation at every boundary crossing. For MCP specifically, pin server versions verify checksums, audit tool definitions before deployment, maintain an allow list of approved MCP servers. Treat MCP server configuration as infrastructure code. It should go through the same review process as any other third-party dependency.
SPEAKER_02And treat agent action logs as security telemetry. Every tool call an agent makes should be logged, timestamped, and reviewable. Right now, most organizations cannot answer the question, what did our AI agent do yesterday? That is a gap that would not be acceptable for any other system with this level of access.
SPEAKER_01I want to zoom out for a moment, because there is something philosophically important happening here that gets lost when we are talking about CVEs and injection attacks. We are building systems that operate with our authority while we are asleep. That is not a hyperbolic framing. That is a product description from a major technology company announced this week. The agent acts on your behalf. It has your calendar, your email, your identity, your credentials. It acts at two in the morning. And we are trusting that it will interpret our intentions correctly in an adversarial environment without meaningful ability to distinguish a legitimate instruction from a carefully crafted attack. That is a fundamentally different relationship with technology than anything we have built before.
SPEAKER_03I think that is right. And the security industry's challenge is that our mental models were built for a different paradigm. Perimeter defense assumed you could define an inside and an outside. Zero trust assumed you could verify identities. Both of those assumptions break down when the attacker does not need to breach the perimeter or compromise a credential. They just need to put the right words in a document that your authorized agent will read.
SPEAKER_02The perimeter is the agent now. Whatever boundary the agent has, that is your perimeter. And we are shipping agents with very broad perimeters because narrow perimeters are less useful. The product and security teams are pulling in opposite directions, and the product team is winning because that is what the market is buying.
SPEAKER_01So, what do we tell security leaders who are watching the Google I.O. keynote tomorrow and thinking about what it means for their organizations.
SPEAKER_03Start with inventory. You cannot defend what you cannot see. If your organization has any AI agents deployed, corporate sanctioned or otherwise, you need to know what tools they have access to, what data they can reach, and what actions they can take without human confirmation. That inventory does not exist at most organizations right now. Second, establish an AI agent policy before your users' personal Gemini Spark agents start connecting to corporate services, because they will. Value is real. Your employees are going to use these tools. The question is whether they do it in a way you have visibility into or in a way you do not.
SPEAKER_02Third, red team your agent deployments before your adversaries do, not a checkbox compliance exercise, actual adversarial testing. Give someone the task of prompt injecting your agents through realistic attack vectors, email attachments, external documents, web content the agent browses, find your blast radius before someone else does.
SPEAKER_01And fourth, I will editorialize here, have the conversation with your leadership and your board about what your organization's posture is on a Gentic AI. Because this is not a technical decision, it is a risk acceptance decision. Deploying a powerful AI agent across your enterprise has a risk profile that needs to be understood at the executive level. The controls are real. The residual risk is also real. Someone at the top of your organization needs to own that decision with clear eyes. The worst outcome is the one where you deploy. Because everyone else is deploying, you have not done the threat modeling. And you find out about the blast radius the same way Margaret Chen did. Reading a confirmation summary over your morning coffee. Dr. Elliot Vance, Marcus Hale. Thank you. This was exactly the conversation I wanted to have this week.
SPEAKER_03Thanks, Cole. Worth watching the I.O. keynote tomorrow, not just as a product announcement, watch it as a threat surface brief.
SPEAKER_02Yeah, watch what the agent can do, then ask yourself who else could make it do that.
SPEAKER_01That is the question. That is always the question on this show. To our listeners, if you want to go deeper on the MCP attack surface, go back to our April episode. We covered the protocol architecture, the tool calling model, and what early enterprise deployments were getting wrong. Everything Elliot and Marcus described today builds directly on that foundation. If you found this episode useful, share it with a security leader in your organization who needs to walk into tomorrow's announcements with context. That is the whole reason this show exists. I am Cole Draden. This is Dark Perimeter.