Top Agentic AI security resources — July 2026
July 2026’s agentic AI security roundup: agentic zero trust whitepapers, AutoJack & other new exploits, and the newest agent defenses.
MCP Security + MCP Security Digest Sergey todayJuly 6, 2026
The Model Context Protocol (MCP) rapidly became a widely adopted enterprise standard, opening a massive new attack surface. July highlighted the severe risks of this architecture, punctuated by the NSA’s release of official MCP hardening guidelines and the discovery of critical auto-execution vulnerabilities in tools like Amazon Q. As AI agents seamlessly pull contexts from third-party services, attackers are actively weaponizing these pathways via threshold poisoning and fake diagnostic events, proving that context providers can no longer be blindly trusted.
Total resources: 10
Category breakdown:
| Category | Count |
|---|---|
| MCP vulnerability | 2 |
| Attack technique | 3 |
| CISO resources on MCP | 1 |
| MCP red teaming | 1 |
| MCP defense | 1 |
| Threat modelling | 1 |
| MCP incident | 1 |
The MCPPrivacyDetector framework uses cross-language static and taint analysis to expose severe protocol-induced privacy leakage in MCP tool handlers. After analyzing over 10,000 real-world servers, researchers found that credentials, API keys, and PII leak at alarming rates exceeding 10%.
A critical CVSS 8.5 vulnerability where Amazon Q auto-loaded MCP configs directly from workspace directories without user consent. Opening a malicious repository allowed attackers to instantly execute code and exfiltrate AWS credentials before the flaw was patched in June 2026.
An additional flaw in Amazon Q Developer caused directly by the implicit trust of MCP tool output. This vulnerability demonstrates how easily an AI agent can be compromised when it blindly accepts MCP-returned content as executable instructions.
Attackers are leveraging Mid-Session Tool Injection (MSTI) to hijack the tools a WebMCP agent utilizes during active sessions. By using third-party scripts for AbortSignal hijacking and registration races, this runtime manipulation achieves exceptionally high attack success rates.
ShareLock introduces a sophisticated method of multi-tool poisoning that uses Shamir’s threshold secret-sharing logic. It splits malicious instructions across multiple benign-looking MCP tool descriptions, effectively evading automated detection while sustaining over 90% attack success.
Tenet Security discovered that attackers can inject fake Sentry error events through a public DSN, which the Sentry MCP server then blindly returns as trusted diagnostics. This allows attackers to achieve an 85% success rate when tricking coding agents into executing arbitrary commands across thousands of vulnerable organizations.
This NSA Cybersecurity Information Sheet offers an essential baseline for securing MCP deployments in the enterprise. It details structural risks like the inverted client-server pattern, unverified task propagation, and severe arbitrary-code-execution exposure.
Tencent Zhuque Lab released AI-Infra-Guard, an open-source multi-layer red-teaming framework designed specifically for agent architectures. It provides structured methodologies for the LLM-driven auditing of MCP servers and agent-skill packages.
Microsoft Incident Response researchers demonstrated a severe MCP tool-poisoning attack chain against a Copilot Studio finance agent. They successfully mapped existing Microsoft security controls, like Prompt Shields and Entra Agent ID, to effectively mitigate each stage of the kill chain.
Akamai analyzes the security implications embedded within the new MCP specification changes. The research models the expanding threat surface that enterprise security teams must immediately address as widespread adoption accelerates.
Microsoft documents a highly effective tool-poisoning and description-injection attack pattern recently observed in the wild. This production enterprise agent exploit successfully targeted fintech MCP servers, prompting the release of a detailed defensive playbook.
The vulnerabilities exposed this month prove that the Model Context Protocol is rapidly becoming a primary vector for AI agent hijacking. Security teams can no longer afford to treat MCP servers as inherently trusted internal utilities. You must enforce strict output validation on all MCP responses, mandate explicit user consent for loading workspace configurations, and implement rigid zero-trust boundary checks between agents and context providers to prevent catastrophic code execution and data leaks.
Written by: Sergey
Agentic AI Security Sergey
July 2026’s agentic AI security roundup: agentic zero trust whitepapers, AutoJack & other new exploits, and the newest agent defenses.
(c) Adversa AI, 2026. Continuous red teaming of AI systems, trustworthy AI research & advisory
Privacy, cookies & security compliance · Security & trust center