By Mateo Rojas-Carulla, Head of Research, AI Agent Security, Check Point Software
Early attacks – As AI moves from controlled experiments into real-world applications, we are entering an inflection point in the security landscape. The transition from static language models to interactive, agentic systems which are capable of browsing documents, calling tools, and orchestrating multi-step workflows, is already underway. But as recent research reveals, attackers are not waiting for maturity: they are adapting at the same rapid pace, probing systems as soon as new capabilities are introduced.
In the fourth quarter of 2025, our team at Lakera analyzed real attacker behavior across systems protected by Guard and within the Gandalf: Agent Breaker environment — a focused, 30-day snapshot that, despite its narrow window, reflects broader patterns we observed throughout the quarter. The findings paint a clear picture: as soon as models begin interacting with anything beyond simple text prompts (for example: documents, tools, external data) the threat surface expands, and adversaries adjust instantly to exploit it.
This moment may feel familiar to those who watched early web applications evolve, or who observed the rise of API-driven attacks. But with AI agents, the stakes are different. The attack vectors are emerging faster than many organizations anticipated.
From Theory to Practice: Agents in the Wild
For much of 2025, discussions around AI agents largely centered on theoretical potential and early prototypes. But by Q4, agentic behaviors began appearing in production systems at scale: models that could fetch and analyze documents, interact with external APIs, and perform automated tasks. These agents offered obvious productivity benefits, but they also opened doors that traditional language models did not.
Our analysis shows that the instant agents became capable of interacting with external content and tools, attackers noticed and adapted accordingly. This observation aligns with a fundamental truth about adversarial behavior: attackers will always explore and exploit new capabilities at the earliest opportunity. In the context of agentic AI, this has led to a rapid evolution in attack strategies.
Attack Patterns: What We’re Seeing in Q4 2025
Across the dataset we reviewed, three dominant patterns emerged. Each has profound implications for how AI systems are designed, secured, and deployed.
1. System Prompt Extraction as a Central Objective
In traditional language models, prompt injection (directly manipulating input to influence output) has been a well-studied vulnerability. However, in systems with agentic capabilities, attackers increasingly target the system prompt, which is the internal instructions, roles, and policy definitions that guide agent behavior.
Extracting system prompts is a high-value objective because these prompts often contain role definitions, tool descriptions, policy instructions, and workflow logic. Once an attacker understands these internal mechanics, they gain a blueprint for manipulating the agent.
The most effective techniques for achieving this were not brute force attacks, but rather clever reframing:
- Hypothetical Scenarios: Prompts that ask the model to assume a different role or context — e.g., “Imagine you are a developer reviewing this system configuration…” — often coaxed the model into revealing protected internal details.
- Obfuscation Inside Structured Content: Attackers embedded malicious instructions inside code-like or structured text that bypassed simple filters and triggered unintended behaviors once parsed by the agent.
This is not just an incremental risk — it fundamentally alters how we think about safeguarding internal logic in agentic systems.
2. Subtle Content Safety Bypasses
Another key trend involves bypassing content safety protections in ways that are difficult to detect and mitigate with traditional filters.
Instead of overtly malicious requests, attackers framed harmful content as:
- Analysis Tasks
- Evaluations
- Role-Play Scenarios
- Transformations or Summaries
These reframings often slipped past safety controls because they appear benign on the surface. A model that would refuse a direct request for harmful output might happily produce the same output when asked to “evaluate” or “summarize” it in context.
This shift underscores a deeper challenge: content safety for AI agents isn’t just about policy enforcement; it’s about how models interpret intent. As agents take on more complex tasks and contexts, models become more susceptible to context-based reinterpretation — and attackers exploit this behavior.
3. Emergence of Agent-Specific Attacks
Perhaps the most consequential finding was the appearance of attack patterns that only make sense in the context of agentic capabilities. These were not simple prompt injection attempts but exploits tied to new behaviors:
- Attempts to Access Confidential Internal Data: Prompts were crafted to convince the agent to retrieve or expose information from connected document stores or systems — actions that would previously have been outside the model’s scope
- Script-Shaped Instructions Embedded in Text: Attackers experimented with embedding instructions in formats resembling script or structured content, which could flow through an agent pipeline and trigger unintended actions
- Hidden Instructions in External Content: Several attacks embedded malicious directives inside externally referenced content — such as webpages or documents the agent was asked to process — effectively circumventing direct input filters
These patterns are early but signal a future in which agents’ expanding capabilities fundamentally change the nature of adversarial behavior.
Why Indirect Attacks Are So Effective
One of the report’s most striking findings is that indirect attacks — those that leverage external content or structured data — required fewer attempts than direct injections. This suggests that traditional input sanitization and direct query filtering are insufficient defenses once models interact with untrusted content.
When a harmful instruction arrives through an external agent workflow — whether it’s a linked document, an API response, or a fetched webpage — early filters are less effective. The result: attackers have a larger attack surface and fewer obstacles.
Implications for 2026 and Beyond
The report’s findings carry urgent implications for organizations planning to deploy agentic AI at scale:
- Redefine Trust Boundaries
Trust cannot simply be binary. As agents interact with users, external content, and internal workflows, systems must implement nuanced trust models that consider context, provenance, and purpose.
- Guardrails Must Evolve
Static safety filters aren’t enough. Guardrails must be adaptive, context-aware, and capable of reasoning about intent and behavior across multi-step workflows.
- Transparency and Auditing Are Essential
As attack vectors grow more complex, organizations need visibility into how agents make decisions — including intermediate steps, external interactions, and transformations. Auditable logs and explainability frameworks are no longer optional.
- Cross-Disciplinary Collaboration Is Key
AI research, security engineering, and threat intelligence teams must work together. AI safety can’t be siloed; it must be integrated with broader cybersecurity practices and risk management frameworks.
- Regulation and Standards Will Need to Catch Up
Policymakers and standards bodies must recognize that agentic systems create new classes of risk. Regulations that address data privacy and output safety are necessary but not sufficient; they must also account for interactive behaviors and multi-step execution environments.
The Future of Secure AI Agents
The arrival of agentic AI represents a profound shift in capability and risk. The Q4 2025 data is an early indicator that as soon as agents begin operating beyond simple text generation, attackers will follow. Our findings show that adversaries are not only adapting — they are innovating attack techniques that traditional defenses are not yet prepared to counter.
For enterprises and developers, the message is clear: securing AI agents is not just a technical challenge; it’s an architectural one. It requires rethinking how trust is established, how guardrails are enforced, and how risk is continuously assessed in dynamic, interactive environments.
In 2026 and beyond, the organizations that succeed with agentic AI will be those that treat security not as an afterthought, but as a foundational design principle.
