Lab · Prompt Injection

Prompt Injection to Tool Misuse: A 60-Line Lab

A hands-on lab: an agent obeys an instruction hidden in a support ticket and emails data to an attacker — then a policy gate at the tool boundary blocks the same attack.

8 min read Read Article
Topic · Primer

What Is Agent Security?

The practice of protecting AI agents from unsafe tool use, prompt injection, data leakage, privilege misuse, and uncontrolled automation when they interact with SIEM, SOAR, and EDR.

8 min read Read Article
Topic · Primer

What Is MCP Security?

Policy, scoping, and audit controls applied to Model Context Protocol servers so AI agents can only call sanctioned tools, with validated arguments and tamper-evident logs.

7 min read Read Article
Threat · Pattern

How AI Agents Can Be Abused in SOC Workflows

A practical inventory of how a tool-calling agent can be manipulated inside a SOC — scope escalation, exfil through tool args, and approval-flow bypass.

11 min read Read Article
Threat · Pattern

Prompt Injection in Tool-Calling Agents

How prompt injection manifests when an agent has tools, and how to layer detection across input, output, and tool arguments rather than rely on a single filter.

9 min read Read Article
Architecture

Designing Guardrails for AI-SOC Automation

A reference architecture for the guardrail layer between an agent and a SOC stack — policy engine, scoping, redaction, approval modes, and audit.

10 min read Read Article
Workflow

Human-in-the-Loop SOAR Workflows

Where humans stay essential in a SOAR pipeline, and how to surface exactly enough context for an analyst to authorize containment in seconds.

8 min read Read Article
Integration

Securing AI Agents Connected to SIEM and SOAR Tools

A walk-through for integrating an agent with QRadar, Sentinel, and XSOAR safely — credential scoping, query allow-lists, and the audit fields you must capture.

12 min read Read Article
Operations

Building Audit Trails for AI Agent Actions

What a tamper-evident audit log for AI-driven actions actually needs — keyed identity, structured tool args, approval lineage, and replay-ready records.

9 min read Read Article
Build with these patterns

From notes to systems.

The Projects and Case Studies pages show how these patterns land in production — guardrails, playbooks, and approval flows you can read end-to-end.