5 Security Alarms Ringing at Once
Here’s a shift in cybersecurity showing up in five separate places at once, independently.
The security firm Sysdig, in reporting covered by Business Insider, documented what it calls the first real case of AI-agentic ransomware — an attack it named Jade Puffer. The word that matters is “agentic.” This wasn’t a human just using AI to move faster. Sysdig found the model itself drove the intrusion from end to end — chaining reconnaissance, credential theft, and destruction on its own — while a person only set it up and pointed it. The part that used to take a skilled operator at the keyboard, the software did. First of its kind, now on the record.
And the detail that shows what “agentic” really means: the agent fired more than six hundred separate payloads in a rapid burst, and when one step failed, it read the error, rewrote its own approach, and was working again thirty-one seconds later. Sysdig’s own line is the one to sit with — the skill floor for running ransomware has dropped to about the cost of running the model.
And the pressure is already showing at the top of the industry. ZDNet reported that Apple pushed out an urgent round of security fixes — patching more than two dozen flaws at once — and named AI as the reason for the speed. The company that sets the bar for locked-down devices is suddenly patching in a hurry.
Now look at whether the defense is keeping up. ITPro reported that attackers typically remain inside a network for about two and a half weeks before anyone notices. And nearly half of the organizations surveyed only found out they’d been breached after the data was already gone. That’s discovered, after the fact, by the damage, not caught in the act.
Then, from the top of government defense. TechCrunch reported that CISA, the United States’ own cybersecurity agency, admitted it had no incident-response playbook ready when a breach hit. Its people had to write the plan in the middle of the emergency. The agency whose whole job is readiness wasn’t ready.
And underneath all of it, a door unwatched. The New Stack laid out the AI agent identity problem: businesses are deploying AI agents that have no identity of their own. The agent acts using a person’s credentials, and there’s no standard way to say what an agent even is, or what it’s allowed to touch.
Here’s the five. An attack run by software. The most secure hardware company on earth patching in a hurry. Intruders sitting undetected for weeks. The national cyber agency improvising mid-breach. And new agents operating on borrowed credentials nobody can see. That’s the picture — before we’ve said a word about why.
Why Hacking No Longer Takes Skill
The reason all of that is landing at the same moment isn’t five problems. It’s one — and it’s about something that used to be scarce.
For as long as security has existed, the expensive ingredient on both sides of it was a capable human. An attack took skill — someone who knew how to find the flaw and move through a network without tripping anything. And the insider you worried about was, whatever else, a person: fallible, but able to judge, and impossible to copy a thousand times over. Security was quietly built on one assumption — that doing something capable required a trustworthy human to do it. That assumption just broke.
Start with the attacker’s side. Bruce Schneier, writing in The Guardian, put it plainly: cyber-attacks used to require real skill, and AI is changing that. He’s pointing at what the Five Eyes intelligence alliance is now warning about — that AI lets attacks run at a speed and scale a human operator never could, and increasingly without a person running each step. Here’s the fair objection: attackers have automated for years — scripts, kits, botnets. True. But those still needed a skilled person to build them and aim them. What’s new is that the skill itself is automated now, not just the execution. The competence got cheap.
And that same shift has a second face — this one inside the building. The Hacker News reported on Microsoft research showing an attacker can poison the descriptions that tell an AI agent how to use its tools, and the agent will quietly follow them, handing over data on command. Sit with what that takes. The agent has every bit of capability to act. What it doesn’t have is the judgment to ask whether it should. It reads an instruction from an untrusted place and does the work, because doing the work is the only thing it knows how to do.
So strip it down. AI didn’t just make attackers cheaper. It made capable action cheap everywhere — and cut it loose from the trustworthy human that judgment used to require. On the outside, that’s an attacker who no longer needs skill. On the inside, it’s an agent that has power but no judgment. Same shift, both walls. And that changes where the only defensible line can sit.
Your Agents Became the New Insiders
So put the MSP in that picture, because the line you’re paid to defend just moved.
The whole managed-security model is built around the human perimeter: the logins, the endpoints, the people. But the thing acting inside your clients’ environments now isn’t only the people. It’s the agents they’ve stood up, each one carrying real access and doing what it’s told. That’s the boundary that matters now — and here’s the tell that the industry already knows it: there’s a scramble on to invent identity for agents from scratch. The New Stack reported on efforts like a new Agent Name Service — an attempt to give an AI agent a verifiable identity, the way the internet’s naming system gave every machine a name. Read what that admission means. We are building, right now, the thing that was supposed to already exist: a way to say what an agent is and what it’s allowed to do. It doesn’t exist yet. That gap is open ground.
And it’s not a small gap. In AvePoint’s own research — and that’s a vendor survey, so weigh it accordingly — the share of organizations that can’t see the AI tools running inside them has nearly tripled, while close to half of employees now lean on AI agents every day or every week. Put those together. The agents are already everywhere, doing daily work — and the ability to see them, name them, and account for them has fallen further behind, not caught up. Almost nobody owns this. Which is exactly why it’s worth owning.
So here’s the choice: where you decide the boundary is. You can move the line to the agent — inventory every AI agent in a client’s environment as what it actually is, a privileged identity; scope what it’s allowed to touch; and treat every instruction it receives as untrusted until it’s proven otherwise. Or you can keep defending the human perimeter with a prevention stack priced for a threat that no longer works that way — and find out, the hard way, that the thing that got in was never a person at all.
Why Do We Care?
Because “inventory the agents and scope what they can touch” is work you’re about to do for free — unless you name it and price it before a client asks. Add it as a recurring line item, the way you already bill for user identity and MFA, and quote it as an ongoing service rather than a one-time cleanup, because the agents keep multiplying. Price it now, while you’re the only one in the room who’s noticed the boundary moved — the shop that waits will be discounting it as a favor after a client’s agent has already done something nobody scoped.
What to Consider
- Name the line item before the next renewal, next to the identity services you already bill. You charge for user identity, MFA, and access reviews today; add agent identity as its parallel — an inventory of every AI agent in the environment, what it’s scoped to reach, and a check on what instructions it will accept. Put it on the renewal while you’re the one who noticed the boundary moved, not after a competitor or an incident names it for you.
- Price it as an ongoing service, not a one-time audit, because the agent count only grows. A single cleanup is stale within weeks — every employee who turns on a new tool adds another agent with standing access. Price recurring re-inventory and scope review the way you price patch cycles or vulnerability scanning, so it renews on its own instead of being resold from scratch each time.
- Anchor the number to the risk you’re absorbing, not the hours it takes. Inventorying agents is a short job, so priced by labor it looks cheap and gets cut. Price it as risk transfer — you’re taking on the class of event where an agent with a person’s access does something nobody scoped — and justify the figure with the client’s own exposure map, so it reads as indemnification, not a markup.
If this trend continues: Within the next twelve to eighteen months, “which AI agents run here, who scoped them, and what does that line cost” becomes a standard question on the security renewal — and the shops still bundling it for free will be explaining, after an incident, why nobody was paid to watch the agent that caused it — while the MSP who named and priced it first is the one setting the number every competitor now has to match.

