<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Probably Secure]]></title><description><![CDATA[Probably Secure]]></description><link>https://www.probablysecure.com</link><image><url>https://www.probablysecure.com/img/substack.png</url><title>Probably Secure</title><link>https://www.probablysecure.com</link></image><generator>Substack</generator><lastBuildDate>Sat, 30 May 2026 03:53:14 GMT</lastBuildDate><atom:link href="https://www.probablysecure.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Probably Secure]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[probablysecure@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[probablysecure@substack.com]]></itunes:email><itunes:name><![CDATA[Probably Secure]]></itunes:name></itunes:owner><itunes:author><![CDATA[Probably Secure]]></itunes:author><googleplay:owner><![CDATA[probablysecure@substack.com]]></googleplay:owner><googleplay:email><![CDATA[probablysecure@substack.com]]></googleplay:email><googleplay:author><![CDATA[Probably Secure]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Agent-to-Agent Lateral Movement Is the New East-West Traffic]]></title><description><![CDATA[We spent decades learning to secure deterministic traffic. 
Then traffic changed.]]></description><link>https://www.probablysecure.com/p/agent-to-agent-lateral-movement-is</link><guid isPermaLink="false">https://www.probablysecure.com/p/agent-to-agent-lateral-movement-is</guid><dc:creator><![CDATA[Probably Secure]]></dc:creator><pubDate>Thu, 07 May 2026 20:25:34 GMT</pubDate><content:encoded><![CDATA[<p>Until a few years ago I took it for granted that you could tell from traffic logs what was happening on your network and why. It used to be that the perimeter of an enterprise network was the defensive moat, and everything inside was, as John Kindervag called it when he introduced the concept of Zero Trust, the &#8220;chewy center.&#8221; The threat actors learned ways to attack that chewy center directly, and the industry had to pivot to secure the chewy center in what came to be known as east-west security or microsegmentation. This was a tall order for sure - the number of internal devices on any network far exceeds the number of perimeter devices, so effective security policies and their enforcement points had to grow, sometimes exponentially. The transition took years, and by some accounts still isn&#8217;t complete.</p><p>The one saving grace we didn&#8217;t appreciate enough at the time was that the behavior of these internal devices was known. They were known devices communicating with other known devices over known protocols and accessing known data through known flows. The policy necessary to secure such a network might be enormous and complicated but it was definable. It was <em>deterministic</em>. As a defender you could spot deviations on your network because you could define what your network was supposed to be doing and measure against that definition.</p><p>Those days are long gone.</p><p>The recent Unit42 Incident Response report shows that 87% of intrusions now span multiple attack surfaces, up from 70% last year. A full 67% of those intrusions span three or more attack surfaces. 
Things get even worse when we look at what kind of entities make up this new attack surface. It&#8217;s increasingly made up of AI Agents, which behave not in a <em>deterministic</em> way but instead in a <em>probabilistic</em> way that is often hard to predict.</p><p>Take for instance the recent attack on AWS&#8217;s Bedrock AgentCore: the starter toolkit&#8217;s default IAM gave every agent in an AWS account the ability to read other agents&#8217; memory, trigger runtimes, etc. Any single compromised agent in such an environment has the power to exfiltrate all of its data and disrupt the entire environment. It&#8217;s tempting to call this a one-off human error instead of a systemic difficulty but there&#8217;s an emerging pattern that suggests otherwise. The effective permissions and controls were set up under the assumption that the entity with the role would behave predictably, in a deterministic way. Agents break that assumption in potentially catastrophic ways because the agent&#8217;s behavior is affected by its prompt, its memory, and its upstream instructions, and each of these is a new and unique attack surface. A prompt injection doesn&#8217;t change the agent&#8217;s credentials - it changes the agent&#8217;s actions and its <em>intent</em>, and the agent executes that new intent using its existing, legitimate access. If we miss that initial prompt injection attack, we&#8217;re left with a malicious insider with broad access powers that behaves in probabilistic ways against defenses that are looking for deterministic malice.</p><p>The Bedrock AgentCore incident might be one of the first of this type but it certainly won&#8217;t be the last, and sooner than any of us would like these kinds of incidents won&#8217;t even be unique or noteworthy. 
We&#8217;ve built decades of best practices and compliance and strategy for deterministic policy, and are now aggressively embedding probabilistic actors in our networks and granting them broad access rights to get the job done. We know what we want agents to do and not do, but knowing what the agents themselves intend to do and not do and writing <em>that</em> policy is becoming as urgent as it is strange to seasoned practitioners.</p><div><hr></div><p><a href="https://www.linkedin.com/in/thomaslaugle/">Thomas Laugle</a> is a cybersecurity specialist at Palo Alto Networks. The opinions expressed here are his own.</p>]]></content:encoded></item><item><title><![CDATA[The Future of Agentic Security]]></title><description><![CDATA[Lee Klarich, Chief Product & Technology Officer of Palo Alto Networks, recently observed that &#8220;AI agents operate with access to critical systems and sensitive data, creating the ultimate insider threat.&#8221;]]></description><link>https://www.probablysecure.com/p/the-future-of-agentic-security</link><guid isPermaLink="false">https://www.probablysecure.com/p/the-future-of-agentic-security</guid><dc:creator><![CDATA[Probably Secure]]></dc:creator><pubDate>Wed, 15 Apr 2026 01:48:32 GMT</pubDate><content:encoded><![CDATA[<p><strong><a href="https://www.linkedin.com/in/leeklarich/">Lee Klarich</a></strong>, Chief Product &amp; Technology Officer of Palo Alto Networks, recently observed that &#8220;AI agents operate with access to critical systems and sensitive data, creating the ultimate insider threat.&#8221; <br><br>The compromised insider has always been one of the hardest threats to 
detect and prevent, and with the rapid adoption of agentic AI for everything from coding assistance to distributed-systems task automation the price we must all pay for such productivity catalysts is that the new malicious insider - the compromised AI agent - can now move at machine speed, and doesn&#8217;t care about getting fired or going to prison. <br><br>To address the unique risks of agentic AI on the endpoint, Palo Alto Networks acquired Koi Security today. Koi (now branded Agentic Endpoint Security - AES) provides an enforcement layer specific to AI Agents on endpoints, controlling for what traditional EDR solutions have been largely blind to. <br><br>This threat vector didn&#8217;t exist five years ago, this level of visibility didn&#8217;t exist three years ago, and the promise of a unified policy to secure it up and down the stack didn&#8217;t exist until today. <br><br>But now comes the hard part: using the tools to build and enforce policy that takes into account the entire situation the agent is in: its identity, its host machine&#8217;s posture, its network posture, its access rights, and its business purpose. <br><br>The old-school policy said something like, &#8220;This device is allowed to communicate with this other device on these protocols and applications.&#8221;<br><br>The next generation of policies needed to secure agents might read more like, &#8220;This type of agent is allowed to perform the following actions within this decision space in order to accomplish these goals for these specific purposes.&#8221;</p><p></p><div><hr></div><p><a href="https://www.linkedin.com/in/thomaslaugle/">Thomas Laugle</a> is a cybersecurity specialist at Palo Alto Networks. 
The opinions expressed here are his own.</p>]]></content:encoded></item></channel></rss>