🚨 Container Escape + AI Agent Risk: Lessons from Box’s Security Lead

Hello from the Cloud-verse!

This week’s Cloud Security Newsletter Topic we cover - Securing AI Agents in Production: From LLM Applications to Autonomous Systems (continue reading) 

Incase, this is your 1st Cloud Security Newsletter! You are in good company!
You are reading this issue along with your friends and colleagues from companies like Netflix, Citi, JP Morgan, Linkedin, Reddit, Github, Gitlab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc & more who subscribe to this newsletter, who like you want to learn what’s new with Cloud Security each week from their industry peers like many others who listen to Cloud Security Podcast & AI Security Podcast every week.

Welcome to this week's Cloud Security Newsletter.

As AI agents move from experimentation to production deployments, security teams face an entirely new threat landscape, one where traditional monitoring falls short and autonomous systems create "covert channels" we never anticipated. This week, we're joined by Mohan Kumar, Production Security Lead at Box with over 14 years in cybersecurity, who breaks down the critical security challenges of agentic AI and shares practical threat modeling approaches for organizations deploying autonomous agents.

Meanwhile, the security news cycle has been dominated by critical infrastructure vulnerabilities: three high-severity runC container escape flaws affecting every major cloud provider, active exploitation of Cisco firewall zero-days, and a China-linked APT breach of the U.S. Congressional Budget Office.

📰 TL;DR for Busy Readers

• Container breakout risk: Patch runC CVEs immediately affects Docker, Kubernetes across AWS, Azure, GCP

• AI agents ≠ LLMs: Autonomous agents create new attack surfaces through dynamic tool use and memory poisoning

• Active exploitation: Cisco ASA/FTD zero-days now weaponized for both RCE and DoS attacks

• Nation-state escalation: Chinese APT Silk Typhoon breached Congressional Budget Office systems

• Identity remains critical: Granular access controls and session isolation are foundational for AI agent security

📰 THIS WEEK'S SECURITY HEADLINES

1. Bugcrowd Acquires Mayhem Security for AI-Driven Offensive Security Testing

What Happened: Bugcrowd announced the acquisition of Mayhem Security on November 4, 2025, adding AI-driven offensive security testing capabilities to its crowdsourced vulnerability testing platform. The acquisition aims to augment human security researchers with AI-powered automation for discovering and exploiting vulnerabilities at scale.

Why This Matters: This M&A signals a significant shift in the offensive security market toward AI-augmented testing. As AI agents become more sophisticated, security testing must evolve beyond human-only approaches. The combination of crowdsourced human expertise with AI-driven automation could dramatically increase vulnerability discovery rates and testing coverage. Security teams should monitor how this affects the bug bounty landscape and consider whether their vulnerability disclosure programs are prepared for AI-augmented researcher capabilities.

• Signals a shift toward AI-augmented bug bounties and offensive testing

• Increases the volume and sophistication of findings your teams will see

• Forces security orgs to ask: “Are we ready for researchers who come with AI agents out of the box?”

Read More: BugCrowd Press Release

2. Critical runC Container Vulnerabilities Enable Escape Across All Major Cloud Providers

What Happened: Three high-severity vulnerabilities (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) were disclosed in runC, the underlying container runtime powering Docker, Kubernetes, and containerized workloads across AWS, Azure, and Google Cloud. These flaws enable container escape attacks, allowing attackers to break out of isolated containers and access the host system. AWS, Azure, and GCP all issued security bulletins with patches on November 5, 2025.

Why This Matters: Container escape represents one of the most serious threats in cloud-native environments. These vulnerabilities affect the foundational layer of container orchestration, meaning any organization running containerized workloads is potentially at risk. The swift disclosure and patching demonstrates the maturity of the container security ecosystem, but organizations must prioritize immediate patching across their Kubernetes clusters and container hosts. This isn't just a Kubernetes problem any Docker-based deployment is vulnerable.

• This is a foundational runtime issue, not “just” a Kubernetes misconfig

• Any Docker-based deployment (including CI runners and self-hosted services) is in scope

• The window between “patch available” and “weaponised PoC” is typically measured in days

Read More: Sysdig Threat Research, AWS Security Bulletin

3. Google Mandiant Exposes Ongoing Gladinet Triofox Zero-Day Exploitation

What Happened: Google Mandiant revealed that threat actor UNC6485 has been exploiting a critical authentication bypass vulnerability (CVE-2025-12480) in Gladinet Triofox file-sharing platform since August 2025. This marks the third Triofox vulnerability exploited in 2025, indicating sustained attacker interest in the platform. The flaw enables authenticated remote code execution, providing attackers with deep access to enterprise file-sharing infrastructure.

Why This Matters: Enterprise file-sharing platforms are treasure troves of sensitive data and often have broad access to cloud storage systems. The sustained exploitation since August suggests this may be part of a broader campaign targeting file-sharing infrastructure. Organizations using Triofox or similar platforms should audit access logs, verify patch levels, and review authentication mechanisms. The pattern of multiple exploited vulnerabilities in one platform within a year raises questions about the vendor's security posture.

• File-sharing platforms sit close to crown-jewel data and often bridge on-prem and cloud

• Three exploited vulns in a year suggest a structural maturity problem at the vendor

• Auth bypass + RCE = full platform takeover and stealthy data exfil

Read More: The Hacker News, Google Mandiant Threat Intelligence Report

4. Microsoft Publishes Azure Blob Storage Attack Chain Analysis with AI-Powered Detection

What Happened: Microsoft released detailed analysis of attack chains targeting Azure Blob Storage, accompanied by new AI-powered detection capabilities in Defender XDR. The guidance covers cloud misconfiguration exploitation, unauthorized access patterns, and lateral movement techniques specific to Azure storage infrastructure. The updates enhance Microsoft's ability to detect and respond to cloud storage threats using machine learning models.

Why This Matters: Cloud storage is often the final destination for data exfiltration campaigns and frequently suffers from misconfiguration issues. Microsoft's investment in AI-powered detection for storage attack chains reflects the evolving threat landscape where traditional signature-based detection falls short. Security teams should review their Azure Blob Storage configurations against Microsoft's attack chain analysis, enable Defender XDR enhancements, and ensure storage access logging feeds into their SIEM. This is particularly relevant for organizations storing AI/ML training data in cloud object storage.

• Blob/S3/GCS are often the final stop for data exfil

• Storage buckets also underpin AI/ML training data – poisoning and theft risks are high

• AI-assisted detections can help close blind spots around subtle access patterns

Read More: Microsoft Security Blog

5. Google Cloud Forecasts Surge in AI Agent Exploitation and Prompt Injection for 2026

What Happened: Google Cloud released its Cybersecurity Forecast 2026, predicting a significant increase in prompt injection attacks, AI agent exploitation, and cyber-physical attacks targeting European infrastructure. The report emphasizes how adversaries are weaponizing AI capabilities and developing new attack vectors specific to autonomous agent systems. Google's threat intelligence team identifies AI agent security as a critical emerging risk for 2026.

Why This Matters: This forward-looking intelligence directly connects to our main topic this week AI agent security. Google's prediction isn't speculative; it's based on observed threat actor behavior and the rapid adoption of AI agents in enterprise environments. As Mohan Kumar discusses in detail below, AI agents introduce fundamentally new attack surfaces including memory poisoning and tool misuse. Organizations deploying or planning to deploy AI agents should incorporate these threat predictions into their 2026 security roadmaps and investment decisions.

• Attackers already experiment with indirect prompt injection into RAG pipelines

• Early agent-to-agent abuse patterns are emerging

• Enterprises are rolling out agents faster than guardrails

Read More: Google Cloud Security Blog

🎯 Cloud Security Topic of the Week:

Securing AI Agents in Production: From LLM Applications to Autonomous Systems

The transition from single-shot LLM applications to goal-driven AI agents represents one of the most significant architectural shifts in cloud security since the move to containers.

Unlike traditional LLM applications that process a prompt and return a response, AI agents operate autonomously thinking, acting, observing, and adapting their behavior in runtime. They connect to external tools, maintain memory across sessions, communicate with other agents, and make decisions without human intervention. This autonomy creates entirely new attack surfaces that traditional security controls weren't designed to address.

Featured Experts This Week 🎤

• Mohan Kumar - Production Security Lead, Box

• Ashish Rajan - CISO | Co-Host AI Security Podcast , Host of Cloud Security Podcast

Definitions and Core Concepts 📚

Before diving into our insights, let's clarify some key terms:

• AI Agent vs. LLM Application: An LLM application provides one-shot responses to prompts (like ChatGPT's basic chat interface). An AI agent is dynamic and goal-driven, following a think-act-observe cycle, accessing external tools, maintaining memory, and making autonomous decisions to achieve objectives.

• Memory Poisoning: An attack technique where adversaries inject malicious information into an AI agent's long-term, short-term, or entity memory stores. Since agents trust their own memory when making decisions, poisoned memory can alter future behaviors and decisions without the agent's awareness.

• Tool Misuse: Exploitation of an AI agent's access to external tools and APIs. Even legitimate tools (like calendar APIs or file systems) can be abused if agents don't have proper permission scoping and validation.

• MCP (Model Context Protocol): An emerging standard for connecting AI agents to external tools and services. When configured incorrectly (particularly the "sender identification" flag), MCP can enable attackers to impersonate trusted users.

• Agentic Orchestration: The central coordination layer that manages task delegation between multiple specialized AI agents, similar to how Kubernetes orchestrates containers. This layer is becoming a critical security control point.

• Maestro Framework: Cloud Security Alliance's seven-layer threat modeling framework specifically designed for agentic AI systems, covering foundation models, data operations, agent frameworks, infrastructure, observability, security controls, and the agent ecosystem..

This week's issue is sponsored by Brinqa

What If You Could See Risk Differently?

On Nov 19, Brinqa experts will show how a shift in perspective, adding context, can change everything about how you prioritize risk. Fast-paced, real, and surprisingly fun.

📤 Register here

💡Our Insights from this Practitioner 🔍

Threat Modeling the AI Agent: Architecture, Threats & Monitoring (Full Episode here)

The Fundamental Shift: Why AI Agents Aren't Just Better LLMs

Mohan Kumar opens with a critical distinction that many security teams miss: "A typical LLM application is different than an AI agent. Think of more LLM applications as a one shot response to a prompt... it cannot make autonomous decisions or any actions on our behalf. But whereas an agent in contrast is pretty dynamic. They're goal-driven."

This isn't semantic nitpicking, it's the foundation of an entirely new security paradigm. Traditional LLM applications operate within bounded interactions: you send a prompt, the model processes it, you receive a response. The attack surface is relatively contained. AI agents, however, operate in a continuous think-act-observe loop, adapting their behavior in runtime, connecting to external tools, and persisting context across sessions.

Kumar explains the three-step process that defines agent behavior: "You give some query to the agent and then the agent thinks and then acts, and then does some observation and how things are going." This seemingly simple loop creates profound security implications. Each "act" phase might involve calling external APIs, accessing databases, modifying files, or communicating with other agents all based on dynamic runtime decisions rather than predetermined workflows.

For enterprise security architects, this means rethinking threat models from the ground up. You're no longer securing a stateless API endpoint; you're securing an autonomous system that makes real-time decisions about what tools to use, what data to access, and how to achieve goals you've only described in natural language.

The Top Three AI Agent Threats Enterprise Teams Must Address

Kumar identifies three critical threat categories that keep him up at night, starting with what he considers the highest risk:

1. Memory Poisoning and Context Manipulation

"Memory poisoning... involves exploiting the three kinds of memory that I laid out [long-term, short-term, and entity memory]. And the context manipulation involves the agent's context window," Kumar explains. The attack vector is particularly insidious: "Agent typically trust its memory, because it's its own memory... if its own memory is being compromised, then, these agents think, hey, you know, I'm just doing the job that I'm intended to do. But the goal or the context itself has been changed."

This is fundamentally different from traditional injection attacks. You're not exploiting input validation, you're poisoning the agent's knowledge base so it believes it's operating correctly while actually executing attacker-defined objectives. Kumar points to indirect prompt injection as the primary vector: malicious information inserted into RAG (Retrieval Augmented Generation) pipelines that the agent consumes as trusted context.

For production deployments, this demands implementing memory content validation, session isolation, and robust authentication specifically for memory access controls that don't exist in traditional application security frameworks.

2. Tool Misuse Through Inadequate Permission Scoping

Kumar uses a practical example to illustrate the risk: "I rely on a copilot that has access to calendar tool to book my meetings. What if an attacker are able to abuse this processes and misuse the tools here. The tools is a calendar. So instead of sending a regular calendar invite... we could misuse the same Calendar tool to exfiltrate data."

The problem isn't that the calendar API is vulnerable, it's that the agent has legitimate access to it for one purpose (scheduling meetings) but lacks the contextual boundaries to prevent abuse for another purpose (data exfiltration). Traditional API security focused on authentication and authorization at the endpoint level. AI agents require contextual authorization understanding not just who is calling the API, but why and whether that aligns with the agent's intended goal.

Kumar's mitigation guidance is clear: "We have to scope like a minimal scope with short duration as much as possible. And then if there is like high risk action that has to be like a human in the loop involved." This represents a significant shift from "set it and forget it" API keys to dynamic, context-aware permission grants with built-in time limits.

3. Privilege Compromise Through Misconfiguration

While this threat applies broadly across security domains, Kumar emphasizes its particular relevance to AI agents: "This privileged compromise will be a huge threat... mostly through the misconfiguration in the agent. An attacker executes queries and RAG databases to access files and data that it shouldn't be able to access."

The challenge here is that AI agents, by their nature, need broader access than traditional applications to be useful. An agent designed to help with data analysis might legitimately need read access to many databases. The security control isn't binary (access or no access) it's about granular, conditional access that adapts based on the specific task and context.

The Monitoring Gap: Traditional Tools Won't Cut It

When asked how security teams can detect these new threats, Kumar's response underscores a hard truth: "Traditional tooling today is not gonna fully flag these all the behaviors. That's why we need more of these either in-house or from vendors that can dynamically listen and observe the actions and flag the risky operations."

The fundamental challenge is that AI agents operate faster than human review cycles and make decisions in ways that don't align with traditional signature-based detection. Kumar suggests an innovative approach: "We could have some secondary agent who can help in monitoring that can follow the behaviors... over the time there has to be some baseline said, hey, for these kind of goal-driven actions, these are the new norm."

This represents AI-powered security for AI systems using one agent to monitor another's behavior against learned baselines. Kumar emphasizes the need for "granular access control, which means getting into more granular, as much as possible, and when the identity shift, those log has to be in place."

For production operations, this translates to:

• Implementing comprehensive logging of all agent actions, tool calls, and identity shifts

• Taking regular snapshots of agent memory for forensic analysis

• Establishing behavioral baselines for normal agent operations

• Deploying secondary monitoring agents to detect anomalies in real-time

• Ensuring human-in-the-loop authorization for high-risk actions

The Architecture of AI Agent Security: Six Critical Components

Kumar breaks down AI agent architecture into six components that security teams must threat model:

1. Role Playing: The specialized function the agent is trained to perform

2. Focus: The specific goal or objective driving agent decisions

3. Tools: External APIs and services the agent can access

4. Cooperation: How agents communicate and coordinate with each other

5. Guardrails: Both operational and security-focused controls

6. Memory: Long-term, short-term, and entity-specific information stores

Each component presents unique security considerations. Kumar emphasizes that "when we do threat model these agents, there are various frameworks that can be adopted. OWASP Top 10 LLM applications and Agent AI is a great list. And then Agentic AI threat modeling framework, which is dubbed as Maestro by the Cloud Security Alliance, is a great one."

The Maestro framework provides a seven-layer approach covering foundation models, data operations, agent frameworks, deployment infrastructure, evaluation and observability, security and compliance, and the broader agent ecosystem. Kumar stresses this systematic approach: "Security teams can use that as a blueprint to systematically analyze where controls are needed."

The Model-Agnostic Reality of AI Vulnerabilities

A common misconception is that premium AI providers like OpenAI and Anthropic are immune to the vulnerabilities affecting open-source models. Kumar dispels this myth: "I would say it's vendor agnostic at this point. All the models out there can spill credential leaks... any model is susceptible for those kind of tricks."

He explains the fundamental vulnerability through the "Grandma Trick" example, a prompt engineering technique where attackers manipulate the model by framing harmful requests as benign storytelling. "Models are generally non-deterministic in nature, so no matter if it's OpenAI model or Claude model, most of them because there are few guardrails at the model layer but they're just basic... it's easy to trick those models in a way they can get into those bias nature and follow the things that you would ask for."

This has critical implications for enterprise deployment decisions. You can't simply outsource AI agent security by choosing premium providers you must implement controls at the orchestration, data, and tool-access layers regardless of which foundation model you're using.

The Path Forward: Three Layers of Security Evolution

Looking ahead, Kumar predicts security improvements will concentrate in three critical layers:

The Orchestration Layer

"There will be a lot of guardrails which will be introduced because these orchestrations are the central brain that delegate tasks... perhaps inspired by Kubernetes in cloud. Kubernetes started adding lot of security features once it became a standard orchestration. Similarly, agent orchestration platforms will come up with more security features."

The Data Layer

"We talked about memory poisoning and how can we ensure this memory is not poisoned... that boils down to verifying the trust source or the source information. We might be able to see better those detections if those memories indeed poisoned, if the knowledge base is being poisoned."

The Interface Layer

"More from the UI the user will be able to see more of these under-hood actions visibly so that they can intervene if needed... more transparency are, hey, you know, ask me before doing X, Y, Z kind of interface."

This evolution mirrors the maturity curve we saw with container security starting with minimal controls and gradually building comprehensive security frameworks as the technology moved to production at scale.

Practical Implementation Guidance for Security Leaders

Based on Kumar's insights, security teams deploying AI agents should prioritize these immediate actions:

1. Implement Memory Protection Controls

• Validate all data entering agent memory stores

• Isolate sessions to prevent cross-contamination

• Implement authentication specifically for memory access

• Take regular snapshots for forensic analysis

2. Enforce Granular, Time-Limited Permissions

• Replace static API keys with dynamic, context-aware grants

• Implement minimum necessary scope for each tool

• Set automatic expiration on permissions

• Require human approval for high-risk actions

3. Deploy Multi-Layer Monitoring

• Log all agent actions, tool calls, and identity shifts

• Establish behavioral baselines for normal operations

• Consider deploying monitoring agents to watch production agents

• Integrate agent logs into existing SIEM platforms

4. Adopt Systematic Threat Modeling

• Use frameworks like CSA's Maestro or OWASP Top 10 for LLM Applications

• Threat model all six agent architecture components (role, focus, tools, cooperation, guardrails, memory)

• Don't assume premium AI providers eliminate security risks

• Plan for model-agnostic security controls

5. Prepare for the Evolution

• Invest in orchestration-layer security as it matures

• Develop capabilities for detecting poisoned memory and knowledge bases

• Design interfaces that provide visibility into agent decision-making

• Build human-in-the-loop workflows for critical operations

The transition to AI-augmented operations isn't optional; organizations that don't deploy these capabilities will fall behind competitors who do. But rushing into production without addressing these fundamental security concerns creates risks that traditional security tools can't detect or prevent. Kumar's guidance provides a roadmap for navigating this transformation strategically.

RELATED RESOURCES

• OWASP Top 10 for LLM Applications

• Cloud Security Alliance Maestro Framework for Agentic AI Threat Modeling

• Anthropic Research on AI Agent Security

• AWS Container Security Best Practices

• Sysdig Container Escape Techniques

• Kubernetes Security Hardening Guide

• Google Mandiant Threat Reports

• CrowdStrike Threat Intelligence

• Microsoft Defender for Cloud Blog

• Azure Blob Storage Security Best Practices

• AWS S3 Security Configuration Guide

Related Podcast Episodes 🎧

Question for you? (Reply to this email)

 🤖 Are your AI agents auditable? (Yes/No/Maybe)
Could you reconstruct their decision chain after a security incident?

Next week, we'll explore another critical aspect of cloud security. Stay tuned!

📬 Want weekly expert takes on AI & Cloud Security? [Subscribe here]”

We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe and Welcome to the new members in tis newsletter community💙

Peace!

Shilpi Bhattacharjee

Was this forwarded to you? You can Sign up here, to join our growing readership.

Want to sponsor the next newsletter edition! Lets make it happen

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

checkout our sister podcast AI Security Podcast