Why AI Agent Security Needs a Platform, Not Another Tool

The attack taxonomy is now public

In March 2026, Google DeepMind published *AI Agent Traps: A Taxonomy of Adversarial Attacks on Autonomous Agents* (SSRN 6372438). Six attack categories. 80-86% attack success rate on production agents. A public case: Microsoft 365 Copilot scoring 10/10 on Remote Control across every category the team tested.

This is not hypothetical. It is documented, reproducible, on live agents.

Every CISO who deploys an agent after March 2026 now has a taxonomy their board can point to and ask: what do we have against this?

The problem with current tools

We have spent the last month mapping what the agent-security market actually ships. The honest picture:

• ●Gen Digital Sage — runtime guardrails (Layer 3)
• ●Rubrik SAGE — runtime + behavioral detection (Layers 3, 4)
• ●Cisco AI Defense — pre-deploy skill scanning + runtime (Layers 2, 4)
• ●Microsoft Agent Governance Toolkit — policy + honeypot examples (Layers 2, 5)
• ●Straiker — detection + response (Layers 4, 6)
• ●Apono — authorization + governance (Layers 6, 7)

Every vendor covers one or two layers. Every CISO ends up buying four or five SKUs with gaps between them. This is not anyone's fault — agent security is too broad a problem for a single point product. But the buyer is left integrating the pieces themselves.

The 7-layer architecture

We borrow the shape from how endpoint security evolved. Antivirus → EDR → XDR was the same journey: start narrow, consolidate, then own the category. Agents need a 7-layer stack:

L1 Discover  →  central inventory of every agent, skill, MCP tool
L2 Audit     →  pre-deploy scanning of skills and configs
L3 Protect   →  runtime prompt / tool / output defense
L4 Detect    →  behavioral anomaly detection
L5 Deceive   →  honeypot traps for attacker profiling
L6 Respond   →  auto-block, alert, playbook execution
L7 Govern    →  AIAM + 4-framework compliance reporting

Each layer has its own budget line and its own buyer. Miss a layer and a category of attacks walks through. The 6 DeepMind categories map cleanly across L2-L6; L1 and L7 are what enterprise procurement has been asking for and no one has shipped end-to-end yet.

Our honest 5/7 coverage

We will not pretend to be complete. Here is PanGuard today, by layer, with the gaps:

• ●L1 Discover — 🟡 Gap. Central inventory dashboard ships Phase 2 (Q2 2026).
• ●L2 Audit — 🟢 Shipped. pga scan on MCP configs + SKILL.md, 311 ATR rules, 97.1% recall on NVIDIA Garak (666 adversarial prompts), 0.48% FP on 3,115 real-world samples.
• ●L3 Protect — 🟢 Shipped. Guard daemon, 11 response actions, 50ms median latency.
• ●L4 Detect — 🟢 Shipped. 3-layer funnel (rules → local AI → cloud AI), 90/7/3% split.
• ●L5 Deceive — 🟢 Shipped. Honeypot integrated in Guard daemon (trap-bridge.ts) — converts attacker sessions into security events without running a separate process.
• ●L6 Respond — 🟢 Shipped. Auto-block, IP quarantine, Slack/email alerts, playbook execution.
• ●L7 Govern — 🟡 Partial. Audit log + Threat Cloud are live today. 4-framework compliance mapping (EU AI Act / Colorado / NIST AI RMF / ISO 42001) lands Q2 2026. AIAM (Phase 5) Q3 2026.

We plan 7/7 coverage by Q3 2026. The timeline is on panguard.ai. No fake checkmarks.

Numbers that matter

The 311 ATR detection rules are not ours. They are the community's. We maintain the standard, the pipeline, and the benchmarks:

• ●311 rules, MIT-licensed, in the Agent Threat Rules repo
• ●97.1% recall on NVIDIA Garak (666 adversarial prompts)
• ●96.9% recall / 100% precision / 0% FP on 498 real-world skills
• ●Merged upstream into Microsoft Agent Governance Toolkit and Cisco AI Defense as of April 2026
• ●Plus five community security catalogs carrying ATR as the canonical detection reference
• ●NVIDIA Garak, SAFE-MCP, IBM mcp-context-forge, Meta PurpleLlama, Promptfoo, and OWASP LLM Top 10 PRs pending review

Seven ecosystem merges in six weeks — two Tier-1 upstreams (Microsoft, Cisco) and five community catalogs — is not us getting lucky. It is evidence that the detection layer wants a protocol, and ATR is filling that slot.

Why consolidation wins

In 2010, every endpoint had four agents: AV, firewall, IDS, DLP. CISOs hated it. CrowdStrike launched EDR, consolidated the stack, and now owns the category worth $100B+ in market cap. Consolidation won not because of a better product, but because of a better architecture. One agent, one console, seven functions.

Agent security in 2026 looks like endpoint security in 2010. Five vendors, five dashboards, five contract renewals, gaps between them that attackers find first. The Agent Security Platform category is about to consolidate in the same shape.

We are not predicting this. We are building it.

What to do next

If you ship agents:

• ●Community — npm install agent-threat-rules and run it in CI. Free. MIT.
• ●Team — panguard.ai/early-access to join the Team tier waitlist (Q2 2026, $500/mo, hosted).
• ●Business / Enterprise — [email protected] for on-prem, compliance reporting, AIAM, SLA.

Whatever protocol wins — MCP, ACP, A2A, something else — your defense rules should not have to be rewritten. The attack taxonomy is about the agent, not the transport. That is why we open-sourced the rules and build the platform on top.

KUAN-HSIN LIN is the founder of PanGuard and maintainer of the Agent Threat Rules open standard. Paper: [Zenodo DOI 10.5281/zenodo.19178002](https://doi.org/10.5281/zenodo.19178002). Contact: [email protected].