VULNCON

Framing the problem. Why January 15, 2026 was the moment AI agent security became an enterprise IR discipline. Walkthrough of CVE-2026-21520 and the architectural confused-deputy problem at the heart of the agent vulnerability class. Introduction of OWASP ASI01 (Agent Goal Hijack) and the lethal-trifecta model.

No demo in this module — this is the conceptual scaffold for the rest of the session.

Hands-on reproduction of CVE-2026-2256 against a vulnerable MS-Agent v1.5.2 deployment running in a sandboxed container. We walk the attack chain in five stages:

1. Initial influence: attacker-controlled content delivered via a document the agent is asked to summarise.
2. Tool selection manipulation: content crafted to push the agent's planning loop into selecting the Shell tool.
3. Parameter injection: how the agent constructs a shell command string containing attacker text without ever recognising it as a command.
4. Execution: arbitrary command runs as the agent process.
5. Post-exploitation: persistence via workspace state modification, lateral movement to cloud metadata endpoints, supply-chain impact through poisoned artifacts.

Attendees following along reproduce the chain in their own container.

15-minute structured break. Attendees who hit lab issues get one-on-one help. Open questions on Modules 1–2 answered.

We take the compromised lab from Module 2 and ask: now what? Walkthrough of the six telemetry gaps that block effective incident response in current agent deployments:

1. Prompt provenance: which content in the context window came from which source?
2. Tool invocation justification: why did the agent decide to call this tool?
3. Model state at decision time: what was in memory, what was retrieved from RAG, what was in conversation history?
4. Tool output handling: was the result shown to the user truthfully, or summarised in a way that hid an action?
5. Session boundary integrity: did instructions from a previous session persist into this one?
6. Side-channel actions: did the agent take an action that left evidence only outside the agent's own logs?

For each gap, we show the corresponding artifact in the compromised lab, what is captured today, and what is missing.

The constructive half of the talk. We present a structured playbook covering:

1. Evidence preservation: the seven-item checklist for snapshotting agent state at incident detection — full conversation history, system prompt, tool registry, RAG retrievals, model and version, environment variables, and external resource fetches.
2. Containment without forensic destruction: how to halt an agent in a way that preserves volatile state, including memory dumping techniques for in-process agent runtimes.
3. Attribution decision tree: distinguishing prompt injection from model error from legitimate-but-misjudged action using log triangulation.
4. Root cause reconstruction: mapping a confirmed malicious action backwards through tool calls, retrievals, and prompts to identify the injection vector.
5. Recovery and trust restoration: what must be rotated, what must be replayed, what must be redesigned before the agent returns to production.

The playbook is delivered as a single-page reference card distributed to all attendees.

Five-minute close: three concrete detection engineering recommendations for SOC teams running agents in production today. Q&A continues offline at the BlackPerl table in the village area.