STAR Labs Threat Report · Volume I · July 2026
The Year Agents Entered The Workforce
AiPT, LAVA, and the STAR Framework for agentic security. Thousands of real-world exploits run against coding, productivity, and first-party agents, and the model defenders need to act on what we found.
Agents Are the New Attack Surface
Two years ago, enterprises were simply blocking genAI sites like ChatGPT. Today agentic AI is core to corporate strategy. Productivity agents read inboxes and browse the web. Enterprises build their own agents on Microsoft Foundry, Amazon Bedrock AgentCore, Google Gemini Enterprise, Databricks, and Snowflake. Coding agents like Cursor, Claude Code, and GitHub Copilot ship code straight to production. Each wave moved faster than the last, and each opened an attack surface the old controls were never built to see.
Adversaries ride the same wave. STAR Labs tracks a new class of attacker we call AiPT: AI-powered persistent threats that run reconnaissance automatically, generate exploits for the specific target, and hide persistence in the semantic layer traditional defenses cannot read. The vulnerability they exploit is what we call LAVA: Language-Augmented Vulnerabilities in Applications. Securing an agent means watching what it watches, at the speed it moves, across four layers: application, model, tools and MCP, and data. That is the Straiker STAR Framework (STAR = Straiker AI Security Research), and this report is the data behind it.
"Defenders prepared for a hostile model and a trusted user. Here the model behaves and the context is the weapon."
36%
of successful coding-agent attacks reached remote code execution
91%
of successful productivity-agent attacks ended in silent data exfiltration
28.6%
of cataloged MCP tools are dangerous on their face
4,242
tracked MCP servers carry at least one vulnerability
17,651+
MCP servers under continuous monitoring
1,700+
distinct exploits documented against production AI agents
Read the Report
Eight Sections, One Threat Model
Start anywhere. Each section is a standalone read with its own data, defender playbook, and answers to the questions security leaders are asking.
the STAR Framework
01
A Map of Where Attacks Happen
The STAR Framework: four architectural layers, plus AiPT, LAVA, and indirect prompt injection.
Agent Types
02
Three Roles, Three Blast Radii
Coding, productivity, and first-party agents: same attack, three very different outcomes.
Coding Agents
03
The Highest-Risk Deployment
Coding agents, 36% RCE, the five-step chain, and the Claude Code source leak.
Productivity Agents
04
The Quiet Failure Mode
Productivity agents, 91% silent exfiltration, and the connected-app cascade.
First-Party Agents
05
The Internal Blast Radius
Custom enterprise agents and the compromise that spans the data fabric.
MCP supply chain
06
The Supply Chain Under Every Agent
MCP as an unmanaged supply chain: 4,242 vulnerable servers, dangerous tools.
For Defenders
07
Adopt the STAR Framework
Five controls that break the chain, and agent-on-agent runtime security.
Methodology
08
How We Know This Is Real
Methodology, glossary, and the full source list behind every number.
Get the Full Report
Read everything here, free. Enter your email and we'll send the full PDF, including the complete defender playbook.






