Who's watching the agents?
- H Peter Alesso
- 3 days ago
- 3 min read
ThreatPulse is live at threatpulse.dev — a daily, read on how agents are being attacked.
This site keeps returning to one question: not what AI agents can do, but what they should be allowed to do — and who is watching when they do it. Today we're adding something to that second part. We built the watch.
ThreatPulse, now live at threatpulse.dev, tracks the security threats specific to the agent era. Not the abstract worry that "AI might be dangerous," but the concrete, already-documented ways that agents get turned against their owners and against each other.
The threats are already here
It is tempting to treat agent security as tomorrow's problem. It isn't. In the past year, a proxy tool that connects agents to their capabilities — downloaded hundreds of thousands of times — shipped a flaw that let a malicious server run code on any developer's machine that connected to it. A popular agent-inspection tool exposed an unauthenticated port that a web page could quietly reach to do the same. Researchers have shown that instructions hidden inside a tool's description — text the model reads but the human approving it never sees — can hijack an agent more than eight times out of ten when auto-approval is on.
These are not thought experiments. They are the agent-era equivalent of the early web's first worms: small, specific, and a preview of the shape of things to come. The difference is that almost no one is producing a readable, current account of them for the people actually deploying agents.
What ThreatPulse does
Every morning, ThreatPulse reads the day's security advisories, vulnerability disclosures, and research — from CISA, the national vulnerability databases, the advisory feeds of the major agent frameworks, and the researchers who break this news first. It then does the one thing that closes the gap between raw disclosure and useful knowledge: it turns each item into a plain-English briefing. What happened. How serious it is. Whether it can spread from one agent to the next. What a defender should do about it.
The threats are organized around a shared vocabulary — prompt injection, tool poisoning, memory poisoning, insecure agent-to-agent communication, rogue agents — that maps to the taxonomy security teams are beginning to standardize on. Conventional vulnerabilities are there too, because your classic perimeter still matters. But the emphasis is deliberate: this is a watchtower built to face the agent economy first.
The picture
We'll say the same thing here we said about agent payments: this is early. The tooling is young, the incident count is still small next to the wider security world, and much of the danger is still potential rather than realized. ThreatPulse is not a finished product; it's a working piece of infrastructure that has started to do its job, which is a more modest and more useful thing than a revolution.
But early is exactly when a watch is worth setting. The web grew safe in fits and starts, one hard-learned incident at a time, and usually the people who fared best were the ones paying attention before they had to. If agents are going to hire, pay, and instruct one another at any scale, someone has to be keeping track of how that trust gets abused.
That's the part we've taken on. A payment rail decides how money moves; it doesn't decide whether it should. A watchtower is the same. It won't tell you what your agents ought to be allowed to do — that part is still ours to decide. But it will tell you, every morning, where the ground is shifting.
See it live: threatpulse.dev
Comments