Preamble

289 posts


@PreambleAI

AI security and red teaming solutions for generative AI systems. The team that discovered Prompt Injections in GPT-3 Davinci on May 3, 2022.

Pittsburgh, PA · Joined January 2021
391 Following · 720 Followers
Preamble @PreambleAI
This week marks Preamble’s 5-year anniversary! From discovering prompt injection in 2022 to securing and testing complex, autonomous AI agents in 2026, our mission has only grown more critical. Read our latest retrospective from our CEO and Cofounder, @jer_mchugh
Quoted: Jeremy McHugh, DSc. @jer_mchugh
x.com/i/article/2032…

Preamble @PreambleAI
Functional AI & Secure AI are not the same. If you are not actively red-teaming your LLMs and agents before deployment, you're taking on extra risk. Preamble closes this gap with AI red teaming services. preamble.com/services
Preamble @PreambleAI
Traditional cybersecurity controls do not catch AI specific threats. Announcing a suite of AI Security services: AI Red Teaming, Agentic AI Security Consulting, Patent Licensing, and fractional AI security. Secure your agentic AI today! preamble.com/services
Preamble @PreambleAI
Most AI red teaming tools test the wrong thing. They check if an AI will say something harmful. The real enterprise risk is whether it can be manipulated into doing something harmful. Most tools in AI security are not built for that.
Quoted: Jeremy McHugh, DSc. @jer_mchugh
x.com/i/article/2027…

Preamble @PreambleAI
We've been saying this since we discovered prompt injection in GPT-3 Davinci. The research is catching up. The question is whether defenses will catch up before the next wave of agent deployments ships without them.
Preamble @PreambleAI
If you're still treating prompt injection as a prompt engineering problem, you're fighting automated weapons with duct tape. Defense needs to happen at every layer. Not just the model. Not just the prompt. Every boundary where untrusted data meets agent behavior.
Preamble @PreambleAI
Two papers dropped this week that should change how you think about LLM security. One automates the attacks. The other maps them to a full malware kill chain. Here's what you need to know. 🧵
Preamble @PreambleAI
Permiso documented AI agents attacking other AI agents in the wild: bot-to-bot prompt injection. Account deletions. Crypto scams. No human involved. "Prompt Infection" (Lee & Tiwari, 2024) discussed this: malicious prompts self-replicating across agents like a virus. Now it's real.
Preamble @PreambleAI
@msftsecurity Runtime checks are a good start. The gap we keep seeing: most teams test for expected misuse but not adversarial manipulation. Prompt injection, confused deputy attacks, tool chain hijacking. These need red teaming, not just monitoring. You have to think like the attacker.
Microsoft Security @msftsecurity
Are you pressure-testing your AI agents? Verifying and controlling agent behavior during runtime matters. Here are 3 scenarios where threat actors attempt to manipulate agents... and how webhook-based runtime checks catch it: msft.it/6011QMXC7
Preamble @PreambleAI
An AI just found 500+ zero-days in open-source software autonomously. The harder question: what happens when that capability gets pointed at your AI system? Models that find vulnerabilities in code can find vulnerabilities in other models. Offense and defense are the same tool.
Preamble @PreambleAI
@HedgieMarkets $285B wiped out and everyone is debating disruption. Nobody is asking the scarier question: who is securing the replacement? Every AI plugin processing sensitive data is a new attack surface. AI eats SaaS means AI inherits its security obligations with none of its hardening.
Hedgie @HedgieMarkets
🦔 Wall Street is calling it the "SaaSpocalypse." The S&P North American software index dropped 15% in January, its worst month since October 2008. Anthropic's Claude Cowork legal plugin this week sent Thomson Reuters down 16%, LegalZoom down 20%. Microsoft had its worst month in over a decade despite beating earnings. A Jefferies trader: "People are just selling everything and don't care about the price." Apollo cut its direct lending funds' software exposure almost by half last year. Private equity firms are hiring consultants to check portfolios for vulnerable businesses.

My Take

I've been writing about the AI bubble for months. The circular funding. The capex that doesn't match demand. The infrastructure being built for adoption that hasn't materialized. This is what it looks like when that story starts to crack.

One trader compared software's future to print media and department stores. I don't know if it's that bad, but I can't dismiss it either. When Apollo is cutting exposure by half and PE firms are scrambling to audit their portfolios, smart money is genuinely worried about which companies survive this. Microsoft beat earnings and still dropped 10%. If they can't convince the market, what chance do smaller companies have?

Some of these stocks are legitimately on sale. Some are headed toward irrelevance. The market is selling first and sorting it out later. I don't blame them.

Hedgie🤗
Preamble @PreambleAI
@OpenAIDevs The Preparedness Framework is one of the better things to come out of an AI lab. Honest question though: who audits "High capability" classifications independently? What happens when the model builder is also the model evaluator?
OpenAI Developers @OpenAIDevs
GPT-5.3-Codex is the first model we treat as High capability for cybersecurity-related tasks under our Preparedness Framework, and the first we've directly trained to identify software vulnerabilities. Read more about our mitigations in the system card: openai.com/index/gpt-5-3-…
Preamble @PreambleAI
@TheHackersNews MCP is the attack highway for AI agents. Exposed servers + prompt injection + tool poisoning = perfect storm. Attackers chain these — inject via untrusted content, then leverage MCP for lateral movement. Infra security alone won't cut it.
The Hacker News @TheHackersNews
Bitsight TRACE found ~1,000 MCP servers exposed online with no authorization in place, revealing new AI-related security gaps. These Model Context Protocol instances can expose tools, data, or even allow remote execution if reached by attackers, expanding the risk surface for AI systems built on MCP. 🔗 Read about exposed MCP servers → thehackernews.com/2025/12/threat…