AI Coding Tools Must Prioritize Built-In Security for Agentic Era
▼ Summary
– AI agents enabling hundreds of daily code changes require security to be embedded into the act of coding, not added as a later stage.
– AI agents introduce four attack surfaces: input, tools, execution, and output, which traditional security tools cannot handle.
– The exploitation window has collapsed due to powerful frontier models like Mythos, reducing time-to-exploit to minutes.
– AppSec must use security agents working alongside coding agents for continuous, autonomous pentesting, review, and fixes.
– The goal is to reduce mean time to resolve vulnerabilities from weeks to hours and achieve 100% autonomous security checks for merged changes.
Security must be built directly into AI coding tools to address the growing dangers of agentic development, according to Ox Security. Speaking at Infosecurity Europe on June 4, the vendor’s field CTO, Boaz Barzel, argued that traditional application security was designed for human-paced workflows. That model relied on pen testing at the end of a monthly delivery cycle. But now, AI agents enable hundreds of code changes per day in a continuous loop, making security a feature that can no longer be added as an afterthought.
“The idea is that security isn’t a stage in the pipeline; it’s a property of the act of creation itself,” Barzel told attendees. “We’re trying to shift left, but there’s no longer ‘left’ left to shift to. We have to shift into the agent.”
Barzel identified four distinct attack surfaces introduced by AI agents that conventional tools cannot manage. The first is input, covering any instructions like prompts, guidelines, or protocols entering the agent from developers, upstream agents, or threat actors. Next are tools, including MCP servers, models, skills, and external SaaS connections, both shadow and authorized, which could be weaponized to exfiltrate data, inject instructions, or pivot laterally. The third surface is execution, involving both human-triggered and autonomous agents running without visibility, enforcement, or accountability. Finally, output refers to vulnerable or destructive code leaving the agent at machine speed without human review, such as path traversal, injection, backdoors, or exfiltration logic.
These risks are amplified by the collapse of the exploitation window. Powerful frontier models like Mythos can reduce time-to-exploit to minutes, while the sheer volume of code generated by AI tools overwhelms traditional defenses.
To make application security fit for the agentic AI era, Barzel said it must be embedded in the building loop, contextual, and operating continuously. This means security agents work alongside coding agents, with every commit pentested and every fix reviewed and validated autonomously. The system reasons about what has changed, what is exposed, and what risk it introduced, making it predictive rather than reactive.
“In this case, security stops being a department. It becomes a behavior of the system,” Barzel added.
The goals include reducing mean time to resolve (MTTR) vulnerabilities from weeks to hours, achieving 100% coverage of autonomous security checks for merged changes, and cutting the time a known risky path remains reachable in production before being gated or fixed. Most issues should be autonomously fixed and validated, with humans only needed for more complex or novel problems.
New agentic coding risks continue to surface. In May 2026, for instance, a critical vulnerability was discovered in the Cline Kanban server that could allow threat actors to silently hijack AI coding tools.
(Source: Infosecurity Magazine)
