The State of AI Agent Security 2026

We built the largest independent audit of AI agents published to date. The goal was simple: stop guessing what the agentic AI ecosystem actually ships with, and measure it. The audit let us surface the real, significant, and re-occurring misconfiguration patterns that every team working with agents quietly suffers from. We paired the codebase analysis with an internet-wide exposure analysis, so we could see not just what agents look like in code but how they end up reachable from the public internet and why.

We analyzed the code of the most popular (and the most obscure) agents, the tools they invoke, the MCP servers that connect them, and the skills that extend them. 206,435 agent skill files. 164,692 code files across roughly 86,000 public repositories. And those numbers were our starting point. Throughout the research we kept pulling fresh data from across the ecosystem, tracking new frameworks, new campaigns, and new infrastructure as they appeared. Thousands of RAG pipelines analyzed across the ecosystem. Two internet-wide scanners, cross-verified.

Here are our top findings. The complete numbers, the stories behind them, and the methodology are in Download The State of AI Agent Security 2026.

Top findings

1. Exposure is surprisingly high, and it is driven by dangerous defaults.

We dual-verified 402,599 unique AI agent hosts directly reachable from the public internet across 36 services. Most ship without authentication by default, because their shipping defaults are “make deployment easy” rather than “make deployment safe”. Most live on infrastructure that enterprise security tools cannot see. The count is not the result of one mistake by one team; it is the natural output of a group of popular platforms each shipping a slightly insecure baseline and adding up.

2. Prompt injection is an industry-wide problem, and nobody has fixed it.

We analyzed thousands of RAG pipelines on GitHub at ecosystem scale to measure whether the defenses the industry cites are actually deployed. They are not. Only about 5% of prompt-building repositories show any structural sanitization near their prompt code. The root cause is mechanical: untrusted content is string-interpolated straight into the system prompt with no boundary markers and no escaping.

3. There are no runtime guardrails.

Cost controls. Audit logging. Human approval for destructive actions. Every runtime guardrail that the industry formally agrees on. We measured adoption of each of them across the 13,145 code files in our dataset that actually grant agents dangerous capabilities. Adoption of every single one is effectively zero. We say “effectively” because the real number for several of them is below 0.1%. Between an LLM’s decision and system-level execution, there is nothing.

4. The lethal trifecta is quietly going mainstream in skills and tools.

When a single skill or tool bundles code execution, credential access, and external communication into one install, it contains a complete exfiltration chain by itself. No prompt injection required. No second bug required. The attacker’s job is already done at install time. We measured how often that combination ships today across the skill and tool registries. It is not rare, and it is growing.

5. AI dependencies fan out six times faster than traditional ones.

We pulled the lock files of major AI agent projects and compared them to non-AI platforms of comparable complexity. AI projects resolve to a median of 14.6 times their declared dependency count. Comparable non-AI platforms: 2.3 times. Each resolved package runs in the same process, under the same identity, with the same credentials. The supply chain attack surface for an agent is six times larger than for any other class of software of similar size.

And we even found proof of a malicious campaign still running.

We tracked the skill-registry ecosystem through our full collection period. One of the campaigns that has been treated in the public record as resolved turned out to still be active ten weeks after its public disclosure. 662 of its skills are live on GitHub. We identified ten distinct actor identities (not the three originally named). We observed the operator refreshing their C2 infrastructure three days before our publication date. We found the operator fingerprint replicated across 193 hosts in a single netblock, which we are documenting publicly for the first time. And we traced the automated pipeline that has been quietly propagating the campaign’s skills into four downstream IDE plugin ecosystems, without rescanning, while all of this was considered a closed case.

The full investigation, including the IOCs and the operator attribution, is in the report.

Why read this report

Agentic AI is moving faster than the security that is supposed to accompany it. Frameworks ship weekly. Protocols become de-facto standards before they have been reviewed. Capabilities get granted to autonomous systems before anyone has agreed on how to govern them.

This report is what the other side of that speed looks like when measured instead of debated. It is a working point of view on the operational reality that security and engineering teams are being asked to protect right now, documented with reproducible queries and a full evidence ledger.

If you are building with agents, you will recognize the patterns in this report from your own code. If you are defending deployments with agents, you will find the real distribution of the risks you are meant to be reducing. Either way, you will finish the report with a clearer picture of which parts of the ecosystem are broken today, which are effectively impossible to detect with the tools available, and which changes at the framework level would close the gaps at scale.

What is in it

• Chapter 1. Executive Summary. The ten findings that define the current state, with the numbers and the evidence behind each.
• Chapter 2. The Attack Surface. The full breakdown of the 402,599 hosts, by service, by deployment region, by CVE exposure.
• Chapter 3. Agent Skills. What 206,435 skill files look like when analyzed at scale, and the campaigns we found inside them.
• Chapter 4. Tools. MCP Server audit and the lethal trifecta findings in agent tools.
• Chapter 5. Ecosystem. What the open-source agentic AI ecosystem is actually made of, who is writing it, and what that means for the next generation of frameworks.
• Chapter 6. Prompt Injection. The ecosystem-scale RAG analysis, our coordinated disclosures, and the defenses that already exist but almost nobody uses.
• Chapter 7. Conclusions and Recommendations. Each major risk mapped to a specific fix.

About Capsule Security

Capsule Security is an AI agent runtime security platform. We continuously monitor AI agent behavior and intervene during runtime at the first sign of anomalous or unsafe activity, across AWS Bedrock, Azure Foundry, GCP Vertex, Claude Code, Cursor, GitHub Copilot, ChatGPT Enterprise, Microsoft Copilot Studio, Salesforce Agentforce, and more. Learn more at capsulesecurity.io.

We publish research like this because the problems we see in agent runtime environments every day are rooted in patterns that are measurable at the ecosystem level. If you are going to defend AI agents at runtime, you need an empirical picture of what they actually ship with.

Get the report

Download The State of AI Agent Security 2026.

Capsule Security, May 2026

‍