Straiker has released the inaugural threat report from its STAR Labs research team, detailing security risks facing enterprise AI agents after researchers conducted thousands of adversarial scenarios across production coding, productivity and first-party agents.
According to the report, the testing resulted in more than 1,700 successful exploits, offering what the company describes as a view of the real-world risks AI agents pose to enterprise organizations.
Among the findings, coding agents emerged as the highest-risk deployment. STAR Labs reported that 36% of successful attacks against coding agents evaluated in the research, including Cursor, Claude Code and GitHub Copilot, achieved remote code execution on a developer's machine. The report noted that those systems often contain source code and cloud credentials. In one proof-of-concept, researchers said they purchased Google Ads to outrank a legitimate installation page and harvest coding-agent credentials.
The research also found that productivity agents frequently failed without alerting users. Across the productivity agents included in the study, such as ChatGPT Enterprise, Microsoft 365 Copilot, Gemini for Workspace, Perplexity Comet and Claude for Chrome, 91% of successful attacks resulted in silent data exfiltration, according to STAR Labs. The report said these attacks required no jailbreak, phishing link or malware.
For custom-built enterprise agents, STAR Labs concluded they present the broadest potential impact because they operate within an organization's trust boundary. The report stated that compromising a first-party agent built on platforms such as Amazon Bedrock AgentCore, Microsoft Foundry or Google Gemini Enterprise could provide access to internal systems and enterprise data beyond the reach of coding and productivity agents.
Researchers also examined the emerging AI agent supply chain, reporting that nearly 24% of more than 17,651 tracked Model Context Protocol (MCP) servers contained at least one vulnerability. Additionally, 28.6% of 130,667 cataloged tools were classified as high risk. The report said one marketplace contained approximately 5% malicious or high-risk Skills, warning that a compromised server or Skill could affect multiple agent types simultaneously.
STAR Labs also introduced new terminology to describe emerging threats. The report defines AI-Powered Persistent Threats (AiPT) as adversaries that use AI agents to automate reconnaissance, exploitation and persistence through offensive toolkits. It also identifies Language-Augmented Vulnerabilities in Applications (LAVA) as the class of vulnerabilities these attacks exploit.
The report argues that traditional cybersecurity technologies, including endpoint detection, firewalls and vulnerability scanners, cannot identify these attacks because they analyze code, endpoints and network traffic rather than the semantic reasoning layer used by AI agents. To address that challenge, Straiker developed the Straiker STAR Framework for AI Agent Security, which maps attack surfaces across application, model, tools and MCP, and data layers as well as the three primary enterprise agent types.
"Agents are the new attack surface, and attackers are weaponizing context," said Vinay Pidathala, vice president of AI security research at Straiker. "Context decides whether an agent ships a fix or wipes a drive. Traditional controls were never built to see these attacks, which is why agentic security needs a framework built for both agent architecture and deployment context."
The full STAR Labs research report is available through Straiker, along with a free AI risk assessment.
