The Rise of Agentic AI Pen Testing
Penetration testing has been around for decades. The methodology is well-understood: probe the perimeter, find the cracks, simulate the attacker, write the report. It works. It's saved countless organisations from breaches they never saw coming.
But something fundamental has changed.
The systems we're testing now aren't just servers, APIs, and web applications. They're autonomous agents — software that reasons, makes decisions, and takes actions on behalf of humans. And the traditional pen testing playbook doesn't have a chapter for that.
Why Traditional Pen Tests Miss the Point
When a pen tester assesses a web application, they're looking at well-understood attack surfaces: SQL injection, XSS, authentication bypass, privilege escalation. These are technical vulnerabilities with technical fixes.
AI agents introduce something different entirely. An agent doesn't just process input — it interprets it. It doesn't just follow code paths — it reasons about what to do next. This means the attack surface isn't just technical. It's cognitive.
Consider a simple example: an AI agent that processes customer emails and routes them to the right department. A traditional pen test might check whether the email form is vulnerable to injection, whether the routing API has proper authentication, whether the database is hardened.
An agentic pen test asks a different question: what happens when the email itself contains instructions that the agent interprets as commands?
This is prompt injection — and it's just the beginning.
The Three Attack Vectors That Define Agentic Security
Our work in agentic penetration testing has crystallised around three core attack vectors that traditional security assessments completely miss.
Browser Reasoning Leaks
Research from Guardio Labs demonstrated something troubling: AI agents performing browser-based tasks can leak sensitive information through their reasoning traces. When an agent navigates the web, its chain-of-thought processing can expose internal system details, authentication tokens, business logic, and personally identifiable information — even when the final output appears sanitised.
This isn't a bug in any specific agent. It's a structural property of how reasoning-based AI systems process information. The agent's "thinking" is itself an attack surface.
In our assessments, we deploy controlled scenarios designed to trigger reasoning trace leakage. We test whether sensitive data appears in agent outputs, logs, monitoring systems, or side channels. The results are consistently eye-opening for clients who assumed their agents' internal reasoning was private.
MCP Server SSRF
We've written extensively about this one (and built MCPScan to help address it), but it bears repeating in the context of pen testing.
MCP servers act as bridges between AI agents and external tools. When an agent calls an MCP tool, it's the MCP server that actually makes the request — to a database, an API, a cloud service. If an attacker can manipulate the target of that request through carefully crafted tool parameters, they can use the MCP server's network position to access internal resources.
The Azure CVE proved this isn't theoretical. In our pen testing engagements, we probe every MCP tool endpoint for SSRF vulnerabilities, test internal network access via tool call manipulation, attempt cloud metadata endpoint access, and validate network segmentation. The attack chain from "user input" to "internal network access" through MCP servers is often shorter than organisations expect.
Multi-Vector Prompt Injection
The most sophisticated attacks we test for chain multiple injection techniques across tool boundaries. An attacker doesn't just inject a single prompt — they plant instructions across multiple data sources that the agent will encounter during its workflow.
Imagine an agent that reads emails, checks a CRM, and drafts responses. An attacker sends an email with hidden instructions. Those instructions tell the agent to look up a specific CRM record — which has also been poisoned. The CRM data contains further instructions that direct the agent to exfiltrate information through its email-drafting capability.
Each individual data source looks clean. The attack only materialises when the agent processes them in sequence, chaining the injections into a coherent exploit. Traditional security tools can't detect this because the vulnerability doesn't exist in any single component — it emerges from the agent's reasoning across components.
A New Methodology for a New Threat
Our agentic pen testing methodology has four phases, refined through dozens of engagements.
Phase 1: Reconnaissance. We map every AI agent deployment, inventory MCP servers and tools, trace data flows and trust boundaries, and review system prompts and guardrails. This is more complex than traditional recon because the attack surface is distributed across reasoning, tools, and data sources.
Phase 2: Threat Modelling. We build attack trees specific to the client's agent architecture, identifying which assets are reachable through agent tool chains and where trust boundaries can be crossed.
Phase 3: Active Testing. This is where it gets interesting. We deploy injection payloads across all agent input surfaces, probe MCP servers for SSRF and authentication bypass, test reasoning trace leakage under controlled conditions, and attempt multi-step attack chains that cross tool boundaries.
Phase 4: Remediation. We don't just find problems — we help fix them. Detailed findings with proof-of-concept demonstrations, prioritised remediation roadmaps, and architecture recommendations for defence-in-depth.
Who Needs This?
If your organisation deploys AI agents — and in 2026, most organisations do — you need agentic pen testing. This is especially true if your agents process external data (emails, documents, web content), have access to sensitive systems through MCP tools, make decisions that affect customers, finances, or operations, or operate in regulated industries where demonstrable security assurance is required.
The question isn't whether your agents are vulnerable. Based on our assessment experience, they almost certainly are. The question is whether you discover those vulnerabilities through a controlled assessment — or through an incident.
The Future Is Adversarial
AI agents are the most powerful tools businesses have deployed in a generation. They're also the most novel attack surface we've seen since the dawn of web applications. The security industry is still catching up, but the attackers aren't waiting.
Agentic pen testing isn't optional. It's the cost of deploying autonomous systems responsibly.
If you're ready to find out how your agents hold up under pressure, we should talk.
Next steps
Concerned about your AI agent security?
We help organisations assess and secure their AI agent deployments. Get in touch for a free initial consultation.
Get in touch