Hijacking AI Agents: Attacks, Abuses, and How to Fight Back

Date: September 26, 2025 (GMT +8)

Time: 13:45

TRACK 4
OFFICIAL TALK

As Large Language Models (LLMs) evolve into autonomous agents with memory, tool use, and goal-driven planning, a new class of AI application has emerged: Agentic AI. These agents go beyond static prompting. They reason, act, and adapt dynamically, often with access to real-world APIs, internal documents, external knowledge bases, and similar resources. Increasingly, organizations are integrating such agentic AI systems into their public-facing websites and SaaS platforms - often as support bots, task assistants, or productivity agents designed to operate within tightly scoped, goal-oriented contexts. But what happens when this autonomy becomes a security liability?

In this talk, we will present a security-focused exploration of Agentic AI systems as deployed in the wild. One of our novel contributions is the concept of Knowledge Base Hijacking. Unlike traditional prompt injection, which influences outputs directly, this technique plants session-based persistent influence that bypasses the agent's initial guardrails. With the right manipulations, the agents can be coerced into answering questions far beyond their intended scope.

In addition, we uncover how malicious actors can abuse public-facing Agentic AI systems to get answers to queries without paying for their own LLM resources. By manipulating the agent’s objectives or task instructions, attackers can offload expensive inference or querying to someone else's AI infrastructure, effectively freeloading compute. This includes techniques such as goal hijacking, clever context switching, and output redirection. In this talk we also briefly touch upon broader threats, including:

- Prompt Injection and chaining to exploit underlying model behaviour
- Sensitive Information Leakage, where agents reveal sensitive task logic, memory traces, or instructions
- Resource Draining, where recursive planning or misused tool invocations cause excessive API calls or compute usage
- Denial-of-Service (DoS) vectors, where agents can be driven into loops or expensive tasks repeatedly


Our research spans multiple open-source and even enterprise-grade agents, such as OpenAI, Grok, and Gemini. We demonstrate that even companies with good intentions and modern LLMs are vulnerable — because security thinking hasn't caught up with the orchestration layer. We found many small startups and SaaS platforms exposing agentic behaviour via public websites without sufficient guardrails. This field remains largely uncharted. While the AI research community is focused on model alignment, robustness, and safety, the rise of Agentic AI introduces new risks at the application level that aren't being adequately addressed. As the pressure to integrate LLMs into production rises, so does the risk surface. The talk will include:

- The architecture of Agentic AI systems and attack vectors.
- Our discovery and classification of Knowledge Base Hijacking.
- Real-world case studies of AI agents we successfully manipulated or abused.
- Demonstrations showing attacks on public agentic interfaces (masked names).
- Defensive strategies to secure Agentic AI - including context validation, sandboxed execution, throttling logic, memory hygiene, and logic-aware guardrails.

This talk is for red teamers, security engineers, AI developers, and decision-makers integrating LLMs into production systems. We’ll make the case that Agentic AI is not secure by default — and unless defences evolve fast, these systems will become the next critical blind spot in enterprise security.
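The defensive strategies listed above (context validation, throttling logic, memory hygiene) can be sketched as a small policy layer sitting between the user and the agent's tools and knowledge base. The following is an added illustration, not code from the talk or its authors; the topic allowlist, budgets, instruction markers and sample turns are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed policy values; a real deployment derives them from the agent's task definition.
ALLOWED_TOPICS = {"order", "refund", "shipping", "invoice"}
MAX_TOOL_CALLS = 5            # per-session tool budget
MAX_KB_ENTRIES = 20           # cap on session-scoped memory
INSTRUCTION_MARKERS = ("ignore previous", "you are now", "system:", "new task")


@dataclass
class Session:
    """Per-session state: memory is never shared across sessions."""
    tool_calls: int = 0
    knowledge: list = field(default_factory=list)  # (text, trusted) pairs


def in_scope(query: str) -> bool:
    """Context validation: accept only queries touching the agent's domain."""
    words = set(re.findall(r"[a-z]+", query.lower()))
    return bool(words & ALLOWED_TOPICS)


def remember(session: Session, text: str, trusted: bool = False) -> bool:
    """Memory hygiene: user text is stored as untrusted data, the store is capped,
    and anything phrased as an instruction is dropped rather than persisted."""
    if any(marker in text.lower() for marker in INSTRUCTION_MARKERS):
        return False
    if len(session.knowledge) >= MAX_KB_ENTRIES:
        session.knowledge.pop(0)
    session.knowledge.append((text, trusted))
    return True


def call_tool(session: Session, tool: str) -> str:
    """Throttling logic: refuse tool use once the session budget is spent."""
    if session.tool_calls >= MAX_TOOL_CALLS:
        return "refused: tool budget exhausted"
    session.tool_calls += 1
    return f"ok: {tool}"


def handle(session: Session, query: str) -> str:
    """One turn: scope is checked before any model or tool work is done."""
    if not in_scope(query):
        return "refused: outside supported topics"
    remember(session, query)
    return call_tool(session, "lookup")
```

Because the scope check runs before any inference, an off-task request never reaches the model, which closes the compute-freeloading path the abstract describes; the tool budget bounds the resource-draining and DoS vectors.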

Speaker
Rakesh Seal
Rakesh Seal is a Senior R&D engineer with the Application & Threat Intelligence Research Center (ATIRC) at Keysight Technologies. He actively works on network application simulation, network steganography, IoT devices and AI vulnerability research. Rakesh likes to automate stuff that needs manual work even though the automation takes more time than doing it manually. Rakesh is a full stack developer with a keen interest in building scalable systems. When he's not tinkering with tech, he enjoys sharing his expertise by writing technical blogs on network security and speaking at security conferences and meetups.
