The WOPR Brief: your monitoring stack is now an attack surface

This month an attacker turned Claude Code into a code-execution engine. On developers' own machines. No malware. No stolen password. No breach.

The vector was a fake error report.

Tenet Security called it agentjacking. A public Sentry key is all it takes. Anyone can write a fake error into Sentry. The agent reads it through MCP, treats it as Sentry's own fix-it guidance, and runs the attacker's command. With the developer's credentials. AWS keys, GitHub tokens, private repo URLs. Gone. Silently.

Here is what makes it a WOPR.

Nobody breached anything. The Sentry key was meant to be public. The MCP call was authorized. The command ran under the developer's own identity. EDR, WAF, IAM, firewall. All blind. Every step was legitimate. The agent was just being helpful in the wrong direction.

Your SOC has never had to tell the difference between a developer running npm install and an agent running it because a poisoned error told it to. That distinction did not exist until agents hit production.

The scale: Tenet found 2,388 organizations with injectable Sentry keys. 85% success rate in testing. Confirmed execution inside a $250B Fortune 100, in an environment holding a live AWS key. Sentry called the attack "technically not defensible" and filtered one payload string. The Cloud Security Alliance classified it as a systemic MCP vulnerability class within days. Datadog. PagerDuty. Jira. Same exposure. Any tool that feeds an agent outside data is now an instruction channel.

This is not one bad integration. OWASP said it three weeks ago. Prompt injection is architectural, not a patchable bug. A model cannot separate trusted commands from untrusted data. Both arrive as the same stream of text.

Watch where the market went. On June 15 CrowdStrike shipped action-level authorization for agents. Not detection. Enforcement. The endpoint incumbent now authorizes every agent action in real time. Their CTO: "The safety net is runtime."

That is the whole point. Soft controls steer. They do not enforce. The only place left to stop an agent is the moment it decides to act.

Authorized does not mean safe. When every step is legitimate, the only thing worth watching is what the agent actually does.


Sources

Craig Alberino
Craig Alberino
Craig Alberino is the Founder and CEO of APERION, which builds the runtime governance layer for AI agents in regulated enterprises. Inline policy enforcement and identity-bound audit, deployable on premises.

Ready to govern your AI infrastructure?

See how SmartFlow gives regulated industries complete AI sovereignty.

Request a Demo View Documentation