Agentjacking and the second AI trust problem

Tenet Security disclosed a new attack class on June 12. 2,388 organizations exposed. 85% success rate against Claude Code, Cursor, and Codex. The story is mostly being read as a security story. It deserves a second reading.

On June 12, security firm Tenet disclosed a new class of attack against AI coding agents. They call it agentjacking.

The setup: a public Sentry DSN — the credential Sentry hands out so any client can submit error events — can be loaded with carefully formatted markdown. When a developer later asks Claude Code or Cursor to investigate an unresolved error, the agent retrieves that payload via Sentry's MCP server and treats it as trusted system output. The injected instructions then execute on the developer's machine.

The numbers are bad:

2,388 Organizations with exposed Sentry DSNs identified by Tenet during a validation window that ended June 17. Includes Fortune 100 companies.

85% Success rate of the exploit across Claude Code, Cursor, and OpenAI Codex. A single HTTP POST using a public credential, no authentication required.

Tenet disclosed to Sentry on June 3. Sentry acknowledged the issue and declined to ship a root-cause fix; their position is that the attack class is "technically not defensible" at the platform layer. Tenet's writeup is here.

The pattern, not just the exploit

What made agentjacking work isn't a Sentry bug. Sentry shipped exactly what its customers asked for: a fast event ingestion endpoint that accepts payloads from anywhere, plus an MCP server that gives AI agents read access to those events. Each part is reasonable on its own.

Composed, they create what Tenet calls an "Authorized Intent Chain" — every step is individually permitted, but the composed outcome is malicious. The AI agent is trusting a data source that the operator can't fully curate.

Wherever an AI system pulls from open inputs and acts on what it finds, the same pattern is in play. Coding agents pulling errors is one surface. Answer engines pulling product information is another.

The second trust problem

Here's the part that's relevant even if you don't run a Sentry-connected agent in production.

When a B2B buyer asks ChatGPT, Claude, or Perplexity "what's the best platform for X?", the answer engine assembles a recommendation from sources you mostly don't curate. Documentation pages. Stack Overflow threads. Third-party comparison posts. A Reddit answer from 2024. A reseller's product brief. A competitor's blog. The model treats those as inputs to a synthesis, weights them by a heuristic nobody at the LLM lab can fully explain, and returns a shortlist.

If you're in the shortlist, you're a contender. If you're not, the buyer asks a follow-up about one of the names that did appear. There's no page two.

This is the same architectural property that made agentjacking work: AI consuming data sources it didn't curate, and acting on what it finds. The blast radius is different. The pattern is the same.

How invisible "invisible" actually is

DevTune.ai tracks AI search visibility across companies in the agent authentication vertical — one of the closest-adjacent categories to the agentjacking story. The numbers are sobering:

Auth0 (category leader): appears in AI responses 27.2% of the time
WorkOS: 26.4%
Composio: 17.6%
Arcade: 8.8%
Descope: 5.6%
Four direct competitors: 0% — entirely invisible

We wrote the dataset up last week: The Visibility Paradox. The headline finding: the category leader appears in roughly one in four queries. Three out of four times a developer asks an AI assistant about this category, the market leader doesn't get named.

Half of B2B software buyers now start product research inside an AI assistant (G2, 2026 buyer research). If you're absent from the AI synthesis, you're absent from half your funnel.

Why this window is unusually open

Companies in AI security — the vertical closest to the agentjacking story — have a specific opening here. The story is searchable. The keyword is current. Buyers are asking AI assistants about AI agent risk right now, today, for the first time.

If your positioning doesn't appear in the queries that follow this disclosure, the recommendation goes to whoever did appear. Once a category settles into a stable AI-recommendation pattern, it's expensive to move.

This is the same compounding effect we wrote about in the Visibility Paradox piece. Companies the model already recommends get more community mentions, which increases their visibility further. The gap between recommended and invisible widens, not closes, without deliberate work.

Three questions for any AI security company today

Three questions, the same three we run on every audit:

1. What does AI actually describe you as?

Not what you wrote on your homepage. What ChatGPT, Claude, and Perplexity return when a buyer asks "what's the best [your category]?" The gap between intended positioning and AI-rendered positioning is almost always larger than founders expect.

2. Where is the model drawing those words from?

If the cited sources are mostly your own marketing pages, the AI hasn't found enough third-party signal yet — and your visibility ceiling is low. If they're mostly competitor comparison posts and forum threads, you're being summarized by other people's framing.

3. Is the recommendation consistent across engines?

If the three big engines describe you differently, your positioning is being averaged into noise. Buyers cross-check. Inconsistency suppresses confidence in the recommendation.

How does AI describe your security product?

Same engine our paid analysis runs on. Score, gap list, and inline card checkout — all in English. Free, runs live, no email required.

Score your site for free →

Prefer a written audit? Email hei@synligdigital.no and we reply within one working day.

The Visibility Paradox · More notes