Infosecurity Europe: AI Coding Tools Need Built-In Security for Agentic Development Era

Security must be embedded directly into AI coding tools to mitigate emerging risks associated with agentic development, Ox Security has claimed.

Speaking at Infosecurity Europe on June 4, the vendor’s field CTO, Boaz Barzel, explained that traditional application security was built for human-paced delivery.

That meant pen testing at the end of the monthly delivery cycle. However, AI agents now enable hundreds of code changes per day in a continuous cycle, meaning security can no longer be a bolt-on, Barzel argued.

“The idea is that security isn’t a stage in the pipeline; it’s a property of the act of creation itself,” he told attendees. “We’re trying to shift left, but there’s no longer ‘left’ left to shift to. We have to shift into the agent.”

AI agents introduce four distinct attack surfaces that traditional tools are not equipped to handle, Barzel explained:

  • Input: Any instructions (eg prompts, guidelines, protocols) entering the agent – be they from developers, upstream agents or threat actors
  • Tools: MCP servers, models, skills and external SaaS connections (shadow and authorized) which could be weaponized to exfiltrate data, inject instructions or pivot laterally
  • Execution: Both human-triggered and autonomous agents running without visibility, enforcement or accountability
  • Output: Vulnerable or destructive code leaving the agent (eg path traversal, injection, backdoors, exfiltration logic) at machine speed without human review

These challenges are compounded by the collapse of the exploitation window thanks to powerful frontier models like Mythos, which could reduce time-to-exploit to minutes, and by the sheer volume of code that AI tools can generate.

Understanding the Auto-Pentest Loop

To make appsec fit for the agentic AI era, it must be embedded in the building loop, contextual and operating continuously, said Barzel.

This means security agents working alongside coding agents, with every commit pentested and every fix reviewed and validated autonomously. The system reasons about what has changed, what is exposed and what risk it introduced, so that it is predictive, not reactive, he explained.

“In this case, security stops being a department. It becomes a behavior of the system,” Barzel added.

The aim is for:

  • Mean time to resolve (MTTR) vulnerabilities to fall from weeks to hours
  • 100% coverage of autonomous security checks for merged changes
  • Reduction in the time a known risky path is reachable in production before being gated or fixed
  • Most issues to be autonomously fixed and validated, with humans only needed to assess more complex or novel issues

New agentic coding risks are being uncovered on a regular basis. For example, in May 2026, a critical vulnerability was discovered in the Cline Kanban server which could allow threat actors to silently hijack AI coding tools.
