Independent reference. We are independent of every vendor listed. No affiliate links. No sponsored placements.
Agents

Agentic AI Security: Defence Cost for Tool-Using LLM Agents

When the LLM gets tools, memory and autonomy, the prompt-injection attack surface multiplies. OWASP LLM06 (excessive agency) becomes the dominant risk.

LLM06
Dominant OWASP class for agents
5x
Typical attack-surface increase (illustrative)
Quote
Most agent-aware vendor pricing
Sandbox
Cheapest first-line defence
An LLM-based system is often granted a degree of agency by its developer, the ability to call functions or interface with other systems.
OWASP LLM Top 10 2025 LLM06 entry, genai.owasp.org

What changes when the LLM holds tools

  • The prompt-injection attack can trigger a side-effecting tool call.
  • Memory becomes a persistence vector for stored prompt injection.
  • Identity-on-behalf-of patterns multiply: agent + user + tool + data owner.
  • Indirect prompt injection from tool output (search results, email, code) hits the model.

Defensive layering

  1. 1
    Sandbox tools
    Read-only default
  2. 2
    Guardrail input + output
    Two-sided filtering
  3. 3
    PAM for tool credentials
    See pamcost.com
  4. 4
    Human in the loop
    For destructive actions
  5. 5
    Audit log
    Per tool call, to SIEM

Vendor cost premium

Agent-aware coverage is a quote-only segment. Specialists like Lakera, Pillar, Prisma AIRS, CalypsoAI and Cisco AI Defense list LLM06 in their feature pages but do not publish a number. Budget at least the cost of a non-agent guardrail subscription on top of your existing hyperscaler line.

For identity controls around tool credentials, see pamcost.com.

Last verified June 2026Source: vendor pricing pages. See /methodology.