Agents
Agentic AI Security: Defence Cost for Tool-Using LLM Agents
When the LLM gets tools, memory and autonomy, the prompt-injection attack surface multiplies. OWASP LLM06 (excessive agency) becomes the dominant risk.
LLM06
Dominant OWASP class for agents
5x
Typical attack-surface increase (illustrative)
Quote
Most agent-aware vendor pricing
Sandbox
Cheapest first-line defence
“An LLM-based system is often granted a degree of agency by its developer, the ability to call functions or interface with other systems.”
What changes when the LLM holds tools
- The prompt-injection attack can trigger a side-effecting tool call.
- Memory becomes a persistence vector for stored prompt injection.
- Identity-on-behalf-of patterns multiply: agent + user + tool + data owner.
- Indirect prompt injection from tool output (search results, email, code) hits the model.
Defensive layering
- 1Sandbox toolsRead-only default
- 2Guardrail input + outputTwo-sided filtering
- 3PAM for tool credentialsSee pamcost.com
- 4Human in the loopFor destructive actions
- 5Audit logPer tool call, to SIEM
Vendor cost premium
Agent-aware coverage is a quote-only segment. Specialists like Lakera, Pillar, Prisma AIRS, CalypsoAI and Cisco AI Defense list LLM06 in their feature pages but do not publish a number. Budget at least the cost of a non-agent guardrail subscription on top of your existing hyperscaler line.
For identity controls around tool credentials, see pamcost.com.
Last verified June 2026Source: vendor pricing pages. See /methodology.