March 2025
From: Brian, Tobias, and Gaby
Subject: The case for agentic security
Hi all,
Welcome back to the BT&G infra newsletter.
The M&A markets had a major burst with Google’s acquisition of Wiz for $32B, a staggering number, especially considering the fact that the company started in 2020. Wiz’s ascendence was daunting, sending fear into the bones of cyber founders and investors. Now, however, we’re ravenous. What is the next Wiz-scale business?
Agents?
Agents cut to the heart of the AI promise - a world where humans direct computers to accomplish a wide array of complex, multi-threaded tasks on our behalf, endowing upon us superpowers. Innovations like inference-time compute and MCP have made agents more attainable. Computer use and products like Deep Research seem like the next logical evolution of everyday AI, with more powerful agents arriving soon.
With this will come great risk. The A.I. Futures Project has shared some bleak perspectives – they predict that by 2027, powerful, opaque agents may manage the operations and execution of the biggest companies in the world. Agents just might be the catalyst to a world where “powerful artificial intelligence systems are becoming smarter than humans, and are wreaking havoc on the global order.”
As agents eat labor, the breadth and scale of this change will be bigger than the cloud. And so too will be the security challenges. A Wiz-like solution that takes into account why these assets are different than they were before needs to exist.
There are compelling parallels between cloud security and agent security.
Agents give software the ability to reason, decide, and act—much like humans—while introducing new forms of risk. Agents are neither people nor traditional applications, but they behave like both: using apps, navigating workflows, and pursuing goals. Sometimes they’ll have interfaces; other times, they’ll operate behind the scenes, interacting with software through new protocols like MCP.
The same core assets—logic, data, identities—will exist in the agentic plane, but their behavior and exposure will be fundamentally different. Securing them will require new solutions, just as cloud demanded its own security model.
There is going to be a lot of competition in this market – the end-to-end AI security platforms (e.g. Aim Security, Protect AI, Prompt Security, etc.) will vie for this. Non-human identity companies (e.g. Astrix, Clutch Security, Entro, Oasis Security) will as well (claiming agents are just a new type of non-human identity). Amidst the competitive existing landscape, there still is opportunity for new entrants.
Where is the opportunity for agentic security?
There are two closely related opportunities in agentic security we believe startups can build upon: authentication/permissions & agent misuse.
The first security problem arising from the use of agents is authentication and permissioning. We use this to specifically refer to agents accessing applications, be they first-party or third-party applications, and the data residing in those applications. When human beings log into applications, they are required to provide authentication information to access their specific view and information within the app they want to access. Agents, which will access apps and utilize data in those apps to perform various tasks, will need the same kind of functionality. There have long been “service accounts” that function as non-human identities talking between applications.
However, what is new is that agents will scan through apps, extract data, make changes, and move information to other apps. These actions will be powered by non-deterministic models, adding unpredictability to what agents do in real-time. This increases the sensitivity of getting authentication correct. The more complex the agent, the more sensitive it becomes and the more necessary it is to have robust and well-tested authentication.
The second opportunity is agentic misuse. Misuse may arise because, by way of an agent, malicious actors can gain access to sensitive data and the capability for risky behaviors. For example, those spam emails that we receive from “people we know” are things that humans likely understand not to engage with, but agents, without full context, might open malicious contents and expose the underlying systems to risk. An agent doesn’t have a brain in the traditional, human sense, and will be easy to manipulate in the short- to medium-term. Protecting against these risks is top of mind for CISOs and an opportunity for security startups.
In order to protect agents, new solutions will need to hybridize three traditional types of security (identity, application, and data) into one thing. As a result, whether existing solutions will be sufficient is unclear. Consider the issues with all of them as they pertain to agents:
As a result, agents really are a new class of application. But perhaps instead of being yet another fragmented attack surface on a CISO’s list, they can actually be a consolidating force across existing practice areas. Identity, application, and data security may be more consolidated than they are today. Maybe agents will be a way to consolidate what is fragmented, and merge the best of identity, application, and data security in a context that requires all three.
Day 0 of the Revolution
We have said this many times in our newsletter, but it remains true today: we are still so early. If Wiz taught us anything, it is that the winner in a platform shift is not necessarily the first-mover. Wiz emerged many years after the cloud became prominent. Agents have not yet really even arrived, so crowning a winner is premature. We do think that the agentic security winner will come sooner than Wiz did – AI apps are scaling and the market is moving much faster than for cloud – but agents are still so nascent.
A CISO of a multi-billion dollar financial services company recently told us the following about agentic security:
It is definitely early days. Most CISOs are still looking to adopt a “current generation” AI security solution that handles generative AI. Layering on yet another solution for agentic AI is going to be a tough sell… Human beings are unpredictable. Human beings have the same access. We have tools to identify anomalous human activity. It is not entirely clear how I am going to sell a new tool that does the same thing for AI agents. And – It may take a couple of real life incidents before anyone takes the risk seriously. Nobody wants to be the first to pay for a tool that addresses a theoretical problem.
We take feedback like this seriously, of course. But with AI, security can be a gating factor to even shipping a product. For this reason, we’re leaning in hard on security solutions that enable AI to get to production.
As always, all feedback, thoughts and companies are welcome.
Until next time,
BT&G