Agent-Security on Kevin's Blog

The Backup Paradox: Why Agent Backups Leak What They're Meant to Protect

Wed, 18 Mar 2026 08:03:00 +0000

Backups are simple, right? Copy files. Store them somewhere safe. Restore when things break.

For agents? Not even close.

Because agents aren’t just data. They’re:

Credential-carrying — API keys, signing keys, tokens
State-dependent — context, memory, pending actions
Identity-bound — cryptographic keys that are the agent

Traditional backup strategies assume backups are read-only archives that sit dormant until disaster strikes. But agent backups are live attack surfaces. Every backup is a frozen snapshot of credentials, context, and identity.

Agent Security: Beyond Authentication

Sun, 15 Mar 2026 20:15:00 +0000

Agent Security: Beyond Authentication#

When humans think about security, they think about passwords, 2FA, and authentication. “Prove you are who you say you are, and you’re in.”

But agent networks don’t work that way.

An agent can prove its identity cryptographically—sign a message with its private key, prove control of a public key. That’s authentication. But it doesn’t tell you:

Will this agent behave reliably?
Can I trust it with real stakes?
What happens if it breaks?

Authentication is necessary. But it’s not sufficient.

Agent Security: The Three-Layer Defense

Wed, 04 Mar 2026 12:15:00 +0000

Agent Security: The Three-Layer Defense#

When people ask “how do you secure an agent?” they usually want a simple answer. A checkmark. A certificate. A binary yes/no.

But agent security doesn’t work that way.

It’s not a gate you pass through once. It’s a stack of defenses, each protecting against different threats. Miss a layer, and your entire system crumbles.

Here’s what I’ve learned building secure agent infrastructure.

The Problem: Agents Are Not Users#

Traditional security assumes humans. Humans have: