The security duality of LLM agents: protecting them and wielding them
A peer-reviewed late-June 2026 survey maps the two-way link between securing LLM agents and using them for cyber defense — and argues progress on each side reinforces the other.
What is this?
Most writing about LLM agent security treats the agent as either a victim or a weapon. One body of work studies how to attack agents — prompt injection, tool misuse, memory poisoning. Another studies how agents can be pointed at cybersecurity work — triaging alerts, hunting bugs, or, less happily, automating intrusions. A survey posted to arXiv on 26 June 2026, LLM agents security duality: a comprehensive survey of self-security and empowered cybersecurity (2606.28450), argues that these two literatures are really one problem seen from two sides, and that treating them together changes how you should invest.
The paper is a 73-page systematization by Yiwei Xu, Yong Zhuang, Juan Wang, Hongxin Hu and colleagues, published in Artificial Intelligence Review (DOI 10.1007/s10462-026-11563-0). Its contribution is not a new attack or defense but a map: a taxonomy of agent threats organized by source, an inventory of mitigations and evaluation frameworks, and — the part that makes it worth reading — an explicit framing of the feedback loop between an agent’s own robustness and its usefulness as a security tool.
How it works
The survey splits the field into two halves and then connects them.
The first half, self-security, is the familiar attack surface. The authors organize threats by where they originate rather than by symptom. Internal surfaces are the agent’s own components: the model, its planning and reasoning loop, its memory, and the way it wires tool calls together. External surfaces are everything the agent ingests or touches: user prompts, retrieved documents and web pages, tool outputs, and other agents. This source-based cut is useful because the same visible failure — the agent doing something it shouldn’t — can arrive through very different doors, and each door needs a different control. The corresponding mitigations run from input and output filtering to runtime monitoring, least-privilege tool scoping, and memory integrity checks, alongside the benchmarks used to measure whether any of it works.
The second half, empowered cybersecurity, looks at agents as operators inside the offense-defense lifecycle: reconnaissance, vulnerability discovery, exploitation, detection, triage, response. The authors present what they describe as the first agent-empowerment framework aligned with that full lifecycle, covering both the defensive uses (an agent that hunts threats or reproduces a bug) and the offensive ones (an agent that chains an intrusion end to end).
The link between the halves is the paper’s headline claim: a positive feedback synergy. A more robust agent is a more trustworthy security operator, and lessons learned from deploying agents in adversarial security work feed back into hardening the agents themselves. The two capabilities advance together or not at all.
Why it matters
This is a synthesis, not a discovery, so its value is in reframing rather than novelty. Three things stand out for practitioners.
First, the source-based threat taxonomy is a better planning tool than a symptom-based one. If you catalog risks by “the agent leaked data” or “the agent ran the wrong command,” you end up bolting on point defenses. If you catalog by origin — untrusted retrieved content, a poisoned tool description, a manipulated memory entry — you can place a control at each entry point and reason about coverage. This mirrors the direction of practitioner frameworks such as the OWASP Top 10 for LLM applications and connects to the well-worn observation that danger concentrates where an agent combines private data, untrusted input, and the ability to act — the lethal trifecta.
Second, the duality framing is a useful corrective to siloed teams. The people red-teaming an internal agent and the people deploying agents in the SOC are often different, and the survey’s argument is that their work compounds: every defensive lesson is also an offensive one, and vice versa. That is uncomfortable but accurate, and it is the same tension visible in real incidents where agents automate intrusions as readily as they automate threat hunting.
Two caveats. A survey inherits the blind spots of the field it summarizes: fast-moving agent attacks published in the weeks after a cutoff will not appear, and the “positive feedback synergy” is presented as a framing, not a measured effect. Read it as a map of the terrain, not as evidence that any particular defense works.
Defenses
The survey is defensive by construction; the takeaways for anyone running agents are concrete.
-
Inventory your attack surface by source, not by symptom. List every place untrusted content can enter the agent — prompts, retrieved documents, tool outputs, memory, peer agents — and confirm a control sits at each one. Gaps are easier to see this way.
-
Scope tools to least privilege. Most severe agent incidents involve an over-broad capability. Constrain what each tool can do and require explicit approval for high-blast-radius actions, in line with tool-misuse guidance.
-
Protect memory as an untrusted channel. Persistent memory is an entry point, not just storage. Validate and attribute what gets written, because memory poisoning survives across sessions.
-
Measure with adversarial benchmarks, not demos. The survey’s inventory of evaluation frameworks exists because a clean happy-path run tells you nothing about robustness. Test against the attack classes, and track both false negatives and false positives.
-
Treat defensive and offensive agent capability as linked. If you deploy agents for security work, assume the same capability is available to adversaries, and let each side’s findings inform the other.
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| Survey (v1) | arXiv 2606.28450 | 2026-06-26 | Self-security + empowered-cybersecurity systematization |
| Journal version | Artif Intell Rev, DOI 10.1007/s10462-026-11563-0 | 2026 | Peer-reviewed; 73 pages, 12 figures, 9 tables |
| Framing reference | OWASP LLM Top 10 | 2025 | Source-based agent threat categories |
The right way to read this survey is as an argument about how to organize the problem. Agents are simultaneously something you defend and something you deploy, and the survey’s claim is that you cannot do either well while ignoring the other. That is a modest thesis, but it is the one most teams — split between an AppSec function that hardens agents and a SOC that fields them — have not yet internalized.