I have to confess, I was initially a bit sceptical because of all the hype. There was so much noise within Cisco that I finally had to give it a try…
From search engine to agentic AI #
I started with plain generative AI. We have our own internal version called Circuit — secured, connected to the main models, and literally a free lunch: no quotas, no token limits, eat as much as you can.
Like everyone, I began by asking questions and using it as an advanced search engine. Then I saw the potential to actually build things with it and I literally embraced it. It was far from perfect at first — until I discovered agentic AI, initially with Claude Code, then OpenCode. That was a revelation.
The security landmines nobody warns you about #
Of course, it doesn’t come without interesting security issues. Here are two I stumbled across personally:
OpenClaw and the skill problem
I downloaded the source of OpenClaw when it was still called Clawdbot — not even to use it, just to investigate the architecture. That was already too much: as soon as the tool got a bit of traction, Cisco IT immediately wiped it from my disk. They didn’t want to take any risk.
The issue? The tool could download any random skill from the internet. A skill is just a set of instructions to achieve some goal — fine in principle. But skills can also be bundled with scripts to execute. Would you download a random executable from any corner of the internet? That’s essentially what was happening.
Hugging Face and Pickle Deserialization
This was a discovery I hadn’t anticipated. I was looking for a specialised model for local text-to-speech when I first came across pickle deserialization as a threat vector. Downloading a model from Hugging Face sounds harmless — until you realise that the pickle (.pkl) format used to serialise model weights can embed arbitrary code that executes on load. Hugging Face itself warns you about it. A malicious model would effectively be a malicious executable in disguise — something worth knowing before you start pulling models from random repositories.
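As an added illustration (not code from the original post), here is the kind of static check a defender can run before loading a downloaded .pkl: it disassembles the pickle stream with pickletools instead of calling pickle.load, and flags every module the stream would import that is not on an allowlist. The allowlist, the opcode groups and the three sample streams are constructed assumptions for the demo.

```python
import collections
import io
import pickle
import pickletools

# Modules a checkpoint is expected to reference (assumption: tune to your framework).
ALLOWED_MODULES = {"torch", "torch._utils", "collections", "numpy", "numpy.core.multiarray"}
# Opcodes that invoke a callable at load time; harmless only if the callee is trusted.
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
                  "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPCODES, PUT_OPCODES = {"GET", "BINGET", "LONG_BINGET"}, {"PUT", "BINPUT", "LONG_BINPUT"}


def scan_pickle(data: bytes) -> dict:
    """Disassemble with pickletools.genops (never pickle.load) and report the
    module.attribute references the stream would import on load."""
    found, strings, memo, last_value, calls = [], [], {}, None, 0
    for opcode, arg, _ in pickletools.genops(io.BytesIO(data)):
        name, value = opcode.name, None
        if name in STRING_OPCODES:
            value = arg
        elif name in GET_OPCODES:            # a memoised string pushed again
            value = memo.get(arg)
        elif name == "MEMOIZE":              # protocol 4: memo[next index] = top of stack
            memo[len(memo)] = last_value
            continue
        elif name in PUT_OPCODES:            # protocols 0-3: memo[arg] = top of stack
            memo[arg] = last_value
            continue
        elif name == "GLOBAL":               # protocols 0-3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif name == "STACK_GLOBAL" and len(strings) >= 2:   # protocol 4+: module, name pushed first
            found.append((strings[-2], strings[-1]))
        elif name in CALL_OPCODES:
            calls += 1
        if value is not None:
            strings.append(value)
        last_value = value
    suspicious = sorted({f"{m}.{a}" for m, a in found if m not in ALLOWED_MODULES})
    return {"globals": [f"{m}.{a}" for m, a in found], "load_time_calls": calls,
            "suspicious": suspicious, "safe": not suspicious}


# Constructed samples, not real model files.
BENIGN_WEIGHTS = pickle.dumps({"layer1.weight": [0.1, -0.2], "epochs": 3}, protocol=4)
ALLOWED_GLOBAL = pickle.dumps(collections.OrderedDict([("layer1.bias", [0.0])]), protocol=4)
# Hand-written protocol-0 stream (GLOBAL os.system, STOP): it would resolve the
# function object on load but never call it; it exists only to exercise the detector.
SUSPICIOUS_REF = b"cos\nsystem\n."
```

Running scan_pickle over the three samples reports no globals for the plain weights, an allowed collections.OrderedDict reference for the second, and os.system as suspicious for the third, all without executing anything from the streams.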
It is like we are back in the wild west — plenty of uncharted territory. At least OWASP has started mapping the landscape with a dedicated Top 10 for LLMs.
Cisco’s response: AI Defense #
Cisco is at the forefront here. Beyond Outshift doing foundational research and publishing the AGNTCY framework for agent interoperability, Cisco acquired Robust Intelligence — and that acquisition is what enabled shipping a serious product quickly: Cisco AI Defense.
At a high level, AI Defense addresses three problems:
- Model scanning — helps organisations evaluate and pick models with known safety profiles
- Shadow AI — discovers and controls unsanctioned AI usage across the organisation
- Runtime protection — guards against prompt injection, data leakage, and policy violations during daily use
The team moves fast. They keep releasing open source tooling on the Cisco AI Defense GitHub — including a skill scanner and an MCP scanner, both directly relevant to the OpenClaw problem above.
Cisco is also in the process of acquiring Astrix, a startup focused on non-human identity and AI agent security. Given that agentic AI introduces a whole new class of identity problems — agents calling APIs, spawning sub-agents, holding credentials — this is exactly the right space to be investing in.
AI as an attack accelerator: Project Glasswing #
As if all that were not enough, there is another dimension entirely. Project Glasswing is an Anthropic initiative that Cisco has joined alongside other major defenders. The premise is straightforward and alarming: AI models — in particular Anthropic’s unreleased Claude Mythos — are becoming remarkably capable at finding vulnerabilities at a scale and depth that legacy frameworks were never designed to handle.
The defenders get access to these capabilities first. But they will eventually reach attackers too, lowering the bar for less-skilled actors to launch complex, high-impact campaigns. The race is on. We already have the KEV catalogue to help prioritise what to patch first — that kind of triage is going to become even more critical.
This is also driving a renaissance in host-based protection. Cisco is back in the HIPS business (anyone remember Okena?) with Hypershield, leveraging eBPF to enforce controls at the kernel level — or even within the network fabric itself. The idea is that you can block a threat based on a compensating control in minutes, long before a patch is available or deployed.
Where this is going #
I will stop here, but the surface area is enormous. AI is already embedded in my daily work. I hope to find time to dive deeper into specific security topics as opportunities arise — and I will share what I learn here as I go.