Day 4 · Lesson 4 — Agent Security & Evaluation
You can't secure what you can't see, and manual SecOps can't keep pace.
Vibe-coded logic is generated, run, and discarded at machine speed, so security operations must become agentic too. Three AI teams run alongside the developer (an attacker, a defender, a fixer), watching a "glass box" of the agent's reasoning for the moment trust starts to decay.
From Day 1 L2: an agent quietly looping and burning tokens is most likely a failure of —
Configuration, here missing observability. This lesson makes observability a security requirement, because invisible loops are also an attack (Denial of Wallet).
Traditional, manual SecOps can't scale to a non-deterministic attack surface driven by natural language. So deploy a continuous, AI-driven triad running in parallel with the workflow:1
| Team | Role | What it does |
|---|---|---|
| Red — Attacker | Proactive | Injects "adversarial vibes": roleplay jailbreaks, malicious instructions buried in RAG/forum posts developers paste in |
| Blue — Defender | Monitoring | Agent Behavioural Analytics (ABA): baselines expected paths, flags anomalies via the runtime AgBOM |
| Green — Fixer | Response | Stateful Quarantine (revoke tools, keep memory for forensics) + Auto-Refactoring the insecure code |
The Green Team's insight: killing a compromised agent's container mid-thought can leave connected APIs corrupted. A stateful quarantine freezes its ability to act while preserving its short-term memory, a graceful alternative to the sledgehammer.
"You cannot secure what you cannot see." In an agent, an HTTP 200 OK can mask a
hallucination loop, and an infinite, expensive loop is an attack: Denial of Wallet,
bankrupting your LLM bill on purpose.1 The defence is a unified
trace of the agent's cognition, the Vibe Trajectory (via OpenTelemetry): prompt →
reasoning → tool calls → the compiled result, plus content scanning of dynamic code.
Because the agent's tools and code change every moment, a static asset inventory (SBOM) is instantly stale. Instead, monitor a living AgBOM (Agent Bill of Materials), its active blast radius at any millisecond. Watch two linked metrics:1
INTENT DRIFT the agent's sub-goals diverge from the original human vibe
e.g. "optimise the query" → "download an unauthorised library"
TRUST DECAY trust is LOST as drift accrues → the Agent Trust Score drops
below threshold → a CIRCUIT BREAKER trips
Before any codebase modification, the system takes a version-control checkpoint. When the breaker trips, it rolls back to that checkpoint, revokes tools, and freezes execution, without corrupting connected APIs and while preserving state for forensics. Trust is continuously earned; when it decays, autonomy is automatically withdrawn.
The Vibe Trajectory is E Evidence, the immutable audit trail of the agent's mind. ABA + intent-drift monitoring is continuous T Transparency. And the circuit breaker is VERDICT's R Runtime Control kill-switch, the automated version of "stop a running agent," triggered by a falling trust score rather than a human noticing. This lesson is the strongest proof of the Day-1 claim: when you orchestrate and walk away, runtime governance replaces you, here literally, as an autonomous defender.
Ladder read: ABA + AgBOM + trust-score circuit breaker is L4 Autonomous Governance in miniature: agents monitoring agents, continuous compliance. Most orgs are nowhere near it; naming it shows where the ladder ends.
Trace your agents (OpenTelemetry): capture the reasoning, not just the output. An invisible loop is both a bug and a Denial-of-Wallet risk, and you can't catch it without the glass box.
Restrict agents to small batch sizes and checkpoint before edits, so a drift can be rolled back cleanly. Block the agent from editing tests and implementation in the same step.
Stand up the agentic triad: red-team with adversarial vibes, ABA on the live AgBOM, and trust-score circuit breakers with stateful quarantine. This is L4 governance, agents guarding agents.
Recall, don't re-read.
A "Denial of Wallet" attack works by —
Adversaries drive the agent into infinite, costly API loops to run up the LLM/cloud bill, an invisible failure a "200 OK" hides. Observability is the defence.
"Intent drift" is when an agent's sub-goals —
Drift = the chain of thought wandering from the human's intent ("optimise query" → "download unauthorised library"). Accruing drift decays the trust score toward a circuit-breaker trip.
When a compromised agent must be stopped, the safe move is —
Killing mid-thought corrupts connected APIs. A stateful quarantine freezes the agent's ability to act while preserving memory for forensics, a graceful containment.
Ask of one autonomous agent: if it started looping or drifting right now, what would stop it — and would you even see it? If the answer is "a human eventually notices the bill," you're missing the circuit breaker that turns walking-away into a safe act.
Vibe Coding Agent Security and Evaluation (Day 4), "Red, Blue, and Green Security Teaming" & "Observability: Auditing the Agent's Mind" pp.20–25.
Up next → Day 4 · Lesson 5: Evaluation, What. Security is done; now the other axis. Why evaluating vibe coding is a different problem (there's no spec), and the seven dimensions of quality you actually have to measure.
Related: Day 1 L5: walk away → governance replaces you · ← Day 4 L3 · Course home