Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Agentic AI is quickly transitioning from experimentation to production. Enterprises are deploying AI agents to interpret goals, decide what actions to take, interact with business tools and APIs, and execute those actions autonomously, with limited or no human oversight. The promise is speed and efficiency, but the proverbial “blast radius” is bigger and fundamentally different from anything security teams have managed before.

Cato researchers have discovered a new indirect prompt injection exploit pattern workflow in BrowserOS (an open-source agentic AI browser). We named it “WebPromptTrap” because the prompt originates from untrusted web content and it traps users into approving an authorization step through a trusted-looking AI summary.

If your encrypted traffic was captured today, would it still be private in ten years? That question changes the conversation. Leaders are used to asking, “Is it encrypted?” Now they are asking, “How long does it stay confidential?” That is where post quantum cryptography, or PQC, comes in. Its role is to strengthen the foundations of a secure connection by improving how trust is established before any data is exchanged. Today’s encryption still works.

Every major technological shift reshapes the landscape, creating both winners and losers. AI will be no different. The key question is which companies are positioned to capture the value it generates, and which ones may fall behind as it unfolds. If you look at previous technology shifts, the winners were not always the companies building the most visible products. They were often the ones that enabled the shift to happen in the first place, or those that benefited from the structural changes it created.

Cato CTRL has discovered a q-based delivery technique used against an Italy-based consumer services company associated with PhantomBackdoor, a multi-stage WebSocket-based backdoor previously reported in a Ukraine-focused spear phishing operation by SentinelOne. In SentinelOne’s earlier reporting, initial access relied on phishing lures and a ClickFix-style flow that triggered a staged PowerShell and ended with a WebSocket backdoor.

AI has moved from experimentation to a strategic enterprise imperative. It’s no longer about whether organizations will adopt AI, but whether their security architecture can govern it at the speed and scale at which it is being embedded into the business. This is not a future concern. It is today’s operational mandate to: Securing AI is not limited to software applications and agents.

Agentic AI promises to improve work processes in all domains and industries. R&D is no different. Recently, Cato R&D built an internal self-evolving pull request (PR) review agent that keeps reviewers in flow by commenting only on high-impact, high-confidence issues, validating every change against its spec from the PR and Jira, and learning continuously from developer feedback through long-term, episodic memory. What were the results?

On February 28, 2026, Israel and the United States launched a joint attack against Iran. In retaliation, Iran launched its own attacks against Israel and US-allied countries and bases in the region. The escalation in the Middle East is ongoing. Cato CTRL is currently monitoring the threat landscape in the region.

Imagine two talented orchestras playing together, but without a conductor or a single score. You get noise, not music. M&A can be like that. The value lies in having every musician on the same page. Traditional networking slows M&A execution. Cato delivers a cloud-native foundation that securely connects the new organization from day one, aligns policies and workflows under a single framework, and helps leadership realize value faster.

Today, we published the 2026 Cato CTRL Threat Report, which is the second annual threat report on AI security from Cato CTRL (the Cato Networks threat intelligence team). In 2025, Cato CTRL uncovered a decisive shift in the AI threat landscape. Threat actors are no longer just exploiting AI systems. They are exploiting AI trust, workflows, and capabilities themselves.