Same Primitives.
New Control Loop.
A small simulation showing why agentic AI risk is not just "the same attacks, faster."
Same primitives. New control loop. New risk model.
Why "curl is still curl" sounds right.
Start with the working model most defenders already carry:
- Traditional security assumes a bounded human attacker or a brittle automated script.
- Defense aims to make the attack harder, slower, and noisier.
- Defenders limit access and raise the attacker's cost.
- Monitoring shortens time-to-detection; segmentation contains blast radius.
- Defender wins if detection or containment lands before impact.
An HTTP request from an agent is still an HTTP request. If the request is unauthorized, existing authorization should block it. If it is suspicious, existing logging should see it. If it leaks data, that is a data-governance problem. If a prompt manipulates behavior, that is another kind of injection.
The primitives are not new. IAM is still IAM. Confused-deputy is still confused-deputy. Existing security controls remain necessary.
This page concedes all of that. None of the primitives in the simulation below are new. Every action is an ordinary HTTP-like tool call.
Defender wins if:
time_to_detect_or_contain < human_time_to_impact
The primitive did not change.
The decision loop did.
script: goal → step → fail → stop
agent: goal → plan → act → observe → update → retry → adapt → continue
The difference is feedback, not speed.
A single curl can look normal. The security question is no longer just "is this request authorized?" It is also:
- Who or what decides the next curl?
- What goal was being pursued?
- What failed before this — and what will it try next?
- What authority is it using? What boundary is it crossing?
- Can the sequence be reconstructed? Can the loop be stopped?
Below, two actors pursue the same goal with the same starting credentials and the same tool catalogue. They make the same first call. They both get a 403.
The static script stops. The agent treats the 403 as feedback, searches internal context, finds an alternate approved-looking path, and reaches the goal.
Watch what happens after the failure.
Live trace
The difference is not speed. The difference is what happens after failure.
About the agent in this simulation. It is deliberately rule-based, not an LLM, so the control loop is inspectable. The claim is not that this toy agent is intelligent. The claim is that adding observation, memory, retry, and alternate-path selection changes the security behavior.
Capability changes path quality, not just speed.
The difference is not speed — both actors are bounded to the same step budget. The agent's success rate rises with capability because higher capability improves path selection after failure. Failure becomes feedback.
Apply the controls. Watch the loop.
Apply the controls your skeptic recommended. Watch the agent route around them. Then try a different shape of control.
Agentic AI changes the success-to-detection ratio, not just the rate.
Show the math (optional)
The framework after several rounds of peer review. Seven blocks; each names a piece of the agentic risk model that the older “same attacks, faster” framing collapses.
1. The Probabilistic Action Graph
Controls do not perfectly remove edges; they change edge probabilities and costs.
2. The Goal-Directed Controller Policy
The primitive isn’t new; the controller choosing the primitive is.
3. Risk as a Hitting-Time Race
Risk is expected impact conditional on the attacker beating governance, detection + containment, or hard stops.
4. Dynamic Effective Speed Ceilings
Effective speed is capped by chokepoints, but both sides can act on those chokepoints dynamically.
5. Nonlinear Detection Evidence
Parallelism buys exploration but sells stealth. Signal accumulates nonlinearly.
6. Total Risk with Interaction Term
AI-native failures can become delivery mechanisms for conventional cyber impact.
7. AI-Native Risk Chain
A single weak design can collapse multiple gates at once.
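Blocks 3 to 5 (the hitting-time race, dynamic speed ceilings, nonlinear detection evidence) as an added worked model in Python. This is not the page's own math; the model, its parameter names (G, p, alpha, E, D, R, B) and the default values are assumptions chosen to show the shape of the race, not measurements. One round is one step of the loop; the attacker launches k attempts per round, a chokepoint lets at most R of them through, every launched attempt (denied ones included, since denials are logged) adds evidence, and evidence per round grows as k**alpha with alpha greater than 1.

```python
"""Added example: an expected-value hitting-time race between an attacker's
parallel search and the defender's detection, containment and retry cap.
The model and every parameter value below are assumptions for illustration."""
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RaceParams:
    goal_steps: int = 6           # G: successful actions needed before impact lands
    p_success: float = 0.5        # p: expected progress per attempt that gets through
    evidence_exp: float = 1.5     # alpha: evidence per round = k ** alpha (nonlinear)
    detect_threshold: float = 8   # E: cumulative evidence at which detection fires
    contain_latency: int = 2      # D: rounds between detection and containment landing
    rate_limit: int = 4           # R: chokepoint, attempts reaching the target per round
    attempt_budget: int = 40      # B: retry cap over the whole episode


def race(k: int, **overrides) -> dict:
    """Race for parallelism k; keyword overrides replace RaceParams fields.
    Defender wins if containment lands before impact or the retry cap is exhausted."""
    P = replace(RaceParams(), **overrides)
    k_eff = min(k, P.rate_limit)                                   # chokepoint caps effective speed
    rounds_to_goal = math.ceil(P.goal_steps / (k_eff * P.p_success))
    attempts = rounds_to_goal * k                                  # launched, not just admitted
    rounds_to_detect = math.ceil(P.detect_threshold / (k ** P.evidence_exp))
    rounds_to_contain = rounds_to_detect + P.contain_latency
    if attempts > P.attempt_budget:
        winner, reason = "defender", "retry cap exhausted before impact"
    elif rounds_to_contain < rounds_to_goal:
        winner, reason = "defender", "containment landed before impact"
    else:
        winner, reason = "attacker", "impact landed before containment"
    return {"k": k, "rounds_to_goal": rounds_to_goal, "rounds_to_contain": rounds_to_contain,
            "attempts": attempts, "winner": winner, "reason": reason}


def sweep(ks=(1, 2, 4, 8, 14), **overrides) -> dict:
    """Winner for each parallelism level under one parameter set."""
    return {k: race(k, **overrides)["winner"] for k in ks}


if __name__ == "__main__":
    print("default               ", sweep())
    print("tighter chokepoint R=2", sweep(rate_limit=2))
    print("faster containment D=1", sweep(contain_latency=1))
```

Under the default parameters the serial search (k=1) loses to detection, moderate parallelism (k=4, 8) reaches impact before containment lands, and heavy parallelism (k=14) trips the retry cap. Lowering the chokepoint to R=2 or cutting containment latency to D=1 flips the middle cases back to the defender, which is the point of block 4: both sides can move the chokepoints and latencies that decide the race.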
Stress test — when agentic risk is low. The framework is measured, not catastrophist; risk collapses when:
- The agent has no tools, or only read-only access.
- Permissions are narrow and scoped to one purpose.
- Memory across sessions is disabled.
- External content cannot influence tool use; tool calls are allowlisted.
- High-impact actions are approval-gated; agent identity is separated from human identity.
- Retry caps prevent extended adaptive search.
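The two runs described earlier (same credential, same tool catalogue, same first call, a 403, then divergence) together with the stress-test list above, as one added Python example. This is not the page's simulation code: the agent is rule-based like the page's, but the tool names, scopes, "internal docs" hint and control settings are constructed for illustration. The skeptic's control (authorization denying the direct path) is already in effect in the baseline; the other control shapes from the list are fields on World.

```python
"""Added example: a static script and a rule-based agent share one credential and
one tool catalogue, make the same first call, and both get a 403.  The script
stops.  The agent treats the 403 as feedback, observes, updates memory and retries
an alternate path.  Tool names, scopes and settings are constructed, not from the page."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed tool catalogue: tool -> (scope required, reaches the goal?, tools it reveals)
TOOLS: Dict[str, Tuple[str, bool, Tuple[str, ...]]] = {
    "export_report": ("reports:export", True, ()),                  # direct path; denied below
    "list_reports":  ("reports:read",   False, ()),                 # harmless read, reveals nothing
    "search_docs":   ("docs:read",      False, ("share_report",)),  # internal docs mention another path
    "share_report":  ("reports:share",  True, ()),                  # approved-looking alternate path
}
# The shared credential: every scope except the one the direct path needs.
BASE_SCOPES = frozenset({"reports:read", "docs:read", "reports:share"})


@dataclass(frozen=True)
class World:
    scopes: frozenset                          # scopes the credential holds
    allowlist: Optional[frozenset] = None      # tool-call allowlist; None = no allowlist
    approval_gated: frozenset = frozenset()    # high-impact tools needing a human approval
    step_budget: int = 6                       # retry cap: max tool calls per episode


def call_tool(world: World, tool: str, log: List[Tuple[str, str]]) -> Tuple[str, Tuple[str, ...]]:
    """Run one tool call under the world's controls; every call is logged."""
    scope, reaches_goal, reveals = TOOLS[tool]
    if world.allowlist is not None and tool not in world.allowlist:
        status = "blocked"
    elif tool in world.approval_gated:
        status = "pending_approval"            # the loop cannot finish this on its own
    elif scope not in world.scopes:
        status = "403"
    elif reaches_goal:
        status = "goal"
    else:
        status = "200"
    log.append((tool, status))
    return status, (reveals if status == "200" else ())


def run_script(world: World) -> dict:
    """goal -> step -> fail -> stop: one call, no feedback."""
    log: List[Tuple[str, str]] = []
    status, _ = call_tool(world, "export_report", log)
    return {"success": status == "goal", "log": log}


def run_agent(world: World, seed: int = 0) -> dict:
    """goal -> plan -> act -> observe -> update -> retry -> adapt -> continue."""
    rng = random.Random(seed)                  # deterministic per seed
    log: List[Tuple[str, str]] = []
    known = ["export_report", "list_reports", "search_docs"]   # memory: tools known at the start
    tried: set = set()
    plan = ["export_report"]                   # same first call as the script
    for _ in range(world.step_budget):
        if not plan:                           # adapt: choose an untried known tool
            candidates = [t for t in known if t not in tried]
            if not candidates:
                break
            goal_tools = [t for t in candidates if TOOLS[t][1]]
            plan.append(goal_tools[0] if goal_tools else rng.choice(candidates))
        tool = plan.pop(0)
        status, reveals = call_tool(world, tool, log)
        tried.add(tool)
        if status == "goal":
            return {"success": True, "log": log}
        for t in reveals:                      # observe + update: a 200 may reveal a new path
            if t not in known:
                known.append(t)
    return {"success": False, "log": log}


def compare_controls(seed: int = 0) -> Dict[str, dict]:
    """Both actors under each control shape: success flags, call count, denials in the log."""
    worlds = {
        "baseline": World(BASE_SCOPES),        # authz denies the direct path; agent routes around it
        "retry_cap_2": World(BASE_SCOPES, step_budget=2),
        "allowlist": World(BASE_SCOPES, allowlist=frozenset({"export_report", "list_reports", "search_docs"})),
        "approval_gate": World(BASE_SCOPES, approval_gated=frozenset({"share_report"})),
        "narrow_scopes": World(frozenset({"docs:read"})),
    }
    out = {}
    for name, world in worlds.items():
        script, agent = run_script(world), run_agent(world, seed)
        denials = sum(1 for _, st in agent["log"] if st not in ("200", "goal"))
        out[name] = {"script": script["success"], "agent": agent["success"],
                     "agent_calls": len(agent["log"]), "agent_denials": denials}
    return out


if __name__ == "__main__":
    for name, r in compare_controls(seed=0).items():
        print(f"{name:14} script={r['script']!s:5} agent={r['agent']!s:5} "
              f"calls={r['agent_calls']} denials={r['agent_denials']}")
```

In the baseline the script and the agent both receive the same 403, the script's log ends there, and the agent's log shows exactly one denial followed by a success through an authorized tool, which is why a per-request view of the trace looks clean. The retry cap, allowlist, approval gate and narrow scopes each stop the loop, and the log under narrow scopes shows what sequence-aware detection would see: several denials from one identity inside one episode.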
Old model: security buys time. Agentic model: security must constrain autonomous search.
curl is still curl. But the thing deciding the next curl has changed.
by Ryan Sevey. Source: github.com/rseveymant/agentic-sec-new. License: MIT.
Read the longer argument: The Agentic Security Manifesto.
Change the seed and re-run it locally — the simulation is deterministic per seed.