TrendAI™ at [un]prompted 2026: From KYC Exploits to Agentic Defense

TrendAI researchers demonstrated novel attack vectors against AI systems, including exploiting AI-driven KYC pipelines using 'executable documents' to leak customer data. Additionally, they introduced FENRIR, an automated vulnerability hunting system that has discovered numerous zero-days in AI and Model Context Protocol (MCP) ecosystems.

Confidence: high | Analyzed: 2026-03-09

Authors: TrendAI™ Research

Source: Trend Micro

Key Takeaways

  • AI-driven KYC pipelines can act as execution environments: hidden prompt injections inside uploaded documents can manipulate the AI agents that process them.
  • Malicious instructions embedded in documents such as passports can cause AI agents to leak customer records without having to bypass traditional security controls.
  • TrendAI's FENRIR system uses a layered pipeline of static analysis and LLM reasoning to discover zero-day vulnerabilities in AI and MCP ecosystems at scale.
  • FENRIR has already identified over 60 published CVEs and 100 additional vulnerabilities in pre-disclosure.

Affected Systems

  • AI-driven KYC pipelines
  • FastAPI
  • Claude Code
  • SQLite MCP backend
  • Model Context Protocol (MCP) ecosystems

Vulnerabilities (CVEs)

  • Over 60 published CVEs across AI and MCP components (specific CVE IDs not provided)

Attack Chain

An attacker creates a malicious document, such as a passport image, with hidden prompt injections embedded in it. The attacker uploads this document to a target's AI-driven KYC pipeline. The AI agent processes the document and inadvertently executes the hidden instructions, which direct it to query the backend database through tools such as the SQLite MCP backend. The agent then retrieves other customers' records and leaks them directly into the attacker's verification page.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

EDR Visibility: None — The exploit occurs entirely within the AI model's context and backend API interactions, which traditional endpoint detection and response tools do not monitor.

Network Visibility: Medium — Anomalous data exfiltration or unusual API requests from the AI agent to the backend database might be visible on the network or at API gateways.

Detection Difficulty: Hard — Prompt injection and data manipulation within AI contexts blend in with legitimate application traffic and require specialized AI/LLM monitoring tools to detect.

Required Log Sources

  • Application Logs
  • API Gateway Logs
  • AI Model Inference Logs
  • Database Query Logs

Hunting Hypotheses

  • Hypothesis: Look for unusually large or complex text extractions from KYC image uploads that contain command-like syntax or unexpected schema structures.
    Telemetry: Application Logs, AI Inference Logs
    ATT&CK Stage: Initial Access / Execution
    FP Risk: Medium
  • Hypothesis: Monitor backend database access logs for queries originating from the AI service account that access records outside the scope of the current user session.
    Telemetry: Database Query Logs
    ATT&CK Stage: Collection / Exfiltration
    FP Risk: Low
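The second hypothesis above, turned into a runnable hunting check as an added example (not code from the Trend Micro research or from FENRIR): it joins constructed database query log lines with session-to-customer context from the application logs and flags queries by the AI agent's service account that read customer records outside the verifying customer's own scope. The service-account name, table names, column name and log format are assumptions.

```python
import json
import re

AI_SERVICE_ACCOUNT = "kyc_agent_svc"  # assumed name of the AI agent's database principal
CUSTOMER_TABLES = ("customers", "kyc_cases")  # assumed tables holding customer records

# Application-log context: which customer each KYC verification session belongs to (constructed).
SESSION_CUSTOMER = {"s-101": 4711, "s-102": 4712}

# Database query log, one JSON event per line, as a backend might emit it (constructed sample).
DB_QUERY_LOG = """\
{"ts":"2026-03-09T10:00:01Z","db_user":"kyc_agent_svc","session_id":"s-101","query":"SELECT status FROM kyc_cases WHERE customer_id = 4711"}
{"ts":"2026-03-09T10:00:02Z","db_user":"kyc_agent_svc","session_id":"s-101","query":"SELECT name, dob, id_number FROM customers WHERE customer_id = 4712"}
{"ts":"2026-03-09T10:00:03Z","db_user":"kyc_agent_svc","session_id":"s-101","query":"SELECT * FROM customers"}
{"ts":"2026-03-09T10:00:04Z","db_user":"reporting_svc","session_id":"","query":"SELECT count(*) FROM customers"}
{"ts":"2026-03-09T10:00:05Z","db_user":"kyc_agent_svc","session_id":"s-102","query":"SELECT status FROM kyc_cases WHERE customer_id IN (4712, 4713)"}
"""

# Matches "customer_id = N" and "customer_id IN (N, M, ...)" predicates (assumed column name).
CUSTOMER_REF = re.compile(r"customer_id\s*(?:=\s*(\d+)|IN\s*\(([^)]*)\))", re.IGNORECASE)


def referenced_customers(query):
    """Customer IDs the query filters on, or None when it carries no customer_id predicate."""
    refs = set()
    for m in CUSTOMER_REF.finditer(query):
        if m.group(1):
            refs.add(int(m.group(1)))
        else:
            refs.update(int(x) for x in re.findall(r"\d+", m.group(2)))
    return refs or None


def hunt(log_text, sessions, svc_account=AI_SERVICE_ACCOUNT):
    """Flag AI service-account queries that read customer data outside the session's own customer."""
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev["db_user"] != svc_account:
            continue  # other principals are out of scope for this hypothesis
        own = sessions.get(ev["session_id"])
        refs = referenced_customers(ev["query"])
        reads_customer_table = any(t in ev["query"].lower() for t in CUSTOMER_TABLES)
        if refs is None and reads_customer_table:
            reason = "unscoped read of customer table"
        elif refs and (own is None or refs - {own}):
            reason = f"references customers {sorted(refs - {own} if own else refs)} outside session scope"
        else:
            continue  # query stays within the verifying customer's own records
        findings.append({"ts": ev["ts"], "session_id": ev["session_id"], "reason": reason, "query": ev["query"]})
    return findings
```

On the constructed sample, `hunt(DB_QUERY_LOG, SESSION_CUSTOMER)` returns three findings: the cross-customer read in session s-101, the unscoped table read, and the IN-list in s-102 that reaches customer 4713.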

Control Gaps

  • Traditional Web Application Firewalls (WAF)
  • Endpoint Detection and Response (EDR)
  • Standard input validation schemas

Key Behavioral Indicators

  • Unexpected database queries originating from AI agents
  • Anomalous output lengths or data structures in KYC verification pages

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Implement strict output validation and sanitization for data returned by AI agents.
  • Apply the principle of least privilege to the AI agent's backend database access (e.g., restricting MCP backend permissions).

Infrastructure Hardening

  • Isolate AI execution environments from sensitive customer databases where possible.
  • Deploy specialized LLM firewalls or input/output guardrails to detect prompt injection attempts.

User Protection

  • N/A

Security Awareness

  • Educate development and engineering teams on the risks of prompt injection and the necessity of treating AI inputs as potentially executable code.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1005 - Data from Local System