{"id":60285,"date":"2026-03-09T00:00:00","date_gmt":"2026-03-09T00:00:00","guid":{"rendered":"urn:uuid:8a69d4f5-567b-5f62-296d-ae431a301837"},"modified":"2026-03-09T00:00:00","modified_gmt":"2026-03-09T00:00:00","slug":"trendai-at-unprompted-2026-from-kyc-exploits-to-agentic-defense","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/trendai-at-unprompted-2026-from-kyc-exploits-to-agentic-defense\/","title":{"rendered":"TrendAI\u2122 at [un]prompted 2026: From KYC Exploits to Agentic Defense"},"content":{"rendered":"

<\/p>\n

<\/div>\n
\n
\n

The sessions from Sean Park and Peter Girnus with Demeng Chen captured the attention of attendees because they painted a picture of the ecosystem: as AI systems rapidly expand, so does the attack surface around them. The work of TrendAI\u2122 is aimed at helping organizations keep up with those changes through real research and practical defensive measures.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Principal Threat Researcher Sean Park took the stage for a session that sounded like something out of a spy novel: “When Passports Execute: Exploiting AI Driven KYC Pipelines.”<\/p>\n

Most of us assume that when we upload a photo of our ID for “Know Your Customer<\/a>” (KYC) verification, the AI is just pulling text from the image into a database. Sean showed that these pipelines are actually execution environments. He demonstrated how a document embedded with hidden “injects”, can trick an AI agent into reading and writing data across different customer records. It\u2019s a worrying look at how data theft can happen without ever having to “bypass” a traditional security control.<\/p>\n

In a real-world stack built with FastAPI, Claude Code, and a SQLite MCP backend, his team embedded malicious instructions inside a passport so that the AI agent followed them and leaked other customer records directly into the verification page. They scaled this into 2,600 automated tests across 13 different models to explore high success rate injects. The takeaway here is that if your AI can read documents and call tools, your documents can potentially become executable attack surfaces even when guarded with strict schemas.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Later in the conference, Threat Hunting Senior Manager Peter Girnus and Threat Researcher Demeng Chen presented the latest results from the vulnerability research pipeline of TrendAI\u2122. Their talk, titled FENRIR: AI Hunting for AI Zero Days at Scale, demonstrated what the team has built to uncover weaknesses in the AI and model context protocol (MCP) ecosystem.<\/p>\n

The presentation covered the full architecture behind FENRIR<\/a>, a multi\u2011stage system that scales from static analysis to human validation. The research is built around a simple but critical idea: AI systems cannot be secured unless we can find their weakest points faster than attackers can.<\/p>\n

Using a layered pipeline, FENRIR processes large codebases with a combination of CodeQL, Semgrep, YARA\u2011X, SpotBugs, and two tiers of LLM reasoning. The system is designed to eliminate more than 90 percent of false positives before a human researcher even sees a result. Once a true positive reaches an analyst, it already comes with an exploit proof, an auto\u2011generated report, and threat intel artifacts.<\/p>\n

This approach has already produced:<\/p>\n