<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pagerduty on RockB</title><link>https://baeseokjae.github.io/tags/pagerduty/</link><description>Recent content in Pagerduty on RockB</description><image><title>RockB</title><url>https://baeseokjae.github.io/images/og-default.png</url><link>https://baeseokjae.github.io/images/og-default.png</link></image><generator>Hugo</generator><language>en-us</language><lastBuildDate>Sat, 04 Jul 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://baeseokjae.github.io/tags/pagerduty/index.xml" rel="self" type="application/rss+xml"/><item><title>Agentjacking Mitigation Guide 2026: Secure Sentry, Datadog, PagerDuty, and Jira for Coding Agents</title><link>https://baeseokjae.github.io/posts/agentjacking-mitigation-guide-2026/</link><pubDate>Sat, 04 Jul 2026 12:00:00 +0000</pubDate><guid>https://baeseokjae.github.io/posts/agentjacking-mitigation-guide-2026/</guid><description>A practical 2026 guide to securing Sentry, Datadog, PagerDuty, and Jira integrations against agentjacking attacks on Claude Code, Cursor, and Codex.</description><content:encoded><![CDATA[<p>Your coding agent trusts the tools it reads. That trust is the vulnerability.</p>
<p>When an attacker poisons a Sentry error report, a Datadog monitor alert, a PagerDuty incident, or a Jira ticket description with hidden prompt injection payloads, your agent doesn&rsquo;t know the difference between a legitimate instruction and a hijack attempt. I&rsquo;ve spent the last few months digging into this attack surface across the four most common integrations teams wire up to Claude Code, Cursor, and Codex. Here&rsquo;s what I found and exactly how to fix it.</p>
<h2 id="what-is-agentjacking-and-why-should-you-care">What Is Agentjacking and Why Should You Care?</h2>
<p>Agentjacking is the exploitation of AI coding agents through poisoned tool outputs. The core problem is structural: agents treat the data they receive from integrated tools as trusted context. When Sentry returns an error report, the agent reads the exception message, stack frame variables, and tags — and if any of those fields contain injected instructions, the agent may follow them.</p>
<p>This isn&rsquo;t theoretical. Invariant Labs demonstrated MCP Tool Poisoning Attacks against Anthropic, OpenAI, Zapier, and Cursor in early 2025. The OWASP Top 10 for Agentic Applications 2026 — built with input from over 100 industry experts — lists prompt injection and tool misuse as top-tier risks. Darktrace&rsquo;s 2026 survey found that 92% of security professionals are concerned about AI agent impact. And 19.5% of CISOs in the State of AI Agent Security 2026 report had already experienced an AI-agent-related security incident.</p>
<p>The attack surface is real, and it&rsquo;s growing. By the end of 2026, Gartner predicts 40% of enterprise applications will include task-specific AI agents. If you&rsquo;re running coding agents today, you need a mitigation strategy for the tools they connect to.</p>
<h2 id="the-four-critical-integration-risks">The Four Critical Integration Risks</h2>
<p>Each tool has a different attack vector, but the mitigation patterns are consistent. Let me walk through each one.</p>
<h3 id="sentry-mcp-fake-error-reports">Sentry MCP: Fake Error Reports</h3>
<p>Sentry&rsquo;s MCP server lets agents query error events, stack traces, and performance data. The attack vector is straightforward: an attacker injects a fake error report into a Sentry project the agent monitors. The exception value, stack frame variables, tags, or event description contain a prompt injection payload. The agent reads the error, follows the injected instructions, and executes destructive commands.</p>
<p>The Sentry team has been responsive — PR #1056 added XML untrusted data boundary tags around the Description field. But I&rsquo;ve found three bypass patterns in testing:</p>
<ol>
<li><strong>Unsupported event types</strong> — the wrapper only covers the Description field, not stack frame variables, tags, or breadcrumbs</li>
<li><strong>Response Notes enclosed inside the boundary</strong> — the wrapper wraps the entire response, so Notes that should be outside end up inside</li>
<li><strong>Only Description is covered</strong> — tags and extra data fields pass through raw</li>
</ol>
<p><strong>Mitigations for Sentry:</strong></p>
<ul>
<li>Apply untrusted data boundary wrapping to ALL Sentry event fields, not just Description</li>
<li>Use read-only API tokens scoped to minimal Sentry projects</li>
<li>Implement a tool-call approval queue for any Sentry-triggered write operations</li>
<li>Strip HTML/XML tags and control characters from Sentry event output before agent processing</li>
<li>Add LLM eval canary tests that verify prompt-injection resistance on every Sentry MCP deployment</li>
</ul>
<p>I covered the full attack walkthrough in the <a href="/posts/agentjacking-sentry-mcp-attack-guide-2026/">Agentjacking Sentry MCP Attack Guide</a>.</p>
<h3 id="datadog-poisoned-monitor-alerts-and-logs">Datadog: Poisoned Monitor Alerts and Logs</h3>
<p>Datadog integrations typically use API keys or MCP servers to query monitors, dashboards, and logs. An attacker who can create a monitor alert or inject a log entry with a crafted message can hijack any agent that reads that data.</p>
<p>Datadog&rsquo;s API key model supports scoping — you can create restricted keys with read-only access to specific resources. The problem is that most teams don&rsquo;t. They use the same admin-level API key for agent integrations that they use for their CI/CD pipelines.</p>
<p><strong>Mitigations for Datadog:</strong></p>
<ul>
<li>Create Datadog API keys with read-only scopes for agent integrations — never use admin keys</li>
<li>Restrict application key permissions to specific dashboards and monitors only</li>
<li>Apply input sanitization to all Datadog event and monitor data before agent processing</li>
<li>Use Datadog&rsquo;s restriction policies to limit which data agents can access</li>
<li>Implement separate Datadog API keys per agent identity for audit trail</li>
<li>Rotate Datadog API keys every 90 days minimum</li>
</ul>
<h3 id="pagerduty-crafted-incident-payloads">PagerDuty: Crafted Incident Payloads</h3>
<p>PagerDuty&rsquo;s REST API and MCP integrations let agents query incidents, acknowledge alerts, and modify on-call schedules. An attacker who creates a fake incident with a crafted title or description can inject instructions that the agent follows.</p>
<p>PagerDuty supports read-only API tokens and scoped OAuth, which is good. But MCP integrations may not enforce field-level untrusted data boundaries on incident and alert data. The incident title, description, and custom details fields all pass through to the agent&rsquo;s context.</p>
<p><strong>Mitigations for PagerDuty:</strong></p>
<ul>
<li>Use PagerDuty read-only API tokens for agent integrations — never use account-level tokens</li>
<li>Scope API tokens to specific services and minimal permission sets</li>
<li>Apply untrusted data boundary wrapping to all PagerDuty incident and alert data</li>
<li>Implement human-in-the-loop approval for any PagerDuty write operations (acknowledge, resolve, create incidents)</li>
<li>Use PagerDuty&rsquo;s audit logs to monitor agent-initiated actions</li>
<li>Rotate PagerDuty API tokens every 90 days</li>
</ul>
<h3 id="jira-injected-ticket-descriptions-and-comments">Jira: Injected Ticket Descriptions and Comments</h3>
<p>Jira is the most dangerous integration because it&rsquo;s the most write-heavy. Agents read issue descriptions, comments, and custom fields — and they create, update, and transition issues. An attacker who can create a Jira ticket with an injected description can hijack any agent that reads it.</p>
<p>Jira&rsquo;s API token model is user-scoped with no granular permission model beyond project-level permissions. If your agent uses a personal account&rsquo;s API token, it inherits everything that account can do. Basic auth is deprecated in favor of API tokens, but the permission model hasn&rsquo;t improved.</p>
<p><strong>Mitigations for Jira:</strong></p>
<ul>
<li>Create dedicated Jira service accounts with minimal project permissions for agent integrations</li>
<li>Use OAuth 2.0 (3LO) with scoped permissions instead of API tokens where possible</li>
<li>Apply untrusted data boundary wrapping to all Jira field data (description, comments, custom fields)</li>
<li>Implement tool-call approval queue for any Jira write operations (create, update, transition issues)</li>
<li>Restrict agent access to specific Jira projects only</li>
<li>Enable Jira audit logging and monitor for unusual agent activity patterns</li>
<li>Never use personal Jira accounts for agent integrations — always use service accounts</li>
</ul>
<h2 id="api-token-hygiene-for-agent-integrations">API Token Hygiene for Agent Integrations</h2>
<p>Across all four tools, the single highest-impact change you can make is fixing your API token strategy. Here&rsquo;s what I&rsquo;ve found works in practice:</p>
<p><strong>Dedicated tokens per agent.</strong> Every agent gets its own API token. No sharing between agents, no sharing between agents and humans, no sharing between agents and CI/CD pipelines. When you rotate a token, you only affect one agent.</p>
<p><strong>Read-only by default.</strong> Start with read-only tokens. Grant write access only when you have a specific use case that requires it, and scope that write access to the minimum resources needed.</p>
<p><strong>Automatic rotation.</strong> Set a 90-day maximum token lifetime. Most platforms support token expiry natively. If yours doesn&rsquo;t, add a calendar reminder and a script that rotates tokens on schedule.</p>
<p><strong>Secrets management.</strong> Store tokens in a secrets manager — Vault, AWS Secrets Manager, or 1Password. Never in code, never in config files, never in environment variables that get logged. I&rsquo;ve seen too many tokens leak through CI/CD logs and debug output.</p>
<p><strong>Token tagging.</strong> Tag every token with metadata: purpose, owner, expiry date, and the agent identity it belongs to. This makes lifecycle management and audits much easier.</p>
<h2 id="untrusted-data-boundaries-your-first-line-of-defense">Untrusted Data Boundaries: Your First Line of Defense</h2>
<p>The most effective technical control is wrapping all external tool output in explicit untrusted data boundary markers. The pattern looks like this:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#f92672">&lt;untrusted_data&gt;</span>
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">&lt;source&gt;</span>sentry_mcp<span style="color:#f92672">&lt;/source&gt;</span>
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">&lt;event_id&gt;</span>12345<span style="color:#f92672">&lt;/event_id&gt;</span>
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">&lt;content&gt;</span>
</span></span><span style="display:flex;"><span>    Error: Connection refused on port 5432
</span></span><span style="display:flex;"><span>    Stack trace: ...
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">&lt;/content&gt;</span>
</span></span><span style="display:flex;"><span><span style="color:#f92672">&lt;/untrusted_data&gt;</span>
</span></span></code></pre></div><p>The agent&rsquo;s system prompt should instruct it to treat anything inside <code>&lt;untrusted_data&gt;</code> tags as potentially malicious input, not as instructions. This is the same pattern the Sentry MCP PR #1056 implements, but you need to apply it to ALL fields, not just the Description.</p>
<p><strong>Sanitization techniques:</strong></p>
<ul>
<li>Strip HTML and XML tags from tool output before it reaches the agent</li>
<li>Remove control characters and Unicode direction overrides</li>
<li>Filter known injection patterns (e.g., &ldquo;ignore previous instructions&rdquo;, &ldquo;system prompt&rdquo;)</li>
<li>Truncate excessively long fields that could hide payloads</li>
</ul>
<p><strong>LLM eval canary tests.</strong> For every deployment, run automated tests that verify boundary integrity. Create a test Sentry event with an injection payload in each field type, feed it through your sanitization pipeline, and verify the agent doesn&rsquo;t follow the injected instruction. If the test fails, your boundaries have a bypass.</p>
<p><strong>Known bypass patterns to watch for:</strong></p>
<ul>
<li>Unsupported event types that skip the wrapper entirely</li>
<li>Nested boundaries that confuse the parser</li>
<li>Encoding tricks (Unicode normalization, HTML entities, base64)</li>
<li>Fields that the wrapper developer forgot to cover</li>
</ul>
<h2 id="human-in-the-loop-approval-queues">Human-in-the-Loop Approval Queues</h2>
<p>Boundaries can be bypassed. That&rsquo;s why you need a second line of defense: approval queues for high-risk tool calls.</p>
<p><strong>Risk level classification:</strong></p>
<ul>
<li><strong>Low</strong> (read-only queries) — auto-approve. Reading a Sentry event, querying a Datadog dashboard, listing Jira issues.</li>
<li><strong>Medium</strong> (issue updates, incident acknowledgments) — conditional approval. Auto-approve if the change matches expected patterns, flag for review if it doesn&rsquo;t.</li>
<li><strong>High</strong> (deletes, infrastructure changes, financial operations) — require human approval every time.</li>
</ul>
<p><strong>Structured diffs in the approval UI.</strong> When an agent proposes a change, show the reviewer exactly what will change. A diff view for Jira issue updates. A before/after for PagerDuty incident resolution. The reviewer should be able to verify the change in seconds.</p>
<p><strong>Rejection feedback loops.</strong> When a reviewer rejects an action, feed the rejection reason back into the agent&rsquo;s context. The agent can then propose an alternative path. This turns rejections into learning opportunities rather than dead ends.</p>
<p><strong>Track these metrics:</strong></p>
<ul>
<li>Approval items per day</li>
<li>Approval rate (what percentage of requests are approved)</li>
<li>Median review time</li>
<li>Stale items (requests that haven&rsquo;t been reviewed in &gt; 1 hour)</li>
</ul>
<h2 id="least-privilege-architecture-for-coding-agents">Least Privilege Architecture for Coding Agents</h2>
<p>The WorkOS containment paper got this right: prompt injection may still occur, but the blast radius should be bounded by permissions, not detection. Design your agents as untrusted workers operating inside a policy-controlled perimeter.</p>
<p><strong>Every tool call is an authorization event.</strong> Don&rsquo;t check permissions once at startup. Validate on every single request. The agent&rsquo;s identity, the tool being called, the resource being accessed, and the action being performed should all be checked against a policy.</p>
<p><strong>Put policy outside the prompt.</strong> Prompts are not durable security boundaries. An attacker who successfully injects instructions can override any security rules in the system prompt. The policy must live in the runtime — the tool-call router, the API gateway, the authorization layer.</p>
<p><strong>Separate identities per environment.</strong> Your dev agent should use different API tokens than your staging agent, which should use different tokens than your production agent. This limits blast radius and makes audit trails meaningful.</p>
<p><strong>Deny-by-default.</strong> Agents can only access explicitly permitted resources. If you haven&rsquo;t configured access to a Jira project, the agent can&rsquo;t read it. If you haven&rsquo;t granted write access to a Datadog dashboard, the agent can&rsquo;t modify it.</p>
<p>I covered the identity and access control layer in more detail in the <a href="/posts/ai-agent-identity-framework-guide-2026/">AI Agent Identity Framework guide</a>.</p>
<h2 id="monitoring-and-detection">Monitoring and Detection</h2>
<p>Even with all the above controls in place, you need to detect when something goes wrong.</p>
<p><strong>Log all agent tool calls.</strong> Every call should record: the agent identity, the tool called, the resource accessed, the action performed, the timestamp, and whether it was approved or rejected. Store this in a centralized logging system.</p>
<p><strong>Anomaly detection.</strong> Set up alerts for:</p>
<ul>
<li>Agent calling tools it doesn&rsquo;t normally use</li>
<li>Agent operating outside its normal hours</li>
<li>Agent making an unusual volume of calls</li>
<li>Agent making failed approval attempts (potential injection probe)</li>
</ul>
<p><strong>Dashboards.</strong> Create a dashboard showing agent activity across all integrated tools. I recommend tracking: calls per agent per hour, approval rate over time, top tools called, top resources accessed, and error rate.</p>
<p><strong>Circuit breakers.</strong> If an agent makes N failed approval attempts in T minutes, pause the agent automatically. This stops an active injection attack from continuing to probe for bypasses.</p>
<p><strong>Regular audit reviews.</strong> Every month, review the agent activity logs. Look for patterns that don&rsquo;t match expected behavior. Revoke tokens that haven&rsquo;t been used in 90 days. Update permission scopes based on actual usage.</p>
<h2 id="putting-it-all-together-a-mitigation-checklist">Putting It All Together: A Mitigation Checklist</h2>
<p>Here&rsquo;s the actionable checklist I use when securing a new agent deployment. Order by impact and effort.</p>
<p><strong>Week 1 — High Impact, Low Effort:</strong></p>
<ul>
<li><input disabled="" type="checkbox"> Create dedicated read-only API tokens for each agent integration</li>
<li><input disabled="" type="checkbox"> Store tokens in a secrets manager, not in code or config files</li>
<li><input disabled="" type="checkbox"> Set 90-day token rotation</li>
<li><input disabled="" type="checkbox"> Tag tokens with purpose, owner, and expiry metadata</li>
</ul>
<p><strong>Week 2 — High Impact, Medium Effort:</strong></p>
<ul>
<li><input disabled="" type="checkbox"> Apply untrusted data boundary wrapping to all tool output fields</li>
<li><input disabled="" type="checkbox"> Implement input sanitization (strip HTML/XML, control characters)</li>
<li><input disabled="" type="checkbox"> Add LLM eval canary tests for boundary integrity</li>
<li><input disabled="" type="checkbox"> Test known bypass patterns (unsupported event types, encoding tricks)</li>
</ul>
<p><strong>Week 3 — Medium Impact, Medium Effort:</strong></p>
<ul>
<li><input disabled="" type="checkbox"> Implement tool-call approval queue for write operations</li>
<li><input disabled="" type="checkbox"> Define risk levels and auto-approve rules</li>
<li><input disabled="" type="checkbox"> Set up structured diffs in approval UI</li>
<li><input disabled="" type="checkbox"> Configure rejection feedback loops</li>
</ul>
<p><strong>Week 4 — Medium Impact, Higher Effort:</strong></p>
<ul>
<li><input disabled="" type="checkbox"> Create dedicated service accounts per agent per environment</li>
<li><input disabled="" type="checkbox"> Implement deny-by-default access policies</li>
<li><input disabled="" type="checkbox"> Set up centralized agent activity logging</li>
<li><input disabled="" type="checkbox"> Configure anomaly detection alerts and circuit breakers</li>
<li><input disabled="" type="checkbox"> Schedule monthly audit reviews</li>
</ul>
<h2 id="faq">FAQ</h2>
<p><strong>What is agentjacking?</strong>
Agentjacking is an attack where malicious instructions are injected into the data that AI coding agents read from integrated tools like Sentry, Datadog, PagerDuty, and Jira. The agent treats the poisoned data as trusted context and follows the injected instructions, potentially executing destructive actions.</p>
<p><strong>Which coding agents are vulnerable to agentjacking?</strong>
Any agent that reads external tool output is potentially vulnerable. This includes Claude Code, Cursor, GitHub Copilot, Codex CLI, and custom agent frameworks that integrate with observability and project management tools via MCP servers or REST APIs.</p>
<p><strong>Can untrusted data boundaries be bypassed?</strong>
Yes. Known bypass patterns include unsupported event types that skip the wrapper, nested boundaries that confuse the parser, and encoding tricks like Unicode normalization and HTML entities. Regular LLM eval canary tests are essential to catch bypasses.</p>
<p><strong>Should I use API tokens or OAuth for agent integrations?</strong>
OAuth 2.0 with scoped permissions is preferred where available, because it supports granular permission scoping and token revocation. API tokens are a reasonable fallback, but they should be read-only, scoped to minimal resources, rotated every 90 days, and stored in a secrets manager.</p>
<p><strong>How do I detect an active agentjacking attack?</strong>
Monitor for unusual agent behavior: calls to tools the agent doesn&rsquo;t normally use, operation outside normal hours, unusual call volume, and a spike in failed approval attempts. Set up circuit breakers that pause the agent after N failed attempts in T minutes.</p>
]]></content:encoded></item></channel></rss>