BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.troopers.de//tr26-cfp//speaker//LV9LD7
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-tr26-cfp-CSA7WS@cfp.troopers.de
DTSTART;TZID=CET:20260624T164500
DTEND;TZID=CET:20260624T174500
DESCRIPTION:Organizations are rolling out Copilot\, custom agents\, and MCP
 -based tool integrations. Their security teams keep doing what they've alw
 ays done: decompose the system into components\, assess each one\, check t
 he boxes. The problem is that agentic AI attacks don't stay inside those b
 oxes. A retrieved document biases the planner\, the planner picks the wron
 g tool\, the tool acts on stale permissions\, a second agent trusts the ou
 tput without verification. We've seen this play out in real incidents: zer
 o-click prompt injection in enterprise copilots\, indirect data exfiltrati
 on through tool chains. Every component passes its security review. The at
 tack path between them does not.\n\nThis talk introduces a five-zone decom
 position for agentic AI architectures: input surfaces\, planning and reaso
 ning\, tool execution\, memory and state\, and inter-agent communication. 
 These five zones describe where attacks enter the agent loop and how they 
 cross trust boundaries that traditional threat models treat as separate co
 ncerns.\n\nI walk through three scenarios: RAG pipeline poisoning\, tool-i
 ntegration supply-chain attacks via MCP (Model Context Protocol)\, and mul
 ti-agent goal cascades. For each one\, I show how to trace cross-zone atta
 ck paths and build attack trees that capture the propagation your current 
 reviews miss. Each scenario maps to OWASP Top 10 for LLM and Agentic AI Ap
 plications controls with concrete mitigations.\n\nYou leave with a seven-s
 tep methodology\, a threat-zone mapping template\, a cross-zone attack-pat
 h checklist\, and worked attack trees. Artifacts your team can apply to yo
 ur own agentic AI deployments the following week.
DTSTAMP:20260510T030030Z
LOCATION:Track 3
SUMMARY:Every Component Passed Review — So How Did the Agent Exfiltrate E
 verything? - Christian Schneider
URL:https://cfp.troopers.de/tr26-cfp/talk/CSA7WS/
END:VEVENT
END:VCALENDAR