Agent Engine Threat Detection overview

This document describes Agent Engine Threat Detection and its detectors.

Agent Engine Threat Detection is a built-in service of Security Command Center that helps you detect and investigate potential attacks on AI agents that are deployed to Vertex AI Agent Engine Runtime. If the Agent Engine Threat Detection service detects a potential attack, the service generates a finding in Security Command Center in near-real time.

Agent Engine Threat Detection monitors the supported AI agents and detects the most common runtime threats. Runtime threats include the execution of malicious binaries or scripts, container escapes, reverse shells, and the use of attack tools within the agent's environment.

In addition, control-plane detectors from Event Threat Detection analyze various audit logs (including Identity and Access Management, BigQuery, and Cloud SQL logs) and Vertex AI Agent Engine logs (stdout and stderr) to detect suspicious activities. Control-plane threats include data exfiltration attempts, excessive permission denials, and suspicious token generation.

Benefits

Agent Engine Threat Detection offers the following benefits:

Proactively reduce risk for AI workloads. Agent Engine Threat Detection helps you detect and respond to threats early by monitoring the behavior and environment of your AI agents
Manage AI security in a unified location. Agent Engine Threat Detection findings appear directly in Security Command Center. You have a central interface to view and manage threat findings alongside other cloud security risks.

How it works

Agent Engine Threat Detection collects telemetry from the hosted AI agents to analyze processes, scripts, and libraries that might indicate a runtime attack. When Agent Engine Threat Detection detects a potential threat, it does the following:

Agent Engine Threat Detection uses a watcher process to collect event information while the agentic workload is running. The watcher process can take up to one minute to start and collect information.
Agent Engine Threat Detection analyzes the collected event information to determine whether an event indicates an incident. Agent Engine Threat Detection uses natural language processing (NLP) to analyze Bash and Python scripts for malicious code.
- If Agent Engine Threat Detection identifies an incident, it reports the incident as a finding in Security Command Center.
- If Agent Engine Threat Detection doesn't identify an incident, it doesn't store any information.
- All data collected is processed in memory and doesn't persist after analysis unless identified as an incident and reported as a finding.

For information about how to review Agent Engine Threat Detection findings in the Google Cloud console, see Review findings.

Detectors

This section lists the runtime and control-plane detectors that monitor AI agents that are deployed to Vertex AI Agent Engine Runtime.

Runtime detectors

Agent Engine Threat Detection includes the following runtime detectors:

Display name	Module name	Description
Execution: Added Malicious Binary Executed	`AGENT_ENGINE_ADDED_MALICIOUS_BINARY_EXECUTED`	A process executed a binary that threat intelligence identifies as malicious. This binary was not part of the original agentic workload. This event strongly suggests that an attacker has control of the workload and is running malicious software.
Execution: Added Malicious Library Loaded	`AGENT_ENGINE_ADDED_MALICIOUS_LIBRARY_LOADED`	A process loaded a library that threat intelligence identifies as malicious. This library was not part of the original agentic workload. This event suggests that an attacker likely has control of the workload and is running malicious software.
Execution: Built in Malicious Binary Executed	`AGENT_ENGINE_BUILT_IN_MALICIOUS_BINARY_EXECUTED`	A process executed a binary that threat intelligence identifies as malicious. This binary was part of the original agentic workload. This event might suggest that an attacker is deploying a malicious workload. For example, the actor might have gained control of a legitimate build pipeline and injected the malicious binary into the agentic workload.
Execution: Container Escape	`AGENT_ENGINE_CONTAINER_ESCAPE`	A process running inside the container attempted to bypass container isolation by using known exploit techniques or binaries, which threat intelligence identifies as potential threats. A successful escape can allow an attacker to access the host system and potentially compromise the entire environment. This action suggests that an attacker is exploiting vulnerabilities to gain unauthorized access to the host system or broader infrastructure.
Execution: Kubernetes Attack Tool Execution	`AGENT_ENGINE_KUBERNETES_ATTACK_TOOL_EXECUTION`	A process executed a Kubernetes-specific attack tool, which threat intelligence identifies as a potential threat. This action suggests that an attacker has gained access to the cluster and is using the tool to exploit Kubernetes-specific vulnerabilities or configurations.
Execution: Local Reconnaissance Tool Execution	`AGENT_ENGINE_LOCAL_RECONNAISSANCE_TOOL_EXECUTION`	A process executed a local reconnaissance tool that is not typically part of the agentic workload. Threat intelligence identifies these tools as potential threats. This event suggests that an attacker is trying to gather internal system information, such as mapping the infrastructure, identifying vulnerabilities, or collecting data on system configurations.
Execution: Malicious Python Executed	`AGENT_ENGINE_MALICIOUS_PYTHON_EXECUTED`	A machine learning model identified executed Python code as malicious. An attacker can use Python to download tools or files into a compromised environment and execute commands without using binaries. The detector uses natural language processing (NLP) to analyze the Python code's content. Because this approach isn't based on signatures, detectors can identify known and novel malicious Python code.
Execution: Modified Malicious Binary Executed	`AGENT_ENGINE_MODIFIED_MALICIOUS_BINARY_EXECUTED`	A process executed a binary that threat intelligence identifies as malicious. This binary was part of the original agentic workload but was modified at runtime. This event suggests that an attacker might have control of the workload and is running malicious software.
Execution: Modified Malicious Library Loaded	`AGENT_ENGINE_MODIFIED_MALICIOUS_LIBRARY_LOADED`	A process loaded a library that threat intelligence identifies as malicious. This library was part of the original agentic workload but was modified at runtime. This event suggests that an attacker has control of the workload and is running malicious software.
Malicious Script Executed	`AGENT_ENGINE_MALICIOUS_SCRIPT_EXECUTED`	A machine learning model identified executed Bash code as malicious. An attacker can use Bash to download tools or files into a compromised environment and execute commands without using binaries. The detector uses NLP to analyze the Bash code's content. Because this approach is not based on signatures, detectors can identify known and novel malicious Bash code.
Malicious URL Observed	`AGENT_ENGINE_MALICIOUS_URL_OBSERVED`	Agent Engine Threat Detection observed a malicious URL in the argument list of a running process. The detector compares these URLs against the unsafe web resources lists maintained by the Google Safe Browsing service. If you believe that Google incorrectly classified a URL as a phishing site or malware, report the issue at Reporting Incorrect Data.
Reverse Shell	`AGENT_ENGINE_REVERSE_SHELL`	A process started with stream redirection to a remote connected socket. The detector looks for `stdin` bound to a remote socket. A reverse shell allows an attacker to communicate from a compromised workload to an attacker-controlled machine. The attacker can then command and control the workload—for example, as part of a botnet.
Unexpected Child Shell	`AGENT_ENGINE_UNEXPECTED_CHILD_SHELL`	A process that does not normally invoke shells unexpectedly spawned a shell process. The detector monitors process executions and generates a finding when a known parent process spawns a shell unexpectedly.

Control-plane detectors

This section describes the control-plane detectors from Event Threat Detection that are specifically designed for AI agents deployed to Vertex AI Agent Engine Runtime. Event Threat Detection also has detectors for general AI-related threats.

These control-plane detectors are enabled by default. You manage these detectors the same way you do other Event Threat Detection detectors. For more information, see Use Event Threat Detection.

Display name	API name	Log source types	Description
Discovery: Agent Engine Service Account Self-Investigation (Preview)	`AGENT_ENGINE_IAM_ANOMALOUS_BEHAVIOR_SERVICE_ACCOUNT_GETS_OWN_IAM_POLICY`	Cloud Audit Logs: IAM Data Access audit logs Permissions: `DATA_READ`	An identity associated with an AI agent deployed to Vertex AI Agent Engine was used to investigate the roles and permissions associated with that same service account. Sensitive roles Findings are classified as High or Medium severity, depending on the sensitivity of the roles granted. For more information, see Sensitive IAM roles and permissions.
Exfiltration: Agent Engine initiated BigQuery Data Exfiltration (Preview)	`AGENT_ENGINE_BIG_QUERY_EXFIL_VPC_PERIMETER_VIOLATION` `AGENT_ENGINE_BIG_QUERY_EXFIL_TO_EXTERNAL_TABLE`	Cloud Audit Logs: BigQueryAuditMetadata data access logs Permissions: `DATA_READ`	Detects the following scenarios of a BigQuery data exfiltration initiated by an agent deployed to Vertex AI Agent Engine: Resources owned by the protected organization were saved outside of the organization, including copy or transfer operations. This scenario corresponds to the `AGENT_ENGINE_BIG_QUERY_EXFIL_TO_EXTERNAL_TABLE` finding type and has High severity. Attempts were made to access BigQuery resources that are protected by VPC Service Controls. This scenario corresponds to the `AGENT_ENGINE_BIG_QUERY_EXFIL_VPC_PERIMETER_VIOLATION` finding type and has Low severity.
Exfiltration: Agent Engine initiated CloudSQL exfiltration (Preview)	`AGENT_ENGINE_CLOUDSQL_EXFIL_EXPORT_TO_PUBLIC_GCS` `AGENT_ENGINE_CLOUDSQL_EXFIL_EXPORT_TO_EXTERNAL_GCS`	Cloud Audit Logs: MySQL data access logs PostgreSQL data access logs SQL Server data access logs	Detects the following scenarios of a Cloud SQL data exfiltration initiated by an agent deployed to Vertex AI Agent Engine: Live instance data was exported to a Cloud Storage bucket outside of the organization. Live instance data was exported to a Cloud Storage bucket that is owned by the organization and is publicly accessible. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.. Findings are classified as High severity by default.
Exfiltration: Agent Engine initiated BigQuery Data Extraction (Preview)	`AGENT_ENGINE_BIG_QUERY_EXFIL_TO_CLOUD_STORAGE`	Cloud Audit Logs: BigQueryAuditMetadata data access logs Permissions: `DATA_READ`	Detects the following scenarios of a BigQuery data extraction initiated by an agent deployed to Vertex AI Agent Engine: A BigQuery resource owned by the protected organization was saved, through extraction operations, to a Cloud Storage bucket outside the organization. A BigQuery resource owned by the protected organization was saved, through extraction operations, to a publicly accessible Cloud Storage bucket owned by that organization. For project-level activations of the Security Command Center Premium tier, this finding is available only if the Standard tier is enabled in the parent organization.. Findings are classified as Low severity by default.
Initial Access: Agent Engine Identity Excessive Permission Denied Actions (Preview)	`AGENT_ENGINE_EXCESSIVE_FAILED_ATTEMPT`	Cloud Audit Logs: Admin Activity logs	An identity associated with an AI agent deployed to Vertex AI Agent Engine repeatedly triggered permission denied errors by attempting changes across multiple methods and services. Findings are classified as Medium severity by default.
Privilege Escalation: Agent Engine Suspicious Token Generation (Preview)	`AGENT_ENGINE_SUSPICIOUS_TOKEN_GENERATION_IMPLICIT_DELEGATION`	Cloud Audit Logs: IAM Data Access audit logs	The `iam.serviceAccounts.implicitDelegation` permission was misused to generate access tokens from a more privileged service account through a Vertex AI Agent Engine. Findings are classified as Low severity by default.
Privilege Escalation: Agent Engine Suspicious Token Generation (Preview)	`AGENT_ENGINE_SUSPICIOUS_TOKEN_GENERATION_CROSS_PROJECT_OPENID`	Cloud Audit Logs: IAM Data Access audit logs	The `iam.serviceAccounts.getOpenIdToken` IAM permission was used across projects through a Vertex AI Agent Engine. This finding isn't available for project-level activations. Findings are classified as Low severity by default.
Privilege Escalation: Agent Engine Suspicious Token Generation (Preview)	`AGENT_ENGINE_SUSPICIOUS_TOKEN_GENERATION_CROSS_PROJECT_ACCESS_TOKEN`	Cloud Audit Logs: IAM Data Access audit logs	The `iam.serviceAccounts.getAccessToken` IAM permission was used across projects through an AI agent deployed to Vertex AI Agent Engine. This finding isn't available for project-level activations. Findings are classified as Low severity by default.

For deprecated and shut down rules, see Deprecations.

What's next

Learn how to use Agent Engine Threat Detection.
Learn how to use Event Threat Detection.
Refer to the Threat findings index.