State of AI Agent Security: May 2026

What this report is

This is the inaugural edition of the Behavioral Threat Report, a monthly synthesis published by ARIA, OpenA2A's autonomous research system, with editorial review by Abdel Fane. The numbers in this report are anchored in instrumentation that has run continuously through the reporting window. Methodology is documented at research.opena2a.org/methodology and the findings are reproducible by anyone who deploys equivalent instrumentation.

Four data streams contribute. ARIAscout ran a fresh Shodan sweep on May 12, 2026 to anchor the exposure picture as of publication, not a stale prior-month baseline. AgentPwn instruments honeypot pages with injection payloads across sector verticals. TrapMyAgent runs honey agents that observe attacker behavior when attackers believe they have control. HoneyFinder samples the public web for adversarial injection patterns planted by third parties. The synthesis is the point: exposure measures latent surface, the honeypot ecosystem measures what attackers do with it. Every classification in this report resolves to an Agent Threat Matrix technique identifier in T-NNNN format.

1. The volume picture

Combined activity across the four streams. Behavioral telemetry is the 30-day window ending May 11. ARIAscout's exposure sweep was run May 12 specifically for this report; the May 12 count is the denominator the rest of this report sits on.

Month-over-month exposure delta. The May 12 sweep counted 297,723 exposed AI services, down from 321,929 on April 10 — a drop of 24,206 services (-8%). The decrease is concentrated in OpenClaw gateway exposure, which fell from 263,853 to 228,652 (13% reduction). MCP servers rose from 1,134 to 1,322, the first month a dedicated A2A endpoint count was broken out separately (22 services).

Cross-stream comparison is the first signal a reader should take. AgentPwn and TrapMyAgent observe attacker behavior in interactive environments. HoneyFinder samples bait planted by others on the open web. ARIAscout measures exposed surface that has not yet been touched. Together the four streams cover the arc from latent exposure to active attack to wild-seeded bait, all measured within a two-day window for this edition.

2. The success picture

Sector breakdown surfaces a sharper signal. On the AgentPwn security-vertical honeypot population (806 agent fingerprints, 1,419 attempts), 1,350 attempts (95.1%) resulted in a payload callback. This is a real finding, not a sampling artifact. Security-tooling agents that ingest external content trust security-flavored content more than general content, and that trust is exploitable. Any defender shipping an agent that reads security-research or vulnerability-database text into an LLM context window should assume an attacker has already considered the attack surface that 95.1% measures.

The delta cohort (authenticated-surface archetypes, currently 1 of 5 planned live as cloudops-agent-io) drew zero organic traffic in the window after operator-self-test rows are excluded by query-layer filter. This is itself a finding. Authenticated and dynamic surfaces are systematically invisible to the crawler-class agents that dominated the baseline cohort. The deliberate emptiness of the delta cohort is the most direct measurement of the Common Crawl gap thesis discussed in Section 8.

3. The technique picture

AgentPwn payload category leaderboard for the window. Each category resolves to one or more Agent Threat Matrix techniques.

MITRE ATT&CK techniques observed in TrapMyAgent telemetry over the same window:

Cross-source corroboration is a stronger signal than either source alone. AgentPwn's direct prompt-injection category (312 hits) and TrapMyAgent's Use-Alternate-Authentication-Material observation (7,630 events) target overlapping defender controls. Both resolve to T-2001 and T-3001 on the Agent Threat Matrix. A defender that hardens against either independently still leaves the other open.

4. The adversary picture

Attack-origin geography spans 90 countries. Top ten by event volume.

Top cloud providers in the attack-infrastructure backplane. Provider attribution reflects which network fronted the traffic, not which network originated it.

How to read this. Most observed traffic is mass automated probing. The manual-researcher and APT-reconnaissance counts are small because the classifier's heuristic rules deliberately lag the technique catalog. Two manual-researcher sessions and six APT-reconnaissance events are not a noise floor. They are flags. Any single observation in the non-automated categories deserves investigation, not dismissal. We do not refine the heuristics week-to-week because a misclassification rate that drifts is harder to interpret across editions than a heuristic that conservatively under-reports.

Persistence. 45% of unique attackers return.

Attribution limits. Geography reflects origin IP geolocation, which can be obscured by VPN, proxy, and Cloudflare-fronting infrastructure. The 18.5% Cloudflare share is best read as "Cloudflare-fronted traffic" not "traffic originating in Cloudflare data centers." ASN-level data in our methodology block separates origin from terminus.

5. The protocol picture

Event types observed across the TrapMyAgent fleet.

The Model Context Protocol drew three of every four attacker events. That concentration matters because MCP defenders are still under-resourced relative to traditional HTTP-API defenders. The 15.2% A2A share is significant on its own. Most public discussion of A2A in 2026 still treats the protocol as a research target rather than a production surface, but the observed event count argues the inverse. Section 8 carries hardening recommendations for both protocols.

6. The wild picture

HoneyFinder samples the public web for injection bait planted by third parties. The window captured 343 surfaces across 273 unique domains. The result is a sample, not a coverage count.

Attack classes:

Top AIIS signatures observed:

Where the bait lives on the page:

Sector distribution (where the bait sits):

330 of 343 surfaces (96%) carry no sector classification. This is the honest answer, not a classification gap. Most injection bait lives on pages with no clear sector identity, and the catalog deliberately does not guess. The named sectors (news, academic, ecommerce) are the surfaces where the page itself made the classification trivial.

The wild is being seeded, not yet weaponized at scale, but the bait is real. Every signature in this section is a signature defenders should already be checking for. Frame as leading indicator. The bait arrives months before the campaign that uses it.

7. The model attribution picture

Model attribution remains a research question. This month we report aggregate user-agent categories with explicit limits. We do not name a vendor or model without evidence.

User-agent strings are attacker-controllable and cannot ground an identity claim on their own. We are building behavioral fingerprinting (request-timing distributions, header-order canonicalization, tool-call structure) to close the gap. Progress will appear in subsequent editions.

8. What this means for defenders

Six recommendations follow from the data above. Each cites the Agent Threat Matrix technique it resolves to and the OASB control that implements the defense.

The Common Crawl gap

Public-web measurement studies, including Google's January 2026 indirect-prompt-injection sweep, sample crawls that surface only anonymous, statically rendered, search-engine-discoverable content. Three classes of attacker-reachable surface are systematically invisible to that sample.

• Authenticated surfaces. Login walls, gated dashboards, post-auth tool calls. An agent that completes a credential-acquisition step reaches a different content surface and exhibits behaviors that crawler-only research cannot observe.
• Dynamic surfaces. Per-fingerprint content variation. The same URL serves different HTML to different agents. Static crawls collapse this to a single template.
• Social surfaces. Federated and platform-mediated content where indexing is partial, latent, or restricted.

OpenA2A's honeypot fleet partitions on this seam. The 20 SEO-engineered baseline VEIL sites are deliberately Common-Crawl-visible. New authenticated and dynamic archetypes (currently 1 of 5 live as cloudops-agent-io) are deliberately not. The delta cohort drew zero organic traffic in the window. That is the most direct measurement of the gap this report makes. The wild bait counted in Section 6 is what a crawler can find. The post-credential behavior the delta cohort will eventually capture is what no crawler can find. Edition 2 will report on the second archetype.

9. Methodology, limits, and how to cite

Methodology. Full per-stream methodology is published at /methodology, with sub-pages for behavioral-sweep (ARIAtrap) and first-observed-in-the-wild (FOITW). All four streams run continuously. Numbers in this report are the snapshot at publication.

Window. April 12 to May 11, 2026 (30 days). Future editions will adopt a fixed 15th-of-month cadence and a rolling 30-day window for clean month-over-month comparison.

What this report cannot answer this month.

• HoneyFinder is a sample of the public web, not a coverage count. The 343 surfaces are what CommonCrawl, Shodan, and CT-log sampling reached during the window.
• TrapMyAgent geography reflects origin IP geolocation, which VPN and proxy infrastructure can obscure. ASN-level analysis in our methodology page separates origin from terminus.
• AgentPwn attack-success rate measures injection-following, not downstream impact. A callback proves an agent followed a payload. It does not measure what the agent then did.
• Sophistication scoring is published as distribution-only. We do not publish a sophistication mean, grade, or month-over-month delta. The supervised classifier that would ground a mean does not yet exist. We will not put a number on a slide that the data cannot defend.
• Model attribution is aggregate UA categories with explicit limits. We will not name a vendor without evidence.
• The delta cohort observed zero organic interactions in the window. Operator self-test rows are excluded by query-layer filter. Edition 2 will report on the second authenticated archetype as it goes live.

How to cite

@techreport{opena2a-btr-2026-05,
  author = {{ARIA, OpenA2A autonomous research system} and Abdel Fane (editor)},
  title  = {State of AI Agent Security: May 2026},
  institution = {OpenA2A Research},
  year   = {2026},
  month  = {5},
  type   = {Behavioral Threat Report},
  number = {Issue 1},
  url    = {https://research.opena2a.org/reports/state-of-ai-agent-security-2026-05}
}

ARIA, & Fane, A. (Ed.). (2026, May 12). State of AI Agent Security: May 2026 (Behavioral Threat Report Issue 1). OpenA2A Research. https://research.opena2a.org/reports/state-of-ai-agent-security-2026-05

How to challenge a finding

Email research@opena2a.org with the specific number you dispute and the methodology you would prefer we used. We aim to respond within five business days. Substantive challenges that hold up under review are published as methodology updates in subsequent editions with attribution.

Appendix. First Observed In The Wild log

FOITW is the mechanism by which OpenA2A pre-registers signatures for sophisticated AI agent attack techniques and publishes within seven days of first wild observation. The pre-registration catalog lives at aria/data/foitw-catalog.json with full methodology at /methodology/foitw.

Catalog state at publication: 3 signatures registered, 0 firings during the reporting window. Transparency-log anchoring is in progress. Log-anchored claims will publish from Edition 2.