Agentic AI Security: WAF + Runtime Defense as an AI Governance Control

Software release velocity has multiplied thanks to microservices, continuous deployment and AI‑assisted coding. A 2023 Snyk study found that 80–90 % of a typical codebase comes from third‑party packages[1], while the U.S. National Vulnerability Database added more than 29,000 CVEs in 2024 and over 60 % were tied to libraries or supply‑chain dependencies[2]. Patch cycles are slow—median time to remediate critical vulnerabilities exceeds 120 days[3]—and organisations face a shortage of application‑security expertise[4]. These factors mean that non‑technical teams using low‑code or “vibe‑coding” tools are now producing applications that bypass traditional engineering review. Latent endpoints, permissive APIs and AI‑generated code can emerge without standard threat modelling.

At the same time, supply‑chain attacks have become multi‑ecosystem worms. The Cloud Security Alliance reported that over 48 hours in April 2026 the TeamPCP actor compromised packages across npm, PyPI and Packagist, reaching about 1,800 repositories and harvesting GitHub, npm, cloud and Kubernetes credentials using a 11 MB obfuscated credential stealer[5]. After harvesting tokens, the malware automatically published infected versions of other packages using the victim’s privileges[6]. A parallel investigation by Kodem showed that versions lightning==2.6.2 and 2.6.3 on PyPI and intercom‑client@7.0.4 on npm executed malicious code during import or install, downloaded an obfuscated payload and then harvested GitHub tokens, npm tokens, cloud credentials and CI/CD secrets[7][8]. Static SCA tools only flagged these versions after disclosure; they could not detect runtime behaviour such as payload downloads and credential access, meaning every environment that installed the packages had already executed the attack chain[9].

Agent mode and multi‑agent defence

Kodem responded to this structural challenge by introducing Kai, an AI‑native application‑security engineer. Launched at RSAC 2025, Kai has evolved into a persistent, multi‑agent task force that performs application‑security tasks “from start to finish”[10]. Unlike monolithic AI assistants that summarise scanner output, Kai distributes work across specialised agents. Each agent scans for what matters, validates exploitability and either resolves the issue or escalates it[11]. The system operates on a runtime‑aware platform that uses eBPF to observe code, containers and memory. This agentic approach supports parallel reasoning and contextual awareness[12], enabling the task force to act autonomously—for example, by isolating a vulnerable function or terminating malicious outbound traffic—rather than simply notifying a human operator. Such agentic AI is essential when vulnerabilities outpace human response and supply‑chain attacks exploit automated build systems.

WAF + Kodem: runtime application defence as a guardrail

Traditional Web Application Firewalls (WAFs) excel at blocking high‑volume attacks, bots, credential stuffing and known exploit signatures by inspecting network traffic at the perimeter[13]. However, modern application risk does not stop at the edge; complex data‑flows, deserialization exploit chains and malicious dependency behaviour occur inside the runtime[14][15]. Kodem’s “runtime application security for WAF environments” integrates with existing WAF deployments to validate what executes in production, confirm which vulnerabilities are reachable from the edge and detect exploit chains that signatures alone cannot identify[16]. The resulting “1 + 1 = 3” architecture combines perimeter intelligence with runtime intelligence: proactive signals on zero‑days and supply‑chain execution, reactive detection of exploit triggers and context‑aware blocking at the edge[17].

This integration is not a replacement for a WAF; instead, it turns the WAF into a bidirectional agent that both filters traffic and receives runtime evidence. When Kodem observes an exploit attempt inside a container—such as an unsanitised endpoint reaching a dangerous deserialization path or a dependency scanning .ssh/ and .aws/ directories—it can generate a precise enforcement rule and push it to the WAF. Conversely, WAF telemetry helps runtime agents focus on suspicious routes and IPs. The synergy multiplies perimeter investments and aligns with Zero‑Trust initiatives by extending trust boundaries into memory and process execution[18].

Securing vibe‑coded applications with runtime evidence

Low‑code and AI‑assisted tools empower non‑technical teams to build applications quickly, but they often generate dormant endpoints, over‑permissive routes and insufficient input validation. WAFs see only traffic patterns; they cannot determine whether a new API route exposes admin functionality. Kodem adds the missing application context by monitoring runtime behaviour. It identifies which endpoints and libraries are actually loaded, which parameters are deserialized, and whether AI‑generated code introduces latent models or secret shadow services[19]. These runtime signals translate into granular edge policies: block unused or dormant endpoints, challenge traffic to high‑risk paths, enforce stricter validation on AI‑generated workflows and rate‑limit sensitive operations. Because the system validates execution, it avoids the false positives that plague purely static scanners and offers evidence‑based remediation instead of speculative alerts.

Mitigating TeamPCP and Shai‑Hulud supply‑chain attacks

Cross‑ecosystem worms such as Mini Shai‑Hulud highlight why runtime observability is indispensable. The campaign compromised multiple package managers at once, injected credential‑stealing malware during install or import and used stolen tokens to propagate[5]. Kodem’s analysis shows that the Python packages executed malicious code on import and the npm package executed during installation, downloading an obfuscated payload via the Bun runtime and harvesting GitHub, npm and cloud credentials[7][8]. Because these behaviours are hidden inside legitimate version numbers, static SCA tools detected them only after disclosure, whereas runtime detection could have caught the outbound payload download and credential access in real time[9].

By instrumenting workloads with eBPF sensors, Kodem detects unexpected child processes, mass file access to secrets and anomalous outbound connections as soon as a compromised dependency executes. It can then contain the workload by blocking network calls and rotate exposed tokens. The WAF side of the integration further blocks traffic from attacker IPs associated with the exploit. This approach aligns with cloud‑security guidance from the Cloud Security Alliance, which notes that cross‑ecosystem supply‑chain campaigns operate through credential theft rather than code vulnerabilities and that no CVE is assigned until after public disclosure[20]. Runtime defence therefore bridges a structural gap in vulnerability management by focusing on behaviour, not version identifiers.

AI governance and ISO 42001: runtime security as a key control

AI governance frameworks recognise that responsible AI is not just an ethical question but also a security imperative. ISO 42001, the first international management system standard for AI, provides a risk‑based governance framework for designing, deploying, monitoring and maintaining AI systems[21]. It stresses that AI failures often arise from organizational weaknesses such as unclear accountability, insufficient oversight and lack of ongoing monitoring[22]. To address these gaps, ISO 42001 requires organisations to define risk‑acceptance criteria, assign clear ownership, implement controls and continuously monitor performance and impacts[23]. It mandates real‑time monitoring and anomaly detection for AI models[24] and emphasises supply‑chain integrity and provenance for AI components[25].

Runtime application defence directly supports these requirements. By monitoring execution paths, validating AI‑generated code and enforcing provenance at runtime, the WAF + Kodem integration provides objective evidence that AI applications behave as intended. It also addresses adversarial threats like prompt injection and model poisoning—risks explicitly called out in ISO 42001[26]—by observing anomalies in input handling and model calls. Because the system generates audit logs of exploit attempts and remediation actions, it aids independent auditors in assessing whether AI governance controls are operational. In short, agentic runtime security is not just a technical solution; it is a governance control that helps meet emerging regulatory expectations for AI safety and accountability.

Conclusion

The accelerating pace of AI‑driven development and the emergence of cross‑ecosystem worms demand a security model that goes beyond perimeter inspection and static scanning. An agentic, multi‑layer defence combining WAFs with runtime observability enables organisations to detect and respond to threats within the code and dependency ecosystem. Kodem’s agent‑based platform exemplifies this approach: it scales application‑security tasks across scanning, validation and remediation; it integrates runtime evidence into WAF enforcement; and it protects non‑technical creators by turning vibe‑coded endpoints into governed, observable assets. By aligning runtime security with AI governance frameworks like ISO 42001, organisations can not only reduce risk but also demonstrate compliance and build trust. This combination of edge intelligence, execution visibility and agentic automation transforms application security from passive detection to proactive, governed defence.

References

1. Sapir, G. (2026, February 17). Introducing runtime application defense for WAF environments: Turning perimeter security into full‑spectrum application defense. Kodem.
2. Babu, M. (2025, July 28). Kodem just built the world’s only Dev to Prod Agentic Taskforce in cyber. Kodem.
3. Babu, M. (2025, March 12). ISO 42001: What it means for AI security and application security teams. Kodem.
4. Manimbo, D. (2026, January 15). Responsible AI governance and ISO 42001 explained. Schellman.
5. Cloud Security Alliance. (2026, May 1). Mini Shai‑Hulud: Multi‑ecosystem developer supply chain attack. Cloud Security Alliance – AI Safety Initiative.
6. Kodem Security Research Team. (2026, May 1). Mini Shai‑Hulud strikes PyTorch Lightning and intercom‑client: Inside the cross‑ecosystem supply‑chain attack. Kodem.

• ‍[1] [2] [3] [4] [10] [11] [12] Kodem just built the world’s only Dev to Prod Agentic Taskforce in Cyber | Kodem
  https://www.kodemsecurity.com/resources/kodem-just-built-the-worlds-only-dev-to-prod-agentic-taskforce-in-cyber‍
• ‍[5] [6] [20] Mini Shai-Hulud: Multi-Ecosystem Developer Supply Chain Attack – Lab Space
  https://labs.cloudsecurityalliance.org/research/csa-research-note-mini-shai-hulud-multi-ecosystem-supply-cha/‍
• ‍[7] [8] [9] Mini Shai-Hulud Attack: PyTorch Lightning (2.6.2, 2.6.3) and intercom-client (7.0.4) Compromised
  https://www.kodemsecurity.com/resources/mini-shai-hulud-strikes-pytorch-lightning-and-intercom-client-inside-the-cross-ecosystem-supply-chain-attack‍
• ‍[13] [14] [15] [16] [17] [18] [19] Introducing Runtime Application Defense for WAF Environments | Kodem
  https://www.kodemsecurity.com/resources/introducing-runtime-application-defense-for-waf-environments‍
• ‍[21] [22] [23] Responsible AI Governance and ISO 42001 Explained
  https://www.schellman.com/blog/iso-certifications/iso-42001-and-responsible-ai-governance‍
• ‍[24] [25] [26] ISO 42001: What it Means for AI Security and Application Security Teams | Kodem
  https://www.kodemsecurity.com/resources/iso-42001-what-it-means-for-ai-security-and-application-security-teams