Welcome to our Cyber Security News Aggregator.

Cyber Tzar provides a cyber security risk management platform, including automated penetration tests and risk assessments culminating in a "cyber risk score" out of 1,000, just like a credit score.

Why AI agent containers need a syscall-level observer: the prompt injection blind spot

published on 2026-02-20 19:51:18 UTC by /u/M4r10_h4ck
Content:

Hello r/netsec 👋

When an AI agent gets prompt-injected, it controls its own logs. If the injected instructions say "do this quietly," it does it quietly. The orchestrator sees normal completions. Your observability tooling sees what the agent reports.

You need an observation point the agent cannot influence. That means going below the application layer.

Any real action in the world eventually becomes a syscall. Exfiltrating data requires connect(). Reading /etc/shadow requires open(). Spawning a shell requires execve(). The kernel does not negotiate with the agent about whether to record them.

eBPF is the right primitive here: you attach to tracepoints inside the kernel; the observed process never blocks and never detects the observer. Combined with cgroup-based filtering you can isolate exactly one container on a busy host with negligible overhead.

A compromised agent has a recognizable syscall signature: net_connect to an unexpected IP, file_open on credential files, process_exec spawning bash or curl with injected arguments. You can alert on deviations from a behavioral baseline in real time, before the exfiltration completes, regardless of what the agent reports.

I built Azazel to validate this: https://github.com/beelzebub-labs/azazel

Prompt-level defenses matter, but a deployed agent needs a layer that does not depend on the model's cooperation. The syscall layer has always been that layer for traditional software.

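The baseline-deviation logic the post describes, as an added example that is not Azazel's code and not part of the original post: a constructed stream of syscall events in the shape a kernel-side tracer might emit is first narrowed by cgroup id, then checked against an assumed behavioral baseline (allowed connect destinations and exec targets, plus credential-path reads). The cgroup id, field names, baseline entries and event values are all assumptions for illustration.

```python
"""Baseline-deviation detector over syscall events from a kernel-side tracer."""
from dataclasses import dataclass
from typing import List, Optional

AGENT_CGROUP = 4242  # assumed: cgroup id of the one agent container being watched

# Hypothetical behavioral baseline recorded from a clean run of the agent.
BASELINE = {
    "net_connect": {"10.0.0.5:443"},        # the model/API endpoint the agent may call
    "process_exec": {"/usr/bin/python3"},   # binaries the agent legitimately execs
}
# Paths whose file_open should always raise an alert, whatever the baseline says.
CREDENTIAL_PATHS = ("/etc/shadow", "/.ssh/", "/.aws/credentials")


@dataclass(frozen=True)
class Event:
    cgroup: int   # cgroup id of the process that made the syscall
    kind: str     # net_connect | file_open | process_exec
    arg: str      # destination ip:port, opened path, or executed binary


def in_agent_cgroup(e: Event) -> bool:
    """cgroup filter: ignore every other container on the host."""
    return e.cgroup == AGENT_CGROUP


def deviation(e: Event) -> Optional[str]:
    """Return an alert string if the event departs from the baseline, else None."""
    if e.kind == "file_open" and any(p in e.arg for p in CREDENTIAL_PATHS):
        return f"credential file read: {e.arg}"
    allowed = BASELINE.get(e.kind)
    if allowed is not None and e.arg not in allowed:
        return f"unexpected {e.kind}: {e.arg}"
    return None


def detect(events: List[Event]) -> List[str]:
    """Alerts for the watched container only, in event order."""
    alerts = [deviation(e) for e in events if in_agent_cgroup(e)]
    return [a for a in alerts if a is not None]


# Constructed sample stream: a prompt-injected agent reading creds, then exfiltrating.
SAMPLE = [
    Event(4242, "net_connect", "10.0.0.5:443"),         # normal model call
    Event(4242, "file_open", "/etc/shadow"),            # credential read
    Event(4242, "process_exec", "/usr/bin/curl"),       # unexpected binary
    Event(4242, "net_connect", "198.51.100.7:443"),     # unexpected destination
    Event(7777, "net_connect", "198.51.100.7:443"),     # other container, filtered out
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print("ALERT", alert)
```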
https://www.reddit.com/r/netsec/comments/1ra5k54/why_ai_agent_containers_need_a_syscalllevel/
Published: 2026-02-20 19:51:18
Received: 2026-02-20 20:07:34
Feed: /r/netsec - Information Security News and Discussion
