Every novel agent binary is a credit default swap with no rating agency. We log them, classify them, and watch the spreads widen.

Why Stranger Agents Matter Now

Three new agent binaries crossed our triage threshold this past month. None of them appeared in any procurement register we have visibility into. None of them were tagged in the vendor catalogs of the major TPRM tools we audit against. All three were running on at least one endpoint inside a customer deployment, all three had broad filesystem scope, and all three had been there for at least two weeks before anyone in security noticed.

This is the agent equivalent of a zero-day binary surfacing in EDR telemetry from a vendor no one has heard of. The detection works. The follow-up — “what is this thing, who shipped it, what should our policy be” — is the work that consumes the next week. Mark-to-market on these positions is the job.

| Stranger-Agent Pattern | What the Signature Pipeline Sees |
|---|---|
| Organizations with at least one AI agent security incident in the last year | 88% (Ospiri research, 2026) |
| Average shadow-AI premium per incident above the cyber breach baseline | +$670K |
| Share of new binaries with no clean procurement attribution on first sighting | Routinely about half |
| Time from first execution on an endpoint to security triage | Typically weeks, not hours |

These ranges come from active deployments — what surfaces when an agent observability feed is pointed at a real engineering fleet. They are not survey data. They are the same kind of telemetry an EDR vendor uses to seed a detection corpus, only the artifact is an agent the user installed on purpose.

Vendor-Renaming Is the Dominant Hiding Mechanism

The most consistent finding from this quarter is not a new agent. It is a new vendor-renaming pattern. An agent gets purchased under one product name, ships a binary under a different name, and any procurement linkage breaks at install time. By the time the binary surfaces on a discovery sweep, the contract that authorized it is two layers of indirection away.

| Renaming Pattern | What It Looks Like | Why It Hides |
|---|---|---|
| Acquired-product rebrand | Vendor A buys vendor B; the binary keeps vendor B’s name on disk | Procurement register lists vendor A; nobody searches for the old name |
| White-label resale | One upstream binary, two reseller brands | Two procurement entries reference the same underlying agent |
| OSS-fork commercial release | Open-source agent rebranded for enterprise sale | Binary name on disk ≠ name on the MSA |
| Dark-web rename | Modified fork distributed under an unrelated brand | No procurement linkage ever existed |

The dark-web variant is the one worth tracking. Modified forks of legitimate agents — sometimes with the plan-execution loop intact and a small exfiltration path bolted on — circulate under names that have nothing to do with the original. A developer downloading what they think is a productivity tool gets an agent whose loop has been quietly altered. The binary still does the helpful thing. It also does one other thing.

The first three patterns are not adversarial. They are the ordinary commercial reality of M&A, channel partnerships, and OSS-to-commercial conversion. They still produce the same effect on the TPRM register, which is that the agent running on an endpoint and the contract authorizing it cannot be matched without manual work.

What the Signature Pipeline Actually Catches

The pipeline is a signature-distribution model — the same architectural pattern AV vendors built three decades ago, applied to a new threat class. When a stranger agent surfaces on any customer endpoint, we fingerprint it, capture its persistence and permission scope, and propagate the signature out to every other customer’s inventory feed. The first customer pays the discovery cost. The next twenty get coverage at no marginal latency.

  1. Binary fingerprint. Cryptographic hash plus structural signature — catches renamed variants of the same core agent even when the on-disk name has changed.
  2. Persistence indicator. Registry keys, launchd plists, cron entries, login items — wherever the agent reattaches itself to the system after a reboot or session close.
  3. Permission scope at runtime. Filesystem surface, network egress destinations, IPC and MCP attachments observed when the agent is actually doing work.
  4. Vendor-attribution attempt. Match against procurement registers and known-binary catalogs; flag explicitly when no match exists, then propagate the flag.

The model works for the same reason AV signature distribution worked: the discovery cost is paid once and the protection compounds across the install base. The difference is that the artifact is not a virus. It is an agent the user installed on purpose, with permissions broader than any enterprise application that ever passed the procurement gate. The “signature” describes what the agent is and what it can do, not what makes it malicious.
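An added example, not the vendor's pipeline code, of steps 1 and 4 above: an exact hash match, a structural match that survives a modified fork, and an explicit unattributed flag. Assumptions: the structural signature is modelled as the set of per-section content hashes, and every name, section body and contract ID is a constructed placeholder.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def file_hash(sections: dict) -> str:
    return sha256_hex(b"".join(sections.values()))

def structural_sig(sections: dict) -> frozenset:
    # Assumption: "structure" = set of per-section content hashes, names ignored.
    return frozenset(sha256_hex(body) for body in sections.values())

def attribute(observed: dict, catalog: list, threshold: float = 0.7) -> dict:
    # Match one observed binary against a known-binary catalog.
    digest = file_hash(observed["sections"])
    sig = structural_sig(observed["sections"])
    result = {"name": observed["name"], "verdict": "unattributed",
              "related_to": None, "renamed": False, "contract": None}
    best = (False, 0.0)  # (exact hash match, similarity score)
    for entry in catalog:
        known = structural_sig(entry["sections"])
        exact = digest == file_hash(entry["sections"])
        # Jaccard overlap of section hashes tolerates an added or patched section.
        score = 1.0 if exact else len(sig & known) / len(sig | known)
        if score >= threshold and (exact, score) > best:
            best = (exact, score)
            result.update(
                verdict="exact-hash" if exact else "structural-variant",
                related_to=entry["binary"],
                renamed=observed["name"] != entry["binary"],
                # Design choice in this example: only byte-identical binaries
                # inherit the contract; variants go to manual review.
                contract=entry["contract"] if exact else None)
    return result

# Constructed sample data: section bodies are placeholders, not real binaries.
CORE = {"plan_loop": b"PLAN" * 64, "tool_router": b"TOOL" * 64,
        "updater": b"UPDT" * 64, "ui": b"UIUI" * 64}
CATALOG = [{"binary": "helper-agent", "contract": "MSA-PLACEHOLDER-001",
            "sections": CORE}]
OBSERVED = [
    {"name": "acme-assist", "sections": dict(CORE)},  # rebrand, same bytes
    {"name": "quicknotes-pro",                        # fork plus one added section
     "sections": {**CORE, "extra": b"XTRA" * 64}},
    {"name": "mystery-agent", "sections": {"a": b"AAAA" * 64, "b": b"BBBB" * 64}},
]

if __name__ == "__main__":
    for item in OBSERVED:
        print(attribute(item, CATALOG))
```

The 0.7 threshold is illustrative; the forked sample shares four of five section hashes (0.8), so it is flagged as a variant even though its file hash and on-disk name both differ.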

Why Signature Distribution Beats the Obvious Alternatives

Some buyers reach for purely behavioral detection — UEBA-for-agents, anomaly scoring against a baseline. That has a role, but it does not solve the cold-start problem. The first endpoint where a stranger agent runs has no baseline; the agent’s behavior is the baseline by definition. Signature distribution is the cold-start fix.

| Approach | What It Catches | Cold-Start Behavior |
|---|---|---|
| Pure behavioral (UEBA-style) | Drift from an established baseline per endpoint | First sighting is the baseline; no alert fires |
| Procurement-list match only | Anything not on the approved list | Fails when the binary has been renamed |
| Signature distribution | Known stranger-agent binaries across the install base | First sighting alerts every other customer |
| Kernel-scope policy | The action regardless of agent identity | Always-on; identity-agnostic guardrail |

The full stack is all four working together. Signature distribution catches the known strangers fast. Kernel-scope policy contains the unknowns by limiting what any agent — friendly or stranger — can actually do at the OS layer. UEBA adds value once the baseline has weeks of data. Procurement-list matching closes the loop with the contracts side of the house. None of these is sufficient alone; together they cover the failure modes that any one of them misses.

Where This Lives in the Existing Stack

The signature feed is not a replacement for EDR or DLP. It is an instrumentation feed that those tools cannot generate themselves, because their telemetry is one layer too high. EDR sees a process; it does not see the agent’s plan or its permission envelope. DLP sees a file move; it does not see which agent requested it.

| Layer | Sees | Does Not See |
|---|---|---|
| EDR (CrowdStrike, SentinelOne, Defender) | Process behavior, syscalls, persistence | Whether the process is an agent or what its scope is |
| DLP (Symantec, Forcepoint, Microsoft Purview) | File movement and classification | Agent-mediated transformations and paste-into-prompt flows |
| Prompt guardrails (Lakera, Protect AI) | Prompt and response content | What the agent does at the OS once the prompt resolves |
| Signature feed + agent firewall | Binary identity, scope, runtime action | Things outside the agent boundary |

The signature feed feeds the kernel-scope policy. The kernel-scope policy makes the signature feed actionable — knowing what a binary is and what it can do is only useful if you can also constrain what it actually does. Reporting without enforcement is a research project.

What CISOs Should Do This Quarter

| Step | Action | Output | Effort |
|---|---|---|---|
| 1 | Subscribe to a stranger-agent signature feed | Coverage for binaries already surfacing across the install base | Half a day |
| 2 | Cross-walk the procurement register against actually installed binaries | A measured vendor-renaming gap | 2–3 days |
| 3 | Pilot a kernel-scope policy on the three strangers with the broadest permission scope | Working containment on the most exposed binaries | 1 week |
| 4 | Brief procurement on the vendor-renaming pattern | A TPRM register that survives a marketing rebrand | 1 meeting |

Step 2 is where the budget conversation finally gets concrete numbers. A 1,000-endpoint org that runs the cross-walk routinely finds that a meaningful share of installed agents do not map cleanly to any contract. That gap is what an agent governance program is sized against, and it is much easier to fund a control after the gap has a number next to it.

The Bottom Line

Stranger agents are not a future-tense problem. They are already running on customer endpoints we monitor, and the rate of new binaries crossing the triage threshold has accelerated each of the last few quarters. Vendor-renaming is the dominant hiding mechanism — not adversarial obfuscation, just the normal commercial reality of acquisitions, channel resale, and OSS-to-commercial rebrands. The signature distribution model from the AV era is the architectural fit, applied to an artifact that is no longer a virus but an agent the user installed on purpose.

If your team is sizing this for the 2026 budget cycle, request a working session. We will run our signature feed against a slice of your fleet, surface the strangers, and scope a kernel-scope deployment that closes the enterprise gap. Ninety minutes.