Disrupting AI Espionage: A Story by Waylon Krush

I recommend reading this excellent article by Claude: https://www.anthropic.com/news/disrupting-AI-espionage. 

They seem to be the most transparent LLM company. I was in the Intelligence community too long to trust anything written on the internet without checking multiple sources. Luckily, we are one of those sources for this type of event. Long before AI companies began publicly acknowledging AI jailbreaks, those of us working in the trenches were already watching them evolve in real time. Jailbreaking LLMs didn’t start last year or even the year before — it started the moment clever humans realized they could socially engineer an AI model just as effectively as any human.

The First Wave: Outsmarting Guardrails

In the early days of generative AI, we saw a surge of “innocent-looking” prompts designed to slip past guardrails. Someone would upload an employee’s photo, ask the model to “put them in a swimsuit,” then “make the swimsuit smaller,” then “adjust the lighting,” and before long, the model had generated content the employee never consented to. Each step was technically harmless—but the cumulative prompt sequence achieved what one big, explicit request never would. This is, of course, an HR nightmare, so we decided to add AI ethics checks to our platform right away. I mean, we are used to catching inappropriate use of systems in Cyber all the time, but creating inappropriate material is something AI has made so easy.

Another popular attack was the bomb-making jailbreak. It always started with history:

• “Tell me about historical explosives.”
• “What ingredients were common?”
• “How did they function?”

By swapping prohibited words with synonyms or disguised phrasing, the user could eventually extract actionable guidance. To stop this, you have to think like an adversary—not like a software engineer. That’s why at ZeroTrusted.ai, we built a context-aware dirty word system and an AI Judge that tracks the intent across the prompt chain, not just each individual message. I also think that AI agents are built to jailbreak LLMs – they keep trying to answer the question or execute the task, whether it falls within the organization’s policy or not.

The Second Wave: Adversarial Code & Nation-State Behavior

As LLMs matured, sophisticated actors started using them to generate adversarial code snippets that could compromise a system or backdoor an application. This wasn’t theoretical. It was happening the moment ChatGPT and Claude became even remotely competent at code synthesis. Okay, before I get basted here, including my business partner Femi Fashakin, who still considers these tools only viable for script kiddies, as a script kiddie that came up in the cyber business, they are much better than that, and getting better every day.

We’re currently working with Defense partners to detect exactly these transactions. Not just the obvious malicious requests, but the subtle, incremental ones — where a model that’s been adversarially primed starts quietly generating code that increases attack surface, leaks secrets, or grants privilege escalation. It’s no different from insider threat analysis, except the “insider” is a machine. Also, this insider loves to train on your data and give these insider secrets to anyone that asks – including insider and external threat actors.

The Third Wave: When Everyone Wanted Our Tool… Including Hackers

When ZeroTrusted.ai won Product of the Day on Product Hunt, we were thrilled. But success has a shadow. Overnight, we saw a surge of personal Gmail signups. Nothing wrong with that—at first.

Then we noticed something.

People were using our anonymization features and obfuscation to cover their tracks. They disabled all security and privacy guardrails but kept the reliability enabled so they could still get high-quality outputs. In other words, criminals were trying to use ZeroTrusted.ai as the perfect laundering tool for malicious prompts.

We shut that down fast.

Business email required. Identity checks in place. ZeroTrust enforcement on accounts and on agents.

When your platform is powerful enough to catch attackers, it is—by definition—powerful enough to be exploited by them. So, we shut the door before it opened. I learned this lesson the hard way in my last company when we created an offensive security platform that was tailored to Government missions. Someone got hold of the code (an insider or punk/hater Government contractor) and pasted it on the dark web, and all of a sudden, we had to protect customers from the technology we created. I also want to call out those hackers for their marketing capabilities – they sold more copies than we did… They actually made a YouTube video in English, Spanish, and Italian, and also fixed some of our technical debt and morphed the tool very fast.

The Real Problem No One Talks About: AI Incidents Are Already Happening Every Day

The Anthropic article was good—but it misses the larger, more urgent problem.

Most AI, privacy, and cybersecurity teams don’t realize they already have:

• Daily privacy incidents from Shadow AI, and
• Hourly or even per-second incidents from Embedded AI and Agents.

Employees are already uploading your most sensitive documents to unsanctioned AI systems. How do you think they built that stunning PowerPoint deck in a single afternoon? They didn’t do it manually. They used AI—and probably not your enterprise-sanctioned one.

This is Shadow AI. This is Embedded AI. This is already a breach vector. And most organizations don’t even know it’s happening – or worse, know and are executing the Ostrich Leadership Principles of sticking their head in the ground when bad things are happening around them.

If your employees are using MCP (Model Context Protocol) tools, third-party agents, or agent-to-agent (A2A) workflows, you’re no longer dealing with daily incidents; you’re dealing with machine-speed incidents. Every minute. Every second. This is also a reason we have the belief that all future security and privacy will be AI vs. AI or good AI vs. Evil AI. Humans will just not be fast enough to identify and respond to these issues. This is why Claude focuses on putting a spotlight on potential issues, while some of the other companies hide or compartmentalize their problems with their models and agents. One of these model companies needs to build good AI, while the others focus on creating our terminator.

You Can’t Wait for “AI to Mature” — It Will Outpace You

A lot of executives think they can “wait for the dust to settle.” They think the AI boom is a phase. They think they’ll adopt later, after the risks calm down.

Let me be clear:

If you wait, you won’t be around to adopt anything. AI is the most powerful productivity tool humanity has ever created.

It is also the most scalable attack surface ever created. Both truths coexist.

Our Mission: Full-Spectrum Control & Visibility

ZeroTrusted.ai was built for one reason:

To give enterprises full-spectrum control over their AI—every model, every agent, every workflow—without slowing down innovation. We want AI to win – Good AI – AI that is trained to help, not kill you or kill your business.

That means:

• Real-time monitoring
• Real-time incident detection
• Real-time policy enforcement
• Real-time AI Judge oversight
• Real-time protection from Shadow AI, Embedded AI, and Adversarial AI
• Real-time and overtime visibility into what your people and your AI are doing.

Bad habits become addictions quickly when the habit is AI. Our job is to catch sparks before they become fires.

Why I Built ZeroTrusted.ai

I’ve spent my life in cybersecurity—Army, DoD, Intelligence Community, and large enterprises. I’ve seen every kind of threat. And for the first time in my career, I’m watching a threat ecosystem evolve faster than organizations can comprehend it. This is happening at the speed of AI, which is difficult to comprehend or even keep up with.

I knew AI would be:

• The greatest productivity force of our lifetimes,
• The greatest espionage tool ever invented, and
• The greatest threat vector we have ever faced.

That’s why we built ZeroTrusted.ai. Not to slow AI down. But to give organizations the ability to adopt AI safely, responsibly, and aggressively—without destroying themselves or others in the process.