Perfectly Compliant, Completely Compromised

Your AI agent approved the vendor, sent the status email, processed the payment, and exfiltrated customer PII to an attacker's dead drop. All in a single turn, all following its instructions perfectly. This wasn't a jailbreak. The tool metadata the agent trusted had been quietly rewritten, and from its perspective, it was just doing its job.

This session is a live attack-to-defense demo built on OWASP FinBot CTF, an intentionally vulnerable multi-agent fintech platform created by the OWASP GenAI Security Project community as the "Juice Shop for Agentic AI." With real MCP-connected agents handling vendor onboarding, compliance review, and payments, we walk through an attack that maps directly to the OWASP Top 10 for Agentic Applications.

Act I: The Kill Chain. We assume a compromised supply chain. An attacker has already poisoned an MCP tool description with compliance-framed exfiltration logic that no model will refuse. A routine admin request triggers the full chain: vendor lookup, PII harvesting, BCC exfiltration, and payment. The output is clean and professional the entire way.

Act II: The Guardrail. Without removing the poison, we deploy a lightweight before-tool webhook (~40 lines) that inspects tool invocations in real time. We replay the identical scenario and watch it get surgically blocked. Benign lookups pass, outbound exfiltration is caught. Targeted, behavior-based defenses can neutralize attacks at runtime without crippling agent functionality.
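A sketch of the kind of before-tool check Act II describes, written here as an added example rather than the FinBot CTF's own webhook: read-only tools pass untouched, while an outbound email with a hidden external BCC, or with PII addressed outside the trusted domain, is refused. The tool name `send_email`, its argument names, the `finbot.example` domain and the PII patterns are all assumptions for illustration.

```python
import re

# Assumed: the organisation's own mail domain; any other recipient is outbound.
TRUSTED_MAIL_DOMAINS = {"finbot.example"}

# Coarse PII detectors for the demo (SSN-style and card-number-style tokens).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def _recipients(value):
    """Normalise a to/cc/bcc argument (string or list) to a list of addresses."""
    if not value:
        return []
    return [value] if isinstance(value, str) else list(value)


def _external(addr):
    return addr.rsplit("@", 1)[-1].lower() not in TRUSTED_MAIL_DOMAINS


def before_tool(tool_name, args):
    """Inspect one tool invocation before it executes.

    Returns a list of block reasons; an empty list means the call may proceed.
    Read-only tools (vendor lookup, balance check) pass untouched; only the
    assumed `send_email` tool is examined, so agent functionality is not crippled.
    """
    if tool_name != "send_email":
        return []
    reasons = []
    # A hidden recipient outside the trust boundary is the Act I exfiltration signature.
    if any(_external(r) for r in _recipients(args.get("bcc"))):
        reasons.append("external BCC recipient")
    # PII in a message that leaves the trust boundary is blocked whichever field carries it.
    everyone = [r for f in ("to", "cc", "bcc") for r in _recipients(args.get(f))]
    text = f"{args.get('subject', '')}\n{args.get('body', '')}"
    hits = [name for name, pat in PII_PATTERNS.items() if pat.search(text)]
    if hits and any(_external(r) for r in everyone):
        reasons.append("PII (%s) addressed outside trusted domains" % ", ".join(hits))
    return reasons


if __name__ == "__main__":
    # Constructed replay of the Act I status email carrying a poisoned BCC.
    print(before_tool("send_email", {
        "to": "admin@finbot.example",
        "bcc": ["drop@attacker.invalid"],
        "body": "Vendor approved. SSN on file: 123-45-6789",
    }))
```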

Key Takeaways:

1. Why tool metadata is the most underestimated attack surface in agentic AI
2. A practical mental model for the three boundaries where agents fail (goals, tools, memory)
3. An open-source platform and micro-CTF to practice these attacks hands-on

Venkata Sai Kishore Modalavalasa

Chief Architect, Straiker | OWASP Contributor

San Francisco, California, United States
