
AgenticCyOps: Securing Multi-Agentic AI Integration in Enterprise Cyber Operations

Shaswata Mitra, Raj Patel, Sudip Mittal, Md Rayhanur Rahman, Shahram Rahimi

TL;DR

This work introduces AgenticCyOps (Securing Multi-Agentic AI Integration in Enterprise Cyber Operations), a framework built on a systematic decomposition of attack surfaces across component, coordination, and protocol layers, revealing that documented vectors consistently trace back to two integration surfaces: tool orchestration and memory management.

Abstract

Multi-agent systems (MAS) powered by LLMs promise adaptive, reasoning-driven enterprise workflows, yet granting agents autonomous control over tools, memory, and communication introduces attack surfaces absent from deterministic pipelines. While current research largely addresses prompt-level exploits and narrow individual vectors, it lacks a holistic architectural model for enterprise-grade security. We introduce AgenticCyOps (Securing Multi-Agentic AI Integration in Enterprise Cyber Operations), a framework built on a systematic decomposition of attack surfaces across component, coordination, and protocol layers, revealing that documented vectors consistently trace back to two integration surfaces: tool orchestration and memory management. Building on this observation, we formalize these integration surfaces as primary trust boundaries and define five defensive principles: authorized interfaces, capability scoping, verified execution, memory integrity & synchronization, and access-controlled data isolation; each aligned with established compliance standards (NIST, ISO 27001, GDPR, EU AI Act). We apply the framework to a Security Operations Center (SOC) workflow, adopting the Model Context Protocol (MCP) as the structural basis, with phase-scoped agents, consensus validation loops, and per-organization memory boundaries. Coverage analysis, attack path tracing, and trust boundary assessment confirm that the design addresses the documented attack vectors with defense-in-depth, intercepts three of four representative attack chains within the first two steps, and reduces exploitable trust boundaries by a minimum of 72% compared to a flat MAS, positioning AgenticCyOps as a foundation for securing enterprise-grade integration.

Paper Structure (32 sections, 4 figures, 5 tables)


Figures (4)

  • Figure 1: (Left) Functional architecture of an agentic AI system, illustrating interactions among AI language model, tool, and memory; (Center) Multi-agent vertical and horizontal design topologies; (Right) Agentic systems integration protocol (MCP).
  • Figure 2: Validated MCP Client Server Communication. In any Agent-Tool interaction, a consensus-based validator has been shown to limit attack surfaces. The Validator is an independent component designed primarily for authorization, auditing, and context-based verification and filtration.
  • Figure 3: Secure Memory Management Architecture. A defense-in-depth approach to persistent state management includes hierarchical isolation to prevent unauthorized cross-agent retrieval and write filtering via consensus, ensuring data integrity and synchronization across shared tiers.
  • Figure 4: Multi-Agentic SOAR following our AgenticCyOps Framework. This diagram illustrates a three-pillar architecture designed to automate and orchestrate SOC incident response through agentic AI. The MCP Host serves as the central orchestrator, coordinating task planning, tool selection, and agent communication across four phase-scoped MCP Servers (Monitor, Analyze, Admin, and Report), each equipped with LLM-driven reasoning loops tailored to their respective lifecycle stage. A persistent Organizational Memory layer, accessible via a dedicated Memory Management Agent, provides shared contextual state across all agents, enabling continuity and informed decision-making throughout the full incident response lifecycle.
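The consensus-validated tool gate and per-organization memory boundary described in the abstract and in Figures 2 and 3, as an added illustration that is not the paper's code: the phase capability table, organization names, the "tampered" validator and the quorum of 2 out of 3 are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed capability scoping: tools each phase-scoped MCP server may call.
PHASE_CAPABILITIES = {
    "Monitor": {"read_alerts", "query_siem"},
    "Analyze": {"query_siem", "lookup_threat_intel"},
    "Admin":   {"isolate_host", "block_ip"},
    "Report":  {"write_report"},
}

@dataclass(frozen=True)
class ToolCall:
    agent: str   # phase of the calling agent, e.g. "Analyze"
    org: str     # organization the call acts on behalf of
    tool: str

@dataclass
class Validator:
    """Independent validator: capability scoping, org boundary, audit trail."""
    policy: dict
    audit: list = field(default_factory=list)

    def check(self, call: ToolCall, session_org: str) -> bool:
        scoped = call.tool in self.policy.get(call.agent, set())
        isolated = call.org == session_org          # access-controlled isolation
        ok = scoped and isolated
        self.audit.append((call.agent, call.tool, call.org, ok))
        return ok

def consensus_gate(call, session_org, validators, quorum) -> bool:
    """Allow the call only if at least `quorum` validators accept it."""
    return sum(v.check(call, session_org) for v in validators) >= quorum

class OrgMemory:
    """Per-organization memory tiers; every write passes the consensus gate."""
    def __init__(self, validators, quorum):
        self.validators, self.quorum, self.tiers = validators, quorum, {}
    def write(self, call, session_org, key, value) -> bool:
        if not consensus_gate(call, session_org, self.validators, self.quorum):
            return False
        self.tiers.setdefault(call.org, {})[key] = value
        return True
    def read(self, org, session_org):
        # hierarchical isolation: an agent only sees its own organization's tier
        return self.tiers.get(org, {}) if org == session_org else None

def demo() -> dict:
    honest = [Validator(PHASE_CAPABILITIES) for _ in range(2)]
    tampered = Validator({**PHASE_CAPABILITIES, "Analyze": {"isolate_host"}})
    vals, mem = honest + [tampered], OrgMemory(honest + [tampered], 2)
    return {
        "scoped_call": consensus_gate(ToolCall("Analyze", "acme", "query_siem"), "acme", vals, 2),
        "escalation": consensus_gate(ToolCall("Analyze", "acme", "isolate_host"), "acme", vals, 2),
        "cross_org": consensus_gate(ToolCall("Admin", "globex", "block_ip"), "acme", vals, 2),
        "report_write": mem.write(ToolCall("Report", "acme", "write_report"), "acme", "inc-1", "contained"),
        "foreign_read": mem.read("acme", "globex"),
    }
```

A single compromised validator cannot push an out-of-scope call past the quorum, and the audit trail records every vote, which is what a SOC reviewer would inspect after the fact.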