The 30-Day Agent Security Checklist
Field Guide
The 30-Day Agent Security Checklist
No philosophy. No metaphors. Just the steps. Four weeks to go from 'we should probably secure our agents' to 'we have a tested, documented security posture.' Start Week 1 today.
Key takeaway
Week 1: Map every agent, its tools, data sources, and actions. Assign an owner to each one.
Key takeaway
Week 2: Deny-by-default on high-risk actions, rotate credentials, move to a secrets manager.
Key takeaway
Week 4: Run one red-team exercise per critical agent. Simulate a credential leak. Time the recovery.
You’re not going to security-conference your way out of this. No frameworks. No metaphors about castles and moats. You need to spend four weeks doing the actual work.
Here’s what done looks like: You’ve mapped every agent, documented its power and constraints, rotated every credential, logged anomalies, run a red-team exercise against the three riskiest agents, and written a recovery plan you’ve tested. Four weeks. Start today.
This post is the one you print. Tape it next to your monitor. Check off each item as you finish it. Share it with your team on Slack. By the end of Week 4, you’ll actually know what your agents can and can’t do, and you’ll have tested that your defenses work.
Week 1: Map It
An agent you haven’t inventoried is an agent you can’t secure.
Monday through Wednesday:
Go through your infrastructure. Write down every agent. Include the chatbot in your docs site, the internal automation tool, the customer service escalation system, the data pipeline agent, all of it. For each one, answer:
- What’s its primary job?
- What tools does it have access to? (List them. All of them.)
- What data sources feed it? (APIs, databases, files, user input?)
- What actions can it take? (Send email? Delete files? Update a database?)
- Who built it? Who maintains it now?
- Who owns the risk if something breaks?
Yes, this feels obvious. You’ll discover you don’t actually know the answers. That’s the point.
Thursday:
For each agent, draw its trust boundary. What’s inside the perimeter (it can do this without asking) and what’s outside (it needs human approval, a second system check, a rate limit)? Write it down.
Map data flow. Where does information come in? Where does it go? Is there a path where untrusted input could reach a high-power tool?
Friday:
Assign an owner to each agent. Not the person who built it. The person responsible if it goes wrong. That person gets a copy of your inventory. Their job for next week is to know these numbers cold.
Week 2: Lock It
Credentials in code are timed explosives. Fix the three most dangerous things in seven days.
Monday through Tuesday:
Pull your credential inventory. Where do your agents authenticate? What secrets do they hold?
If you find hardcoded keys, API tokens, database passwords anywhere in your code, your codebase, your config files, or especially in your version control history, rotate them today. All of them. Don’t move on to the next step until they’re replaced.
Move secrets into a proper secrets manager. HashiCorp Vault. AWS Secrets Manager. Azure Key Vault. Something that isn’t a text file or an environment variable in a GitHub Actions workflow.
Wednesday through Friday:
For your top 5 most-dangerous actions (the ones that could breach data, modify critical systems, send messages to users), implement deny-by-default:
- The agent can’t take that action without explicit human approval, OR
- The action goes into a queue that a human reviews before execution, OR
- The agent can only take the action if ALL of these conditions are true (rate-limited, user confirms intent, secondary validation passes).
Test each one. Make sure the deny mechanism actually works. Make sure humans know when approval is needed.
Verify least-privilege. Does your customer service agent really need access to the salary database? Does the documentation chatbot need write permissions to your product database? Shrink every agent’s permissions to only what it actually needs.
Week 3: Watch It
Attacks happen in the logs. You just have to look.
Monday and Tuesday:
Set up structured event logging. Every agent action gets logged with: timestamp, agent ID, action attempted, input received, decision made, result.
Use your existing logging system. Datadog. Splunk. CloudWatch. Doesn’t matter. The key is: every action is captured in a queryable format.
Wednesday:
For each high-risk action (the ones you locked down in Week 2), set up an alert. If that action is triggered more often than your baseline expects, you get paged. If that action fails, you get notified. If that action succeeds but the result doesn’t match the expected pattern, flag it.
Thursday and Friday:
Establish a baseline. Run your agents in normal operation for two days. What does good look like? How many successful actions? How many failures? What’s the typical response time?
Create a one-page anomaly document. “If we see X, Y, or Z, something is wrong.” Define what abnormal looks like for your environment: failed authentication spikes, unusual API call volumes, unexpected resource access patterns. Base the thresholds on your own baseline data, not generic numbers.
Document who gets notified when anomalies hit. Where does the alert go? Who responds first?
Week 4: Test It
Theory breaks in reality. Run one red-team exercise per critical agent.
Monday:
Pick your riskiest agent. The one with access to the most sensitive data, the most powerful actions, the most potential for damage.
Simulate a credential leak. Assume an attacker has its API key. What can they do? Walk through it. Write it down. Can they exfiltrate data? Modify records? Send messages to users?
Try to break your input validation. Feed the agent garbage input. Embedded instructions. Contradictory commands. See what happens.
Tuesday and Wednesday:
Document what you found. What worked? What failed? Where were you vulnerable?
Fix the worst gaps. If the agent accepted malicious input that bypassed your controls, fix it. If the credential rotated but the old one still worked somewhere, revoke it properly.
Test the fix. Make sure your fix actually stops the attack.
Thursday:
Run a credential rotation drill. Assume one of your agent’s credentials got leaked. How fast can you rotate it? How many places do you have to update? Does the agent keep working? Does the old credential stop working immediately?
Time it. From “we know the credential is compromised” to “the agent is running on new credentials and the old ones are dead.” Can you do it in 15 minutes? 5 minutes? Document the actual time.
Friday:
Write a one-page incident summary. What would happen if this agent was compromised. How would you know. What steps would you take. How long would recovery take.
Share it with the team. Make sure everyone understands the risk and the recovery plan. Then actually follow the plan once as a drill. No surprises when it’s real.
You’re Done
By end of Week 4, you have:
- Complete inventory of every agent
- Documented trust boundaries
- Credentials in a secrets manager
- Deny-by-default on dangerous actions
- Structured logging on all agent activity
- Alerts for anomalies
- One red-team exercise completed per critical agent
- A tested recovery plan
This isn’t the end of security. It’s the foundation. You’ll iterate. You’ll find gaps. You’ll break things and fix them.
But you’ll know where you stand.
Start Week 1 today.
Next: The Operator Readiness Assessment walks you through scoring yourself across five security dimensions. 15 minutes. Shows you exactly what to fix next.
Join the Intelligence Brief
Threat intelligence, agentic vulnerabilities, and engineering frameworks delivered straight to your inbox.