Pwning and Defending AI Agent Code Interpreters

Kinnaird McQuade

BSidesSF 2026 · Day 2 · AMC Theatre 14

Kinnaird McQuade, Chief Security Architect at BeyondTrust, delivered a compelling talk at BSides SF on the rapidly evolving and inherently risky landscape of **AI agent code interpreters**. The presentation, titled "Pwning and Defending AI Agent Code Interpreters," covered the architecture of these isolated execution environments, the weaknesses they commonly share, and practical defensive strategies. McQuade's central point was that while AI agents promise unprecedented productivity, the rush to adopt them, often in "YOLO" or "dangerously skip permissions" modes that let the agent run commands and code without per-action human approval, has created fertile ground for novel security threats.

AI review

McQuade brings a genuine vuln disclosure — DNS C2 through a microVM-based sandbox marketed as 'complete isolation' — and builds a coherent threat model around it. The AWS Bedrock AgentCore finding is concrete, reproducible, and timely; the broader sandbox taxonomy (execution/network/file system/credential isolation as a spectrum) gives defenders a durable mental model rather than a checklist. Minor credibility drag from the BeyondTrust affiliation, but the research stands on its own.
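The review above singles out DNS command-and-control leaving a sandbox that was supposed to be fully isolated. The page does not describe how that channel was built, so the example below does not reproduce it; it is the defender-side check a practitioner would want in place regardless: a small analyzer over a sandbox's DNS query log that flags domains receiving tunnelling-style traffic (over-long labels, high-entropy labels, many unique subdomains) and estimates how much data could have left that way. This is an added example, not code from the talk or from BeyondTrust. The log shape (source, queried name), the thresholds, the placeholder names `sandbox-7` and `c2.example.net`, and the naive last-two-labels notion of a registrable domain are all assumptions; the sample log is constructed inline.

```python
"""Flag DNS-tunnelling-style queries in an agent sandbox's DNS log.

Added example, not the talk's or BeyondTrust's code. The page does not say
how the disclosed DNS C2 channel worked; the log format, thresholds and
helper names below are assumptions chosen for illustration.
"""
import base64
import hashlib
import math
from collections import defaultdict


def _fake_tunnel_labels() -> list[str]:
    """Build DNS-safe base32 labels carrying 256 bytes of deterministic
    pseudo-random data, chunked the way a tunnelling client would chunk an
    upload. Constructed data, not captured traffic."""
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
    return [
        base64.b32encode(payload[i:i + 25]).decode().rstrip("=").lower()
        for i in range(0, len(payload), 25)
    ]


# Constructed sample log: (source sandbox, queried name). Three ordinary
# package/API lookups followed by an assumed tunnel to c2.example.net.
SAMPLE_QUERIES = [
    ("sandbox-7", "pypi.org"),
    ("sandbox-7", "files.pythonhosted.org"),
    ("sandbox-7", "api.github.com"),
] + [("sandbox-7", f"{label}.c2.example.net") for label in _fake_tunnel_labels()]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple[str, list[str]]:
    """Treat the last two labels as the registrable domain and return
    (domain, subdomain_labels). Real code should consult the public suffix
    list; the two-label shortcut is an assumption that suits the sample."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def analyze(queries, max_label_len=30, min_entropy_len=16,
            max_entropy=3.5, max_unique_subdomains=8):
    """Return {(source, domain): set(reasons)} for domains whose queries look
    like a tunnel. Thresholds are assumptions; tune them on your own baseline."""
    subdomains = defaultdict(set)   # (src, domain) -> distinct subdomain strings
    reasons = defaultdict(set)      # only populated for flagged keys
    for src, qname in queries:
        domain, sub = split_name(qname)
        key = (src, domain)
        if sub:
            subdomains[key].add(".".join(sub))
        for label in sub:
            if len(label) > max_label_len:
                reasons[key].add("long-label")
            if len(label) >= min_entropy_len and shannon_entropy(label) > max_entropy:
                reasons[key].add("high-entropy-label")
    for key, subs in subdomains.items():
        if len(subs) > max_unique_subdomains:
            reasons[key].add("many-unique-subdomains")
    return dict(reasons)


def estimated_bytes_carried(queries, src: str, domain: str) -> int:
    """Rough estimate of data that could have left in subdomain labels for
    one (source, domain), assuming base32 at 5 bits per character (the
    encoding used by the constructed sample; real tunnels vary)."""
    chars = 0
    for q_src, qname in queries:
        d, sub = split_name(qname)
        if q_src == src and d == domain:
            chars += sum(len(label) for label in sub)
    return chars * 5 // 8


if __name__ == "__main__":
    for key, why in analyze(SAMPLE_QUERIES).items():
        print(key, sorted(why), estimated_bytes_carried(SAMPLE_QUERIES, *key), "bytes")
```

Each heuristic is weak on its own (CDNs and anti-spam services also produce long, noisy labels), which is why the analyzer reports the set of reasons per domain rather than a single score; a domain that trips all three from a sandbox that should only reach a package mirror is worth an alert, and the byte estimate gives the responder a sense of scale. The stronger fix, which the review's taxonomy points at, is to not let the sandbox resolve arbitrary names in the first place and to treat DNS as an egress path that needs the same policy as TCP.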
