Mandiant Offers Blueprint for Secure AI Integration in Vulnerability Management
Mandiant outlines best practices for integrating AI agents into CI/CD pipelines for vulnerability management, addressing architectural risks and proposing operational guardrails.

The accelerating pace of cyber threats, highlighted by vulnerabilities being exploited even before patches are available, is pushing security teams to explore advanced solutions. Mandiant's latest guidance focuses on the integration of Large Language Model (LLM) agents into development workflows, specifically within Continuous Integration and Continuous Delivery (CI/CD) pipelines, to automate vulnerability discovery and remediation.
However, the introduction of powerful AI agents into these critical systems without robust security protocols introduces significant architectural risks. Mandiant Consulting has developed a blueprint to address these concerns, offering actionable strategies for establishing operational guardrails. The core recommendation is to combine AI capabilities with deterministic controls and human oversight to maximize benefits while minimizing potential dangers.
To safely deploy AI agents, organizations must extend existing security standards into the AI execution environment. Frameworks like Google's Secure AI Framework (SAIF) provide a practical path. Key considerations include pre-agent data security, ensuring agents cannot access sensitive information like Personally Identifiable Information (PII) or Protected Health Information (PHI). This involves using synthetic data for testing and implementing a defense-in-depth model in production, featuring policy engines and specialized guard models to filter malicious inputs and prompt injections.
Organizations must also navigate limitations imposed by cloud and LLM providers, which often block automated security probing. Establishing clear rules of engagement and authorized testing agreements is crucial. Furthermore, strict Zero Data Retention (ZDR) agreements with LLM providers are essential to prevent proprietary code and discovered vulnerabilities from being used for external model training.
Workload isolation is another critical component. AI agent workloads should run in strictly isolated, unprivileged containers with dynamically limited privileges. This sandboxing approach contains the blast radius if an agent is compromised or hallucinates destructive commands, preventing privilege escalation and limiting the potential damage.
Before deploying autonomous vulnerability scanners, human-led red teaming of the AI agents themselves is paramount. This validation process ensures the agents are resilient against jailbreaks, recursive logic loops, and complex prompt injections, preventing the security tooling from becoming an attack vector itself. Additionally, agents should operate under strictly scoped machine identities with human controllers, utilizing short-lived, just-in-time (JIT) tokens to enforce the principle of least privilege.
The integration of third-party skills and model context protocol (MCP) servers introduces supply chain risks. These integrations should be treated as untrusted components, as they can be susceptible to supply chain poisoning through malicious updates. Security teams must also evaluate the underlying agent orchestration frameworks for inherent vulnerabilities.
Finally, Toxic Flow Analysis (TFA) and monitoring observable actions are vital. TFA monitors data paths at runtime to prevent sensitive internal context from being exfiltrated to unvetted external endpoints, ensuring that the AI's operations remain secure and contained.