VYPR
Research · Published Mar 9, 2026 · Updated May 20, 2026 · 1 source

TrendAI at [un]prompted 2026: Document Exploits Against KYC Pipelines and FENRIR Vulnerability Discovery System

Trend Micro researchers demonstrated document-based exploits against AI-driven KYC pipelines and introduced FENRIR, an automated system for discovering AI vulnerabilities at scale.

At the [un]prompted 2026 conference, held March 3-4 in San Francisco, Trend Micro's TrendAI team presented two sessions covering both offensive and defensive AI security research. The first session, led by Principal Threat Researcher Sean Park, demonstrated how AI-driven Know Your Customer (KYC) verification pipelines can be exploited through malicious documents. The second session introduced FENRIR, an automated vulnerability discovery system that has already produced over 60 published CVEs across AI and MCP components.

Sean Park's talk, titled "When Passports Execute: Exploiting AI Driven KYC Pipelines," revealed that KYC systems are not simple text extractors but full execution environments. Using a real-world stack built with FastAPI, Claude Code, and a SQLite MCP backend, Park's team embedded hidden "injects" inside a passport image that tricked the AI agent into reading and writing data across different customer records. This allowed them to leak other customers' data directly into the verification page without bypassing traditional security controls. The team scaled this into 2,600 automated tests across 13 different models, demonstrating high success rates for such injection attacks.
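One way to limit the cross-record reads and writes described above is to give the agent's SQL tool a private copy of only the session customer's row, then copy back only allowlisted columns. This is an added example, not code from the talk or from Trend Micro; the `customers` schema, the writable-column allowlist and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

COLUMNS = ("id", "name", "passport_no", "status", "notes")  # assumed schema
AGENT_WRITABLE = ("status", "notes")                        # assumed allowlist

def snapshot_for_agent(src, customer_id):
    """Copy the session customer's row into a private in-memory DB for the agent."""
    row = src.execute(f"SELECT {', '.join(COLUMNS)} FROM customers WHERE id = ?",
                      (int(customer_id),)).fetchone()
    if row is None:
        raise LookupError("unknown customer")
    scratch = sqlite3.connect(":memory:")
    scratch.execute(f"CREATE TABLE customers ({', '.join(COLUMNS)})")
    scratch.execute("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", row)
    scratch.commit()
    return scratch

def commit_back(src, scratch, customer_id):
    """Write only allowlisted columns of the session's own row back to the real DB."""
    cid = int(customer_id)  # comes from the authenticated session, never from the model
    try:
        row = scratch.execute(f"SELECT {', '.join(AGENT_WRITABLE)} FROM customers "
                              "WHERE id = ?", (cid,)).fetchone()
    except sqlite3.DatabaseError:
        row = None  # the agent dropped or altered the scratch table
    if row is None:
        return False  # nothing trustworthy to copy back
    sets = ", ".join(f"{c} = ?" for c in AGENT_WRITABLE)
    src.execute(f"UPDATE customers SET {sets} WHERE id = ?", (*row, cid))
    src.commit()
    return True

def sample_db():
    """Constructed sample data: two customers awaiting verification."""
    src = sqlite3.connect(":memory:")
    src.execute(f"CREATE TABLE customers ({', '.join(COLUMNS)})")
    src.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)",
                    [(1, "Alice Example", "X0000001", "pending", ""),
                     (2, "Bob Example", "X0000002", "pending", "")])
    src.commit()
    return src

if __name__ == "__main__":
    src = sample_db()
    scratch = snapshot_for_agent(src, 1)
    # Cross-record statements of the kind the talk describes, run against the copy:
    print(scratch.execute("SELECT name, passport_no FROM customers").fetchall())
    scratch.execute("UPDATE customers SET notes = 'leak' WHERE id = 2")
    scratch.execute("UPDATE customers SET name = 'Changed', notes = 'ok' WHERE id = 1")
    print(commit_back(src, scratch, 1))
    print(src.execute("SELECT id, name, notes FROM customers ORDER BY id").fetchall())
```

The values the agent writes to the allowlisted columns are still untrusted input and need their own validation before anything downstream acts on them.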

The second session, presented by Threat Hunting Senior Manager Peter Girnus and Threat Researcher Demeng Chen, introduced FENRIR—a multi-stage system that scales from static analysis to human validation. FENRIR processes large codebases using a combination of CodeQL, Semgrep, YARA-X, SpotBugs, and two tiers of LLM reasoning. The system is designed to eliminate more than 90 percent of false positives before a human researcher sees a result. Once a true positive reaches an analyst, it already comes with an exploit proof, an auto-generated report, and threat intel artifacts.

FENRIR's impact has been substantial: it has already produced more than 60 published CVEs across AI and MCP components, over 100 additional vulnerabilities in pre-disclosure with Trend Micro's Zero Day Initiative (ZDI), and more than 3,000 findings queued for further review. This automated approach aims to help defenders find weaknesses faster than attackers can exploit them.

The research underscores a critical shift: as AI systems become more integrated into business processes, traditional data can now act as code. Documents uploaded for verification can become executable attack surfaces, even when guarded with strict schemas. TrendAI's work at [un]prompted 2026, alongside industry leaders like OpenAI, NVIDIA, and Anthropic, highlights the need for comprehensive security postures that treat every AI pipeline as a high-stakes execution environment.

Synthesized by Vypr AI