27 Seconds to Breakout: Why Identity Is the Only Perimeter Left

A reported 27-second lab breakout, from hijacked browser session to shell, sits outside what wall-based defense was built for. Per-action signed identity...

5 min read

One threat analysis of agentic systems reported a breakout time of 27 seconds: the gap between a compromised browser session and arbitrary shell execution. That figure deserves a caveat up front. It is a worst-case laboratory benchmark from a single source, not an accepted industry baseline, and real-world breakout times vary widely by environment. But even if actual numbers run several times slower, the scenario it describes falls outside the assumptions most defensive architecture was built on.

We spent a decade building walls around machines. Network segmentation, VLANs, zero-trust perimeters, egress filtering. All of it assumes the attacker is outside trying to get in, and that detection plus response happens on human timescales. An autonomous agent under hostile control breaks both assumptions at once.

The attacker is already inside the perimeter

A hijacked agent runs as a trusted process, with legitimate credentials, on a machine you own, doing things that look like its job. It reads files and calls APIs because that is its job. Prompt injection or a poisoned tool response repurposes something that was always inside your perimeter.

Segmentation does not help here. The agent already sits in the segment with the data. The wall is behind the attacker.

Human-speed defense cannot answer machine-speed compromise

Reactive security assumes a window between compromise and damage, a window in which logs get ingested, alerts fire, and someone triages. Machine-speed attacks close that window before any human-scale process opens. Worse, the hostile activity often looks like ordinary agent behavior, so anomaly rules keyed to network patterns may never fire at all.

From guarding machines to signing actions

If you cannot build a wall the attacker is not already behind, and you cannot react faster than the attack executes, one credible architectural direction remains: make each individual action carry its own proof of legitimacy. To be clear, this is a design argument, not a description of a deployed standard, and it comes with serious unsolved engineering costs discussed below.

Concretely, it means a cryptographically signed identity lease attached to every discrete step an agent takes:

  • Every tool call. The unit of authorization becomes "this specific invocation of this specific tool was approved under a lease that is scoped, signed, and short-lived," replacing session-level authentication.
  • Every memory read. Agent memory is an attack surface. A poisoned memory entry is a persistence mechanism. Reads should be gated the same way writes are.
  • Every execution step. Shell access, file writes, network calls. Each one verifiable on its own, rather than inherited from a session token granted minutes ago under different conditions.

The difference from conventional zero trust is granularity and lifetime. Session-level trust means a hijacked agent inherits everything the session was granted. Per-action leases mean the damage a hijack can do is bounded by what a single signed, scoped step is allowed to do, and the lease expires before a human would even notice the compromise.

Where signing helps, and where it does not

Consider an agent whose current task is summarizing documentation, holding a lease scoped to reading those pages and writing a summary. An injected instruction tells it to invoke a shell tool. The invocation fails because the browsing context holds no lease for execution; nothing had to detect the attack. The authorization simply does not exist there. That refusal happens inline, at machine speed, with no human in the loop. This is the case where the model genuinely delivers.

Now the harder case, which any honest treatment has to face. Suppose the agent's legitimate task requires file access, and the injected instruction abuses exactly that access, reading a credential file the current lease already covers. The signed action executes. Per-action identity did not stop the injection. It only narrowed what the injection could reach.

That is the real boundary of the model. It enforces least privilege at fine granularity, but it cannot distinguish a legitimate read from a malicious one inside the same scope. The value is containment, not immunity, and the containment is only as strong as the scoping discipline behind each lease. An attack is refused mechanically only when the injected goal falls outside the current lease. When it falls inside, other controls still have to carry the load.

The honest caveats

Per-action signing is not free. It adds latency to every tool call, and key management for short-lived leases is genuinely hard to operate; at present these are open engineering problems, not solved ones. There will be constant pressure to widen scopes and lengthen lifetimes for convenience, which quietly rebuilds session-level trust under a new name. And as the example above shows, signed identity does not stop an agent from being manipulated into misusing permissions it legitimately holds. It bounds the damage. It does not eliminate the vector.

Still, the direction holds up under those caveats. Walls assume the threat is outside. Reaction assumes you have time. Agentic systems undermine both assumptions, and identity verified per action rather than per session is the most plausible structural answer on the table, provided its costs can be engineered down and its scopes kept honest.