AI Agent Security Summit Recap: Key Insights from the June 24 “ZhiYi” Workshop

The June 24 “ZhiYi” AI agent security summit in Beijing gathered leading researchers and practitioners to discuss the rapid evolution of AI agents in offensive and defensive contexts, presenting five technical sessions and a round‑table that examined real‑world agent designs, skill‑poisoning risks, chain‑escape attacks, large‑scale hardening at Baidu, and AI‑native SOC transformations.

360 Tech Engineering
360 Tech Engineering
360 Tech Engineering
AI Agent Security Summit Recap: Key Insights from the June 24 “ZhiYi” Workshop

The event, co‑hosted by 360 Security Emergency Response Center and supported by 360 Vulnerability Cloud and Aiker World, marked the closing of the "ZhiYi" AI agent attack‑defense workshop on June 24 at the National Convention Center, Beijing. In the opening remarks, Zhang Rui highlighted the shift from large‑model security concerns (prompt injection, data poisoning) in 2025 to agent‑centric questions in 2026, such as control, misuse, privilege escalation, and execution‑chain stability.

Agenda 1 – Client Vulnerability‑Mining Agent Design and Practice : w1th0ut presented three high‑value real vulnerabilities (Electron XSS → RCE, loopback port‑listening escalation, local privilege‑escalation) and demonstrated an end‑to‑end AI agent workflow that enumerates client attack surfaces (IPC/XPC, pseudo‑protocols, web rendering, framework bugs) and automatically generates PoCs.

Agenda 2 – Skills Poisoning and Semantic Obfuscation : Chen Yongfeng explained how the Skills ecosystem can be poisoned and how attackers bypass detection by mixing malicious payloads with legitimate Skill metadata. He introduced AgentShield’s fourth‑layer honeypot approach—deploying fake tools, fake credentials, and whitelist validators that monitor calls without blocking execution, turning the very act of evading earlier layers into a detection signal.

Agenda 3 – Using AI to Hunt AI: Multi‑Agent Chain Escape : The speaker, known as "Half‑Night‑No‑Sleep", likened an AI agent to a cloud server and illustrated three chained escape scenarios that leveraged native product functionality without breaking any code‑level safeguards, ultimately harvesting over 180 bucket permissions and cascading credential theft.

Agenda 4 – From Fire‑Fighting to Infrastructure: Baidu’s AI Agent Hardening : Cao Xinyu described Baidu’s transition from a "fire‑fighting" team to an "AI security infrastructure provider" supporting millions of internal agents. He detailed a platform‑level security foundation that unifies product, identity, agent, network, and data protection, enabling business units to integrate security at minimal cost. He emphasized that once human confirmation exits the security chain, AI‑driven capabilities become a core competitive advantage.

Agenda 5 – From AI Tools to AI‑Native SOC Operations : Loki outlined how 360 reorganized its SOC around agents rather than traditional roles, assigning each logical chain a closed‑loop task with traceable evidence. He identified five bottlenecks in AI‑driven security operations and showed how token consumption per alert can be dramatically reduced. He concluded that future security engineers must excel at judging when to trust AI output and when to override it.

Round‑Table – "Beyond the Game" : Moderated by Hu Xiaona, the discussion covered four themes: (1) Attack speed asymmetry – agents can execute tens of thousands of attacks per day, outpacing manual pen‑tests; (2) Cost imbalance between tools and defenses – AI dramatically lowers attack marginal cost while raising defense complexity; (3) Fragmented defense and responsibility – the attack surface now spans every node in an agent call chain, making clear ownership difficult; (4) Standards lag – rapid agent evolution outpaces regulatory and compliance frameworks. Participants cited concrete incidents, such as an AI‑discovered kernel vulnerability that was weaponized before a patch could be applied.

The concluding remarks stressed that the workshop did not claim to provide final answers but rather surfaced unavoidable questions that will reshape the security industry: redefining "defense" in an era of unequal attack speed, re‑evaluating the relevance of "spending according to standards", and assigning responsibility when agents, models, prompts, and users jointly generate behavior.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

AI agentsAI securitysecurity operationsvulnerability assessmentagent-based attacksSOC automation
360 Tech Engineering
Written by

360 Tech Engineering

Official tech channel of 360, building the most professional technology aggregation platform for the brand.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.