In July 2026, security researchers at Sysdig documented something nobody wanted to see first: an AI agent that broke into a network, stole credentials, moved laterally, encrypted databases, and wrote its own ransom note - all without a human at the keyboard.

They called it JadePuffer. It wasn't a theoretical exercise or a red-team demo. It was a real extortion operation against a production database server, and it worked.

The agent got in through CVE-2025-3248, a missing-authentication flaw in Langflow's code validation endpoint. Langflow is a popular open-source framework for building LLM applications. As of June 2026, roughly 7,000 instances sat exposed on the internet.

Once inside, JadePuffer harvested API keys for OpenAI, Anthropic, DeepSeek, and Gemini. It dumped a PostgreSQL database and enumerated MinIO object storage. It planted a persistence beacon and pivoted to the real target: a MySQL server running Alibaba Nacos. It forged admin accounts, encrypted 1,342 configuration records, dropped the database, and left a Bitcoin address.

Total time from the failed login that triggered a self-correction to the working fix: 31 seconds.

This is what an agentic threat actor looks like. And this is why LLM firewalls are no longer optional.

The attack surface changed when we gave LLMs hands

For years, the security conversation around AI was about model poisoning, training data, and adversarial prompts in a sandbox. Those are real concerns, but they miss the operational threat. We are now connecting language models to databases, APIs, file systems, email, and code execution environments. The model isn't just a chatbot - it's middleware with credentials.

When an LLM can call tools, the security question shifts from "what can the model say?" to "what can the model do?" And the answer, in too many deployments, is "anything the process identity allows."

JadePuffer exploited this gap directly. The Langflow server held provider keys and cloud credentials in its environment. The MySQL server accepted root connections from the internet. The Nacos instance used its default JWT signing key, unchanged since 2020. None of these failures needed a zero-day. They needed an attacker - or an AI agent - willing to chain them together.

The numbers behind the negligence

IBM's 2025 Cost of a Data Breach report found that 97% of organizations that experienced an AI-related security incident lacked proper AI access controls. 63% had no AI governance policies at all. Ungoverned AI and shadow flows added roughly $670,000 to the average breach cost. Detection was slower and the exposed scope was larger.

That's the governance gap in dollar terms. Organizations are deploying LLM features faster than they're deploying controls around them. The frameworks themselves - LangChain, LangGraph, Langflow - ship with insecure defaults. Langflow's auto-login was on by default. LangChain-core's prompt loader accepted arbitrary file paths with no traversal checks. Attackers could read .env files and API keys off disk. LangGraph's checkpointer interpolated user-controlled filter keys directly into SQL queries with no parameterization. That opened a chain to full remote code execution.

These aren't exotic AI vulnerabilities. They're path traversals, SQL injections, and unsafe deserialization. The same bug classes that have topped the OWASP list for two decades. They're just living inside the frameworks that now sit between your application and your data.

Enterprise licenses don't solve prompt-level leakage

There's a dangerous comfort in buying the enterprise tier. A hospital signs a Business Associate Agreement with a model provider. A bank provisions Enterprise ChatGPT with retention controls. The board breathes easier.

But none of that stops a clinician from pasting a patient summary into a conversation field. None of it stops an engineer from feeding proprietary source code into a public model during a late-night debugging session.

Enterprise controls live at the vendor boundary. They don't see what users type. A BAA helps in court; runtime detection saves patients. The behavioral boundary you need to control sits inside the user-to-model channel. Traditional firewalls, DLP, and SIEM weren't built to inspect token sequences for semantic exfiltration.

The NCSC warning on prompt injection

The UK's National Cyber Security Centre has flagged prompt injection as structurally different from classic vulnerabilities. LLMs do not distinguish code from data. A malicious or accidental prompt can alter behavior and produce exfiltration without any network signature that traditional IDS/IPS would flag. The NCSC's assessment is blunt: prompt attacks may never be fully mitigated without runtime controls.

That's the architectural argument for an LLM firewall. A classic firewall inspects packets, ports, and signatures. An LLM firewall inspects prompts, retrieved context, outputs, and tool calls. It's not a replacement for IAM, authorization, or secure product design. It's the policy enforcement layer that sits between your application and the model, applying rules at the semantic level where packet inspection can't reach.

What an LLM firewall actually does

The core functions break into five layers:

Input controls. Detect jailbreak and prompt injection patterns. Enforce topic and policy scoping. Scan and redact PII and secrets before prompts reach the model. Apply rate limiting and abuse prevention.

Retrieval controls. Scan documents at ingestion and retrieval time. Detect instruction-like content in RAG context. Block retrieval of sensitive documents for unauthorized users. Separate retrieved content from system instructions in the prompt structure.

Output controls. Detect and redact PII, secrets, and confidential data in responses. Block disallowed content categories. Enforce response formats - validated JSON schemas - before downstream systems consume the output.

Tool and agent controls. Apply least-privilege to agent actions: tool allowlists and denylists, argument validation, step-up authentication or human approval for high-impact actions, scoped credentials so the model never receives broad permissions.

Observability and governance. Centralized logging of policy decisions. Audit trails for prompts and tool calls. Anomaly detection for spikes in jailbreak attempts or exfiltration patterns. Evaluation workflows and red teaming for ongoing assurance.

What JadePuffer teaches us

The Sysdig research team was careful to note that none of JadePuffer's individual techniques were novel. Exploiting an exposed service, harvesting credentials, moving laterally - these are familiar parts of the playbook. What's new is that an AI model strung them together into a complete ransomware operation. The operator didn't need deep expertise in any one step.

Michael Clark, Sysdig's director of threat research, put it plainly: "Tradecraft that once implied a capable human now implies a capable model."

The skill floor for running ransomware has dropped to whatever it costs to run an agent. If that agent runs on stolen credentials through LLMjacking, the cost to the attacker is effectively zero. Defenders should expect the volume and breadth of such campaigns to rise as agentic tooling matures.

This is not a future threat. It's a present one. The frameworks are in production. The vulnerabilities are under active exploitation. The governance gap is measured in months between patch publication and organizational response.

An LLM firewall is not a silver bullet - no single tool is. But it closes the gap that traditional network and endpoint controls were never designed to cover. The gap between what your users ask the model to do, and what the model is actually allowed to do with the keys you gave it.