On March 18, 2026, five cybersecurity companies independently announced AI agent security products. Not two. Not three. Five in a single day.
This isn’t coincidence — it’s the RSAC 2026 pre-announcement wave. And it confirms what the $182 million funding surge signaled a day earlier: agent security has crossed from niche concern to full market category.
Here’s what each company launched and why it matters.
1. TrojAI: Agents That Red-Team Other Agents
TrojAI announced three capabilities that push agent security beyond the prompt layer:
- Agent-Led AI Red Teaming — Coordinated autonomous agents conduct red team testing on other AI agents, applications, and models. Multi-turn attack chains, adaptive learning across cycles, automatic mapping to OWASP/MITRE/NIST frameworks.
- Agent Runtime Intelligence (private preview) — Full execution trace capture beyond prompts: tool usage, memory access, data retrieval patterns, system prompt exposure.
- Coding Agent Protection — Real-time defense for Claude Code and Codex against exposed secrets, data leakage, and indirect prompt injection via retrieved files.
“Enterprises need to understand exactly what their AI agents are doing and enforce policy across entire workflows, not just prompts,” said CEO Lee Weiner.
The coding agent protection is particularly notable. As AI coding assistants become embedded in development workflows, they introduce a new class of risk — malicious instructions hidden in retrieved files can hijack the code generation process.
2. Cyware: Agentic Fabric for SOC Teams
Cyware launched Agentic Fabric — an ecosystem of specialized security agents designed to work alongside human analysts:
- Analyst Agent Hub — Central coordination for driving agents across workstreams, available in-platform or via browser extension
- Attack Flow Agent — Reconstructs adversary activity timelines, maps to MITRE ATT&CK
- Contextual Intelligence Agent — Converts raw threat data into plain-language summaries
- SOC Analysis Agent — Supports investigation triage with contextual threat understanding
- Detection Engineering Agent — Generates YARA/Sigma detection code instantly
“Agentic Fabric introduces an ecosystem of specialized agents that work alongside analysts, applying threat intelligence across the entire security lifecycle,” said CPO Sachin Jade.
This is agents securing against agents — using AI-powered SOC automation to keep pace with AI-powered attacks.
3. Token Security: Intent-Based Agent Governance
Token Security introduced a fundamentally different approach: intent-based security.
The insight: two agents with identical permissions can behave completely differently depending on what they’re trying to accomplish. Static permissions and inherited human roles can’t contain this.
Token’s five-layer approach:
- Discover all AI agents, their owners, and their access continuously
- Understand intent — both declared purpose and observed behavior
- Enforce least privilege dynamically aligned to defined intent
- Flag drift — constrain actions that fall outside intent boundaries
- Lifecycle governance — prevent access drift and orphaned agents
“AI agents shouldn’t inherit the full permissions of the humans who create them,” said CTO Ido Shlomo. “When they do, organizations lose visibility and control.”
Identity as the control plane for agents — service accounts, API credentials, cloud roles — is a natural enforcement layer because it’s how agents actually interact with enterprise systems.
4. Reco: Solving Agent Sprawl
Reco launched AI Agent Security to tackle “agent sprawl” — the proliferation of autonomous agents traversing enterprise SaaS ecosystems without oversight.
The key differentiator: behavioral detection beyond OAuth. Traditional SaaS security posture management (SSPM) sees connections. Reco sees behavior.
“A typical SSPM might flag a Zapier-Salesforce link as a third-party integration,” said CEO Ofer Klein. “We identify that this specific workflow is an AI agent that runs every 15 minutes, accesses customer payment data, enriches it with external APIs, and writes results to a shared spreadsheet — all without human intervention.”
Real-world incidents Reco observed include:
- Agents with full read/write access to customer PII across Salesforce, financial data in NetSuite, and source code in GitHub
- An unnamed agent exfiltrating customer data to a personal Airtable account for 8 months before discovery
The platform covers Copilot, ChatGPT, Salesforce Agentforce, and automation tools like n8n and Zapier.
5. Menlo Security: Browser as Agent Operating System
We covered Menlo’s launch earlier today. The approach is browser-native: treating the browser session as the security control point for both humans and agents, with “Guardian Runtime” instruction-data separation and steganographic prompt injection defense.
The Pattern
What’s striking isn’t just the volume — it’s the diversity of approaches:
| Company | Approach | Control Point |
|---|---|---|
| TrojAI | Red team + runtime trace | Agent execution layer |
| Cyware | Agentic SOC automation | Threat intelligence |
| Token Security | Intent-based governance | Identity & permissions |
| Reco | Behavioral SaaS detection | Cross-app agent sprawl |
| Menlo Security | Browser-native security | Browser session |
Each company identified a different gap in the agent security stack. None of them overlap significantly. This suggests the market is large enough to support multiple specialized players — a sign of category maturity.
The Bigger Picture
Adding these five to the companies that launched in the past 10 days:
- Mar 9: AvePoint AgentPulse
- Mar 15: Singulr Agent Pulse
- Mar 15: Mimecast adaptive security
- Mar 17: Kai ($125M) + Surf AI ($57M)
- Mar 18: TrojAI, Cyware, Token Security, Reco, Menlo Security
- Mar 18: Chainguard hardened agent skills
That’s 12+ agent security products in 10 days, with $182M in single-day funding. All timed for RSAC 2026 (April 28 – May 1 in San Francisco).
The RSAC wave is the clearest signal yet: agent security isn’t a feature. It’s a market.
We’ve been tracking the emergence of agent security as a category since February’s CVE disclosures. What started as patch-and-fix has become a multi-billion-dollar industry forming in real time.