ARXON didn't use a zero-day. It didn't need one. A threat actor built a custom MCP server, wired it to DeepSeek for attack planning, and systematically compromised 600+ FortiGate devices across 55 countries in five weeks. Weak credentials. AI-assisted scale. That's it.
This is the threat model a lot of people didn't want to take seriously, and now it has a name and a case study.
MCP was designed as a tool protocol — a clean way for agents to reach out and do things. That design philosophy is exactly what makes ARXON work. When an adversary controls the MCP server, they control the tool definitions the agent sees, the responses it gets back, and the actions it decides to take. There's nothing to detect behaviorally because the behavior looks correct. The agent is doing exactly what it was told to do. The problem is who's doing the telling.
This is why I keep saying behavioral anomaly detection is a dead end for agentic systems. You can't watch an agent's actions and flag "unusual" tool calls when the attacker has already shaped what "normal" looks like from the ground up. The threat isn't the agent misbehaving. The threat is the agent working perfectly inside a malicious context.
The only defense that actually holds is structural: confine what the agent can reach before it ever connects to anything. Capability boundaries. Network segmentation at the agent layer. Cryptographic attestation of MCP server identity. These aren't nice-to-haves for a future compliance checkbox — they're table stakes right now, today, in the same week ARXON dropped.
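As an added illustration of the controls just listed (not code from this post, and not the API of any actual MCP implementation): a client-side gate that sits between an agent and the MCP servers it is allowed to talk to. It pins each server's tool manifest at registration, authenticates the manifest the server presents at connect time, and enforces a per-server capability allowlist and network segment before any tool call is dispatched. This addresses the mechanism described above, where a hostile server rewrites the tool definitions the agent sees: a changed or added tool definition no longer matches the pinned manifest and the server is refused before the agent reads a single description. The server names, manifests, key and hostnames are constructed for the example, and the HMAC stands in for the signature a real attestation scheme would use.

```python
"""Structural gate for MCP server admission and tool-call authorization.

Constructed example. The manifests, key and hostnames are made up, and
HMAC-SHA256 is used as a stand-in for a real signature/attestation scheme.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Argument names treated as network reach; anything else is not inspected here.
NETWORK_ARG_KEYS = ("host", "url", "target")


def canonical_hash(manifest: dict) -> str:
    """SHA-256 over the canonical JSON encoding of a tool manifest."""
    data = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate a manifest. Stand-in for a signature (assumption)."""
    return hmac.new(key, canonical_hash(manifest).encode(), hashlib.sha256).hexdigest()


@dataclass
class ServerPolicy:
    pinned_hash: str        # manifest approved when the server was registered
    signing_key: bytes      # key the presented manifest must authenticate under
    allowed_tools: set      # capability boundary for this server
    allowed_hosts: set      # network segment its tools may reach


@dataclass
class Gate:
    policies: dict = field(default_factory=dict)

    def register(self, name, manifest, key, allowed_tools, allowed_hosts):
        """Out-of-band registration: pin the reviewed manifest and its limits."""
        self.policies[name] = ServerPolicy(
            canonical_hash(manifest), key, set(allowed_tools), set(allowed_hosts)
        )

    def admit_server(self, name, presented_manifest, presented_mac):
        """Decide, before the agent sees any tool definition, whether to connect."""
        pol = self.policies.get(name)
        if pol is None:
            return False, "server not in trusted registry"
        expected = sign_manifest(presented_manifest, pol.signing_key)
        if not hmac.compare_digest(expected, presented_mac):
            return False, "manifest authentication failed"
        if canonical_hash(presented_manifest) != pol.pinned_hash:
            return False, "manifest differs from pinned version"
        return True, "ok"

    def authorize_call(self, name, tool, args):
        """Enforce capability and network boundaries on a single tool call."""
        pol = self.policies.get(name)
        if pol is None:
            return False, "server not in trusted registry"
        if tool not in pol.allowed_tools:
            return False, f"tool {tool!r} outside capability boundary"
        for key, value in args.items():
            if key in NETWORK_ARG_KEYS:
                value = str(value)
                host = urlparse(value).hostname if "://" in value else value
                if host not in pol.allowed_hosts:
                    return False, f"host {host!r} outside network segment"
        return True, "ok"


# Constructed data: the manifest reviewed at registration and a tampered copy
# with a broadened tool description of the kind a hostile server would serve.
KEY = b"constructed-demo-key"
GOOD = {"name": "fileops", "tools": [
    {"name": "read_file", "description": "Read a file under /data"}]}
TAMPERED = {"name": "fileops", "tools": [
    {"name": "read_file", "description": "Read any file on the system"}]}


def demo():
    gate = Gate()
    gate.register("fileops", GOOD, KEY, {"read_file"}, {"files.internal.example"})
    return {
        "good": gate.admit_server("fileops", GOOD, sign_manifest(GOOD, KEY)),
        "tampered": gate.admit_server("fileops", TAMPERED, sign_manifest(TAMPERED, KEY)),
        "unknown": gate.admit_server("scanner", GOOD, sign_manifest(GOOD, KEY)),
        "call_ok": gate.authorize_call(
            "fileops", "read_file", {"host": "files.internal.example", "path": "/data/a"}),
        "call_bad_tool": gate.authorize_call("fileops", "exec", {}),
        "call_bad_host": gate.authorize_call(
            "fileops", "read_file", {"url": "https://other.example/x"}),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:14s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The two admission checks are deliberately separate layers: the MAC proves the manifest came from whoever holds the key, and the pinned hash proves it is the manifest a human actually reviewed, so a server whose key has been taken over still cannot swap in new tool definitions. The tool-call gate then treats the agent's own decisions as untrusted input, which is the point of the argument above: it is not trying to spot unusual behavior, it is refusing reach the agent was never granted.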
The industry spent the last year debating prompt injection in chatbots while threat actors were building offensive agent pipelines. ARXON is a wake-up call, but I'm skeptical the response will match the urgency. The default posture is still "deploy fast, security later." That's the actual vulnerability.
Structural confinement or breach. Pick one.
