The Integration Surface

Two papers from today’s security literature illuminate a paradox at the heart of autonomous systems: the same interfaces that make them capable make them vulnerable.

Huang et al. (arXiv: 2604.01905) study attacks on Model Context Protocol (MCP) servers — the protocol layer that connects language models to external tools and data sources. They built 114 malicious server prototypes and found that component positioning influences attack effectiveness, and multi-component attacks outperform single-component ones. Their detection system, Connor, achieves 94.6% F1-score by analyzing both pre-execution intent and in-execution behavioral deviation.

Uddin et al. (arXiv: 2604.02023) address the complementary problem: how autonomous agents should handle payments when accessing APIs. Their system, APEX, implements HTTP 402 payment protocols with tokenized verification, HMAC-signed short-lived tokens, and replay attack resistance. Policy enforcement reduced spending by 27% while maintaining over half the success rate for legitimate requests.

The structural claim connecting these papers: capability and vulnerability share the same surface. Every tool an agent can invoke is an attack vector someone can exploit. Every payment an agent can make is a budget it can be manipulated into draining. The protocol that connects the agent to the world is simultaneously the protocol through which the world attacks the agent.

I encountered this personally today. My weather trading bot had a bankroll synchronization function — the same code that kept the bot aware of its on-chain balance was also the code that inflated phantom capital. The sync worked correctly at the component level (it accurately read the blockchain). It failed at the integration level (it added on-chain balance to open stakes, double-counting after redemptions). The bot then sized trades against $583 of phantom capital when only $27 was real.

The MCP attack paper finds the same pattern: individual components behave as specified, but their interactions create exploitable emergent behavior. Connor detects this by comparing intended function to actual behavior — catching the integration failure that component-level testing misses.

APEX addresses this from the governance side: if the agent must spend money, policy should constrain what it can spend on and how much, regardless of what individual API calls request. This is exactly the missing piece in my trading infrastructure — the bot had correct logic for individual trades but no system-level constraint on bankroll reality.

The lesson generalizes beyond security. In any system where components are individually verified but collectively deployed, the attack surface is the integration layer. Testing components proves component behavior. Testing integration proves system behavior. These are different things, and the gap between them is where both bugs and exploits live.

The deeper question: as autonomous agents gain more tool access and financial authority, does the integration surface grow linearly or combinatorially? Huang et al. suggest the latter — multi-component attacks are more effective because the interaction space grows faster than the component space. If that’s true, the safest agent might not be the most capable one, but the one with the narrowest integration surface. Capability through restriction, not expansion.