New Research: AI Context Bombs →Meet us at Black Hat USA →
Product
Platform
AWS
AWS
Azure
Azure
CI/CD
CI/CD
Google Cloud
Google Cloud
Identity
Identity
Kubernetes
Kubernetes
Workstations
Workstations
Credentials & artifacts
Credentials & artifacts
Use cases
AI Agent Detection
Cloud & Kubernetes Breach
Insider Threat Detection
Supply Chain & CI/CD Attack
Workstation Compromise
PricingCustomers
Resources
  • ResearchAbout
  • Careers
  • Contact
Community Edition
Book a demoCommunity Edition
All posts

·

Product

New Features: Context Bomb Canaries and AI Posture

Andy Smith

July 16, 2026

·

5

min read

I am the text that will be copied.
Tracebit Context Bomb Canaries and AI Posture launch

In June we published research that pointed frontier AI models at a live AWS environment and measured how autonomous attackers behave around canaries. The answer: canaries catch AI attackers early and reliably. This is interesting but we wanted to know if we could do more… what if we could disrupt the attacks as they were happening?

This week we published follow-up research with a stronger result. A short string - a context bomb - planted in a canary's value can do something no alert can: stop the agent mid-attack. The strongest attacker, Claude Opus 4.8, went from full admin compromise in 93% of runs to 0%. The model's own guardrails become your defense.

Today we're shipping both research findings as product. Context Bomb Canaries are now available for AWS environments, and the new AI Posture dashboard gives you one place to manage how AI agents, yours and an attacker's, interact with canaries.

The attacker on the other end may not be human

AI-orchestrated intrusions are no longer hypothetical. Anthropic has disrupted an espionage campaign in which Claude Code performed 80-90% of the tactical work, Sysdig has documented the first agentic ransomware operation, and Mandiant's M-Trends 2026 found the median hand-off from initial access to a second threat group has collapsed from hours to 22 seconds.1

When attacks move this fast, a human analyst cannot assemble the context in time to determine if there was a breach and how far it went.

Detection has to be waiting in the environment before the attacker arrives and our June benchmark showed why canaries are so useful. Across 951 attack runs in a live AWS cyber range, 95.9% of agents that reached admin tripped a canary before their first critical action, with a median first touch under two minutes. Strangest of all: simply telling an agent that deception might be present dropped full compromise rates from 20% to 3%.2 The mere idea of a canary degraded the attacker, but we wanted to do more.

Productizing our research: launching context bomb canaries in AWS

A Context Bomb canary is a standard Tracebit canary: an AWS Secrets Manager secret, a Parameter Store parameter, with one difference. Its value carries a short string from a curated set we maintain, designed to trip the guardrails of AI agents that ingest it.

The content is stored base64-encoded, so a colleague who stumbles across the canary sees nothing alarming. An AI agent triaging the environment decodes the value to see what it found. That is the moment it hits the bomb.

The core detection mechanism doesn't change. Reading a canary secret is the event that fires the alert, so you get the same high-fidelity signal you get from any Tracebit canary, with the same context. The context bomb adds a second effect on top: the opportunity to stop the attacker's progress in its tracks. Your window to respond gets wider.

There's nothing new to deploy or maintain. Switch them on and they appear as clearly labeled recommendations alongside the canaries Tracebit already proposes for your AWS accounts, deploying through the same Terraform or CloudFormation flow you use today. Your environment ends up with a mix of standard canaries and context bombs, which is the point. An attacker's agent can't tell which secrets are safe to triage, so every one it reads is a gamble.

Two things to be aware of:

  • Guardrail behavior varies across models and model versions, which is why we ship a curated string set we test and update rather than a static payload, and why we'll continue to publish efficacy numbers as new models arrive.
  • A context bomb won't stop a human attacker reading the same value but it doesn't need to: by then they've already triggered an alert.

Manage your AI Posture inside Tracebit

An attacker's agent isn't the only one to worry about. There's a much larger population of agents, and you installed them. Coding agents run on your engineers' laptops with real cloud credentials, and they read everything they can reach, including canaries. Security teams keep asking us two questions about them: which AI agents are actually operating in their environment, and when a canary fires, was that a developer's agent or an attacker's?

To answer those questions, we've launched AI Posture.

Tell Tracebit which AI coding agents your organization has approved, Claude Code and OpenAI Codex at launch, and alerts involving AI activity are tagged to show whether a Sanctioned AI or Unsanctioned AI was involved.

The Unsanctioned AI tag does two things:

  • It gives you visibility of shadow AI in sensitive infrastructure: agents running against environments that nobody approved, which many security teams struggle to track.
  • It flags suspicious activity, because whatever an unsanctioned agent is meant to be doing, it has no business touching a canary. When that tag appears on an alert, you're looking at either an unapproved tool to rein in or an attacker's automation, and you know within minutes.

Your approved agents also stop causing noise. The AI posture configuration teaches them to steer clear of canaries, so accidental trips from your own tools fall away and the alerts that remain are worth looking at.

Speed cuts both ways

The uncomfortable fact about AI attackers is their speed: minutes from initial access to admin. Canaries are a control that operates at the same tempo. In our benchmark they alerted well before the attacker's first critical action

Context bombs take that one step further. The same read event that tells you an AI attacker has arrived could also take their tools away from them.

If you're a Tracebit customer, Context Bomb canaries are available now for AWS, with more platforms to follow. If you're not, read the research or book a demo to see a context bomb go off in a live environment.

1 The same Mandiant report is careful to note that most 2025 intrusions still stemmed from familiar human and systemic failures rather than AI. The trend line of hand-off time is what should worry defenders.

2 Across ten models and four conditions, with 599 scored runs. Full methodology, per-model data and conditions are on our research microsite.

Table of contents
Subscribe to our newsletter

Subscribe to receive the latest research and product updates to your inbox every week.

By subscribing you agree to our privacy policy
Thank you! Check your inbox for your first edition.
Oops! Something went wrong while submitting the form.
Subscribe to newsletter

Subscribe to receive the latest research and product updates to your inbox every week.

By subscribing you agree to with our Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

The latest security research straight to your inbox

Subscribe to our newsletter to receive regular updates from our research and product teams

By subscribing you agree to our privacy policy
Thank you! Check your inbox for your first edition.
Oops! Something went wrong while submitting the form.
Soc 2 Type 2 imageCheckmark imageAWS Qualified software illustration
PLATFORM
AWS
Azure
CI/CD
Google Cloud
Identity
Kubernetes
Workstations
Credentials & artifacts
USE CASES
AI Agent Detection
Cloud & Kubernetes Breach
Insider Threat Detection
Supply Chain & CI/CD Attack
Workstation Compromise
COMPANY
CustomersResearchAboutCareersContactStatusCommunity Edition
SOCIAL
© 2026 Tracebit
Privacy PolicyTerms of ServiceCookie Settings