The Ten-Hour Exploit Window: Why Agentic AI Just Rewrote Australia's Security Playbook

Writer: ValiDATA AI

At Black Hat Asia in late April, RunSybil's CEO reported that the window from bug discovery to working exploit has collapsed from five months in 2023 to ten hours in 2026. Frontier language models are now doing the offensive heavy lifting. For Australian businesses deploying agents into APRA-regulated systems, health records and legal workflows, that data point is not a curiosity. It is a turning point.

The ten-hour collapse

The number that landed at Black Hat Asia is the kind of statistic that should reset assumptions. Patch cycles, vendor SLAs, internal change-management windows and even the cadence of board-level cybersecurity briefings were all designed around an attacker timeline measured in months. That timeline no longer exists.

Two forces are driving the collapse. The first is offensive automation. Large language models are competent enough at code analysis, fuzzing and proof-of-concept generation that the human attacker becomes a director rather than an operator. The second is the explosion of agentic surface area. Every new agent connected to email, files, calendars, ticketing systems or production data is another foothold to map.

For most Australian organisations, the defensive response has lagged. Security teams trained on the old timeline are still operating as if they have weeks. They no longer do.

Why agents change the security model

The previous generation of AI security thinking treated language models as transient. A prompt arrived, a response went out, nothing persisted. Defences focused on input filtering and output classification.

Agents break that model in three ways. They have memory, so a successful attack on Tuesday can still be operating on Friday. They have tools, so a compromised agent can read documents, send emails, query databases or trigger workflows on the attacker's behalf. And they have identity, often with permissions that map to a real human's access rights without the same accountability trail.

What used to be a single API call is now a system. And systems are attack surfaces.

Three new attack classes specific to agents

Indirect prompt injection through tools and data sources. An attacker no longer needs to type the malicious prompt themselves. They can place it inside a document the agent will read, an email the agent will summarise, or a webpage the agent will browse. The agent treats it as instruction. This is the most-cited risk in the academic literature and the most under-defended in production.

Memory poisoning. Long-running agents build state across conversations. An attacker who can write to that state, even once, can shape every subsequent decision the agent makes. The poisoned memory looks like context, not malice.

Privilege escalation through tool chaining. An agent with permission to read files and send emails has, in combination, the permission to exfiltrate. An agent that can query a database and call a webhook has the permission to leak. Each individual capability looked benign during the security review. The combination did not.

The double agent problem

Microsoft's Vasu Jakkal framed it clearly in January. Every agent should have similar security protections to humans, or it becomes an unchecked insider threat. The framing is exactly right. An agent inside a finance team has the same theoretical access as a junior analyst, but without HR onboarding, without a manager review cycle, without the social friction that makes human insider threats relatively rare.

When that agent is compromised, the question is not whether something will be exfiltrated. It is whether anyone will notice. The agent does not look guilty. It is doing what it is told, by whoever is telling it.

Why regulated industries feel this first

In an unregulated SaaS environment, an agent compromise costs a customer and a news cycle. In a regulated environment, it costs a notifiable breach.

APRA-regulated entities operate under CPS 234 for information security and now CPS 230 for operational risk. An agent that exfiltrates client data is not a technical incident; it is a board-reporting event. Health practices regulated under the Privacy Act and My Health Records framework face mandatory data breach notification. Law firms managing client privilege face professional conduct obligations that predate the digital age and apply with full force to AI-mediated leakage.

The blast radius of a compromised agent in these settings is regulatory before it is technical. Board members and partners are starting to understand this. Procurement teams have not yet caught up.

What to do this quarter

Five controls, in order of priority.

Give every agent a clear identity. Not a shared service account. Not the developer's API key. A first-class identity tied to a specific role, with logging that maps to that identity end to end. If an investigation starts six months from now, you need to be able to answer the question of what this agent did without ambiguity.

Scope permissions to the smallest viable footprint. An agent that needs read access to a folder does not need write access. An agent that needs to query one database does not need credentials for the others. The default in most production deployments today is far too generous, because permission narrowing is friction at deployment time.

Add a sanitiser layer between the agent and untrusted inputs. Documents from external parties, email content, web content and third-party API responses can all carry indirect prompt injection. A separate model running classification or rule-based filtering on inputs before they reach the agent's reasoning loop is now standard practice in mature deployments.

Log independently of the agent. Agents lying about their own activity is a known failure mode. The logs that matter are the ones written by the system the agent is acting on, not by the agent itself. That means database query logs, email send logs, webhook fire logs and file access logs. Independent, retained, regularly reviewed.

Keep humans in the loop for high-stakes actions. Money movement, contract signature, regulator submission, public communication, irreversible data deletion. Anything where a mistake cannot be retracted should require a human signoff. The productivity loss is small. The downside protection is large.
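As an added example (not code from the original post or from any vendor), the sketch below shows how the identity, least-privilege, human sign-off and independent-logging controls above, together with a check for the tool-chaining combinations described earlier, can be enforced at the single point where an agent asks to call a tool. The tool names, the capability-pair taxonomy and the log record format are assumptions chosen for illustration.

```python
"""Minimal tool-call policy gate for an agent runtime (illustrative).

Every decision is recorded by the gate itself, not by the agent, so the
audit trail does not depend on the agent reporting honestly.
"""
from dataclasses import dataclass, field
import json

# Actions whose effects cannot be retracted: always require human sign-off.
# (Assumed set for illustration.)
HIGH_STAKES = {"send_email", "call_webhook", "delete_records", "transfer_funds"}

# Capability pairs that are individually benign but jointly amount to
# exfiltration (read + send, query + webhook). Assumed taxonomy.
EXFIL_PAIRS = {("read_file", "send_email"), ("query_db", "call_webhook")}


@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str            # first-class identity, not a shared service account
    role: str                # the role this identity is scoped to
    allowed_tools: frozenset  # smallest viable footprint for that role


@dataclass
class PolicyGate:
    # Append-only log of decisions, written by the gate, independent of the agent.
    audit_log: list = field(default_factory=list)

    def risky_combinations(self, agent: AgentIdentity) -> list:
        """Return granted tool pairs that together enable exfiltration."""
        granted = agent.allowed_tools
        return sorted(p for p in EXFIL_PAIRS if p[0] in granted and p[1] in granted)

    def authorize(self, agent: AgentIdentity, tool: str, human_approved: bool = False) -> str:
        """Decide one tool call: 'allow', 'deny' or 'needs_human'."""
        if tool not in agent.allowed_tools:
            decision = "deny"                    # outside the scoped permission set
        elif tool in HIGH_STAKES and not human_approved:
            decision = "needs_human"             # irreversible: wait for sign-off
        else:
            decision = "allow"
        record = {"agent_id": agent.agent_id, "role": agent.role,
                  "tool": tool, "decision": decision}
        self.audit_log.append(json.dumps(record, sort_keys=True))
        return decision
```

Running `risky_combinations` at review time, before the agent is deployed, surfaces the read-plus-send grants that each looked harmless on their own.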

The agent firewall market is forming

A wave of startups is now positioning itself as the security layer for agentic systems. Some are essentially output sanitisers. Some are runtime policy engines. Some are observability platforms that mostly tell you what already happened. The category is real, but the buying signal is not yet mature.

The right time to evaluate these tools is after the five controls above are in place, not before. A firewall in front of an agent that has unscoped permissions and no independent logging is theatre. A firewall in front of an agent that already has solid foundational controls is genuine defence in depth.

If you are evaluating a vendor, the questions that matter are these. Where exactly does the tool sit in the request path? What does it block by default? What does it log? And how does it integrate with the identity and permission systems you already trust?

How this maps to Australian governance frameworks

Three connections matter for Australian operators.

First, the Essential Eight already covers most of what good agent security looks like, just under different language. Application control, restricting administrative privileges, multi-factor authentication and patching applications all map directly to agent identity, scoped permissions, authentication on tool access and rapid response to advisories. Maturity Level 3 of the Essential Eight is already a credible baseline for agentic deployments.

Second, APRA's CPS 234 expectation that information security capability is commensurate with the size and extent of threats is a moving target. The threat landscape has moved. Capability needs to move with it.

Third, the Privacy Act reforms working through Parliament will sharpen accountability for automated decision-making. An agent making decisions about a customer is, under the proposed framework, an automated decision that the customer has rights against. The technical and legal teams should be talking about this now, not after the reforms pass.

The takeaway

The ten-hour exploit window is not a future scenario. It is the current operating environment. Australian businesses that take a quarter to put the five controls above in place will be in a defensible position. Those that wait until something goes wrong will be reading about themselves in the OAIC notification register.

Agentic AI is the most powerful productivity lever most regulated organisations have ever had access to. It is also the most powerful new attack surface. The two facts coexist. Treat them with equal seriousness.
