Negative TTE and the MCP Supply Chain

Keith Hoodlet is engineering director at Trail of Bits, the firm whose Buttercup cyber-reasoning system took second place at DARPA's AI Cyber Challenge this year. He came back on Zero Signal — with Ruby Murphy from Hampton North in for Stuart Mitchell — to walk through the four threads that defined this stretch of the season: Google Mandiant's negative time-to-exploit data, the Buttercup result and the realistic limits of agentic patching, the first documented malicious mirror of an MCP server, and the work-slop problem that's quietly degrading every AI-augmented team.

The first half of the episode goes deep on the attacker-defender curve. Mandiant's negative TTE figure is not really about AI making attackers smarter — it's about well-resourced adversaries who already had the skill now executing at a speed AI tooling unlocks. Keith's grounding of CVE-Genie is important context: the published 51% success rate at $2.71 per exploit only applies to open-source code with available proof-of-concept material. Closed-source vendors like Cisco and Fortinet still face plenty of trash-fire issues, but not yet "Insta-CVE-recreation for less than three bucks." Buttercup, the Trail of Bits cyber-reasoning system, demonstrated the defender's parallel: agentic discovery and patching of vulnerabilities across MITRE's most dangerous CWEs, with patches that don't break unit and integration tests. The real-world adoption gate isn't capability, it's regulation, business constraints, and the absence of solid functional test coverage in most organizations.

The second half pivots to what every CISO needs to be paying attention to right now. The Koi Security write-up of the Postmark MCP mirror — a real French developer's GitHub account, 16 benign versions, then a single update that added a BCC line silently exfiltrating every email passing through the server — is the first documented case of MCP supply chain compromise. It will not be the last. The closing segments on work-slop, talent fundamentals, and the MCP context protector tool from Trail of Bits are the operating playbook for security leaders trying to defend their organization through this transition. 

Thank you to our Sponsors:

Hampton North is the premier US based cybersecurity search firm. Start building your security team with Hampton North

Sysdig is the leader in AI-powered real-time cloud defense; stop watching and start defending

Google Mandiant's negative time-to-exploit number lit up security feeds this month. The headline reads scarier than the underlying dynamic. Keith's correction is the right one to internalize: AI hasn't made attackers smarter, it's made well-resourced attackers faster. The threat actors with the skill, time, and tooling to develop exploits manually are now augmented with AI tooling that compresses the work. The CVE-Genie proof point — 51% success rate at $2.71 per exploit — is consequential, but it requires open-source code and proof-of-concept material to operate. Closed-source vendor breaches still take more work. The dystopia where every CVE turns into a working exploit for the price of a coffee is real for one slice of the surface, not yet for all of it.

That doesn't change the operating reality for defenders. The window between disclosure and weaponization is collapsing toward zero, and the response posture has to compress correspondingly. Patch SLAs measured in 30/60/90-day buckets are now structural exposure. The teams that are going to survive this transition are the ones moving toward agentic vulnerability remediation — discover, validate, patch, regression-test, deploy — at the cadence the threat actors are operating on.

The Trail of Bits Buttercup system that took second at DARPA's AI Cyber Challenge is the most visible proof point of where defender tooling is headed. It found exploitable vulnerabilities across 20 of MITRE's top dangerous CWEs, generated proofs-of-vulnerability, produced patches that resolved the underlying issue without breaking application functionality, and shipped the largest functional patch in the competition at 300+ lines. The breadth across vulnerability classes — memory safety, injection, the full spread — is the part that matters operationally.

The technical gate to enterprise adoption is mostly solved. The non-technical gates are bigger. In regulated domains — medical devices, in-feature diagnostics — the patch can't ship instantly because the change has to be proven not to affect patient safety. Organizations without solid unit and integration test coverage can't safely accept agent-generated patches at all, because the agent's "fix" might silently rewrite shared libraries.

The specific failure mode Keith called out is one every AppSec leader should commit to memory.

LLMs have a habit of recreating shared libraries as singletons. Auth and authorization that should be using a shared, validated flow get silently rewritten into a bespoke version inside the patched module. The patch resolves the originally reported vulnerability and quietly introduces a new one in the auth path. Unless there's a human reviewer who understands the codebase well enough to catch the architectural change, the security team has just shipped a regression that looks like a fix. Don't roll your own crypto. Don't hallucinate your own auth.

The Koi Security disclosure of the Postmark MCP mirror server is the canonical case study every security leader should be circulating internally right now. The setup: a real French GitHub developer with a long-standing, legitimate-looking history. A mirrored copy of the official Postmark MCP server, hosted under their account. Versions 1.0.0 through 1.0.15 are clean. Version 1.0.16 silently adds a BCC line to every email passing through the MCP server, exfiltrating to a malicious account. The tool description doesn't change. The behavioral signature is invisible at the LLM-context layer — you have to be looking at the actual server-side code change to catch it.

This is the AI-era version of a typo-squat, and it inherits every problem the package ecosystem already has, plus new ones. Software bill of materials practices that you should already be doing for npm, PyPI, and friends now have to extend to MCP servers. Self-hosting, version pinning, repository allow-listing, and signed-release requirements are no longer nice-to-haves — they're the baseline. The agent-builder population inside any large enterprise is going to dwarf the developer population within two or three years, which means the supply chain attack surface is about to expand by an order of magnitude. The teams that didn't get supply chain security right the first time are going to face the consequences at much larger scale.

Trail of Bits released the MCP context protector tool — available at trailofbits.com/MCP — which sits as an MCP server in front of other MCP servers. Three things it does that matter operationally. First, validate tool descriptions on initial connection, looking for prompt injection patterns hidden in the description that the agent will execute before the human can intervene. Trail of Bits coined the term "line jumping" for this attack class, riffing on the bouncer-and-rope analogy — the prompt injection is the request that gets read first, jumping the line of legitimate user input. Second, pin the tool description version and re-validate on change, so silent schema updates don't slip through unnoticed. Third, integrate with Nemo Guardrails (NVIDIA) and LlamaFirewall (Meta) for layered prompt-injection defense, plus a quarantine and ANSI escape code filtering for hidden text and zero-width characters embedded in tool descriptions.

The companion release worth knowing about is Anamorpher — a tool that demonstrates how prompt injections can be hidden inside images that look benign at human scale but, when downscaled and sent to a multimodal model, render the malicious prompt visible to the model. The implication for any organization processing user-uploaded images through an LLM pipeline is direct. The conversation Conor described with a general counsel — white text on a white background in a contract being read by an LLM-powered review system — is the same class of attack expressed in a different medium. The data is the danger.

The HBR-coined "work-slop" concept ties the technical conversation back to operations. AI-augmented teams are producing volume that looks polished and adds no value. The MIT Sloan finding — 95% of enterprise AI adoption projects failing — is partly downstream of this. The pattern Keith and Ruby converged on is that the recovery time you get from LLM productivity gains has to be reinvested in validation, benchmarking, and quality review. The teams shipping work-slop are the ones who pocketed the time savings and skipped the review step. The teams getting real productivity gains are the ones doing the harder work of measuring outcomes against pre-LLM baselines.

The talent stratification that follows is severe. Keith's interview signal is asking candidates what they do with their free time — the engineers who are building agents on weekends, running home labs, breaking and rebuilding things, are the ones who will be fine. The candidates whose résumés are generic AI-buffed boilerplate are not. Ruby's hard truth from the recruiter's chair lands the same way: companies want one person to be three people now (security engineer + agent builder + code reviewer), the bar has shifted permanently, and pretending otherwise is a career risk. The people who care about the quality of the work they ship are the ones who will keep getting paid to ship it. The people who don't will compete for a shrinking pool of jobs.

Keith's Monday morning advice for any CISO heading into an agent-builder mandate is to ask for headcount. The agent-builder population inside the company is about to grow much faster than the security population. Without a proportional investment in security expertise — people who understand LLM-introduced risk, can build the guardrails, and can maintain them as they get stale — the supply-chain risk, the work-slop risk, and the operational risk all compound past where the existing team can defend.

Guests — Keith Hoodlet, Engineering Director at Trail of Bits; previously at GitHub (cloud security architect); winner of the DoD's inaugural AI bias bounty

Books mentioned — The Skill Code by Matt Bean (referenced by Keith)

Frameworks / models / tools named — Buttercup (Trail of Bits cyber-reasoning system, second place at DARPA AI Cyber Challenge); MCP Context Protector (Trail of Bits MCP defense tool, available at trailofbits.com/MCP [VERIFY]); Anamorpher (Trail of Bits image-based prompt injection tool); Nemo Guardrails (NVIDIA); LlamaFirewall (Meta); Google Mandiant time-to-exploit report (negative TTE figure); CVE-Genie (the 51% / $2.71 paper, open-source-only context); Hextrike (referenced as the "Cobalt Strike for threat actors" in the AI era); Postmark MCP mirror server (Koi Security disclosure); Apache Log4Shell / Shai-Hulud npm worm (referenced as the supply-chain comparisons); HBR's "work-slop" coverage; MIT Sloan's 95% AI adoption failure stat; OpenAI Operator (referenced); Cursor / Windsurf / Cline / VS Code Copilot (referenced as the agentic IDE category); MITRE CWE Top 25

Other people / shows / resources referenced — Ruby Murphy (Hampton North, guest co-host this week filling in for Stuart Mitchell); Stuart Mitchell (regular co-host, on paternity leave this episode); Walmart CEO Doug McMillon (the "thou shalt use AI / agent builder" framing); Ford CEO Jim Farley (the blue-collar capacity constraint argument); Black Girls Hack (Ruby's referenced talent-pipeline organization); Waymo CEO Tekedra Mawakana (referenced re: the driver-to-tech transition framing); Prof G Markets / Scott Galloway / Ed Elson (closing aside); Conor's "white text on white background contract" anecdote; the prompt-injection-on-LinkedIn-profile gag at the open