Palo Alto Networks completed its acquisition of Koi on April 15, using the deal to formally define a new product category: Agentic Endpoint Security. The timing tells the story. One day earlier, researchers at CALIF published a detailed account of OpenAI’s Codex autonomously escalating from a browser foothold to root on a real Samsung Smart TV. Six days before that, Norton launched the first consumer security product designed to monitor what AI agents do on a user’s machine in real time.

Three events in one week. Each from a different direction. All pointing to the same conclusion: autonomous AI agents have fundamentally changed what “the endpoint” means, and the existing security stack has no answer.

What Palo Alto Bought

Koi built security tooling specifically for the non-binary software layer that traditional endpoint detection and response (EDR) misses entirely. Code packages, browser extensions, IDE plugins, MCP servers, local containers, model artifacts: these components are installed directly by developers and employees, often without centralized IT oversight. They are not classic executables. Most EDR products never see them.

Palo Alto is integrating Koi’s technology into two product lines. Prisma AIRS (AI Runtime Security) gains visibility into agentic AI running on endpoints, providing a single control plane for enterprise-wide AI adoption. Cortex XDR gets a new module designed to identify and remediate risks within what the company calls “the unmanaged AI software ecosystem.” Koi’s standalone product remains available for customers running other EDR solutions.

Chief Product Officer Lee Klarich framed the acquisition in explicit terms: “These agents operate with access to critical systems and sensitive data, creating the ultimate insider threat,” he said in the press release. “With the acquisition of Koi, we are delivering the only solution I’ve seen to secure vibe coding and agentic AI at the endpoint.”

The press release mentions Claude Code and OpenClaw by name. That specificity is notable. Palo Alto is not selling protection against a hypothetical future. The company is telling enterprises that tools already running on their developer machines constitute the attack surface they need to secure now.

The Threat That Built the Category

Palo Alto’s acquisition blog provides the numbers that justify the new category. Researchers identified more than 135,000 exposed OpenClaw instances running on the open internet due to default configurations. Koi’s own research found more than 800 malicious skills in OpenClaw’s marketplace. A separate Koi investigation documented AI extensions in VS Code leaking code from 1.5 million developers, and the first malicious MCP server in the wild, which silently forwarded every email to the plugin creator after developers had already started using it.

Barracuda Networks published a parallel analysis on April 9. Their assessment of OpenClaw’s security risks concluded that “most real-world risk comes from insecure deployment, not zero-day exploits, especially internet-exposed agents and over-privileged identities,” according to a blog post by the Barracuda team. The recommendation: treat agentic AI as untrusted code by default.

Then came the CALIF research that made the risk visceral.

What Codex Did to a Samsung TV

On April 14, security researchers at CALIF published a full write-up of an experiment that started with a simple question: if you give an AI agent a partial foothold on a real device and matching firmware source code, can it escalate to root without being told where to look?

The answer was yes.

The researchers gave OpenAI’s Codex a browser-level shell (uid=5001, no root) on a Samsung Smart TV running Linux kernel 4.1.10 under Samsung’s Tizen platform. They provided the matching KantS2 firmware source tree. They did not point Codex at any specific driver, mention physical memory, or provide credential information.

Codex independently enumerated the attack surface and identified world-writable device nodes from the ntk* driver family. It read through Samsung’s vendor driver source code (the Novatek Microelectronics stack) and found a kernel interface (/dev/ntksys) that accepted physical addresses from user space and mapped them directly into the caller’s process without validating whether the requested range belonged to privileged memory. It built a proof chain in stages: first using /dev/ntkhdma to obtain a known-good physical address, then mapping it through ntksys to confirm read/write access, then scanning RAM to locate the browser process’s kernel credentials, and finally zeroing the uid/gid fields to achieve root.

“The AI had to enumerate the target surface on its own, read through Samsung’s vendor driver source code, and verify every finding against the live device,” the CALIF researchers wrote. As Cybersecurity News reported, this “behavior closely mirrors a skilled human penetration tester working a real engagement.”

The TV runs firmware representative of millions of deployed consumer devices. The root cause (world-writable udev rules on a memory-management interface) was a design error in Samsung’s shipped configuration, not a novel zero-day. The vulnerability was a known class of issue that a human analyst would eventually find. The difference: Codex found it without guidance, in a single session, operating as an autonomous agent.
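
A defender-side check for the root cause named above, added here as an example and not taken from the CALIF write-up or Samsung's firmware: it parses udev rules and flags any rule that sets the world-write bit on a device node outside a small allowlist. The sample rules, the allowlist and the `exampledev` name are constructed assumptions; only the `ntksys` and `ntkhdma` names come from the text.

```python
import glob
import re
import stat

# Constructed sample rules, NOT Samsung's shipped file. Only the names
# ntksys and ntkhdma come from the write-up; exampledev is made up.
SAMPLE_RULES = '''\
# vendor device permissions (constructed)
KERNEL=="ntksys", MODE="0666"
KERNEL=="ntkhdma", \\
    MODE="0666"
KERNEL=="exampledev", OWNER="root", GROUP="video", MODE="0660"
SUBSYSTEM=="input", KERNEL=="event*", MODE:="640"
KERNEL=="null", MODE="0666"
'''

# Assumption: nodes that are world-writable by design on most Linux systems.
ALLOW = {"null", "zero", "full", "random", "urandom", "tty", "ptmx"}

# One udev key/operator/value triple, e.g. KERNEL=="ntksys" or MODE:="640".
PAIR = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')

def logical_lines(text):
    """Join backslash-continued lines, drop blanks and comments."""
    for line in re.sub(r'\\\r?\n', ' ', text).splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            yield line

def world_writable_rules(text, allow=ALLOW):
    """Return (kernel_match, mode) for rules that set the o+w bit."""
    findings = []
    for line in logical_lines(text):
        pairs = PAIR.findall(line)
        modes = [v for k, op, v in pairs if k == "MODE" and op in ("=", ":=")]
        names = [v for k, op, v in pairs if k == "KERNEL" and op == "=="]
        if not modes or not re.fullmatch(r'[0-7]{3,4}', modes[-1]):
            continue  # no MODE assignment, or a non-octal/substituted value
        mode = int(modes[-1], 8)
        if mode & stat.S_IWOTH and not (names and set(names) <= allow):
            findings.append((names[0] if names else "*", oct(mode)))
    return findings

if __name__ == "__main__":
    print("sample:", world_writable_rules(SAMPLE_RULES))
    # Standard udev rule directories on a Linux host.
    for path in glob.glob("/etc/udev/rules.d/*.rules") + glob.glob("/usr/lib/udev/rules.d/*.rules"):
        with open(path, errors="replace") as fh:
            for hit in world_writable_rules(fh.read()):
                print(path, hit)
```

Each hit is a rule to review against the driver it exposes: a world-writable node is only as safe as the validation the driver performs on caller-supplied input.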

For the AES thesis, the CALIF research validates a specific concern. Agent-powered tools running with any system-level access can now be expected to discover and exploit privilege escalation paths at machine speed. Traditional EDR, designed to detect known malware signatures and behavioral patterns in conventional executables, has no model for an AI agent that reads kernel source code and builds a custom exploit chain autonomously.

The Consumer Side

While Palo Alto targets enterprise buyers, Norton shipped the consumer counterpart. On April 9, Gen Digital announced the beta launch of Norton AI Agent Protection in Norton 360 for Windows.

The product introduces what Gen calls a “trust layer” between an AI agent’s decisions and their execution on a user’s device. It operates in three tiers: safe actions proceed without interruption, confirmed threats are blocked automatically, and suspicious actions are paused for user review before execution.

Travis Witteveen, Head of Products at Gen, described the gap: “People are giving AI agents significant access to their machines, accounts and personal information because that’s what makes them powerful. But until now, there’s been no way to verify what those agents are about to do and the potential harm they could cause with one bad decision or click.”

Gen’s Threat Labs provided the threat data driving the product. The team identified “approximately hundreds of malicious skills in public agent registries,” according to the press release. The product currently works across Claude Code, Cursor, and OpenClaw on Windows, with Mac support coming.

Norton AI Agent Protection represents a signal beyond its immediate functionality. When a consumer antivirus brand builds a product category around AI agent oversight, the threat has crossed from the security research community and enterprise SOCs into the mainstream protection market.

What AES Actually Protects Against

Traditional EDR monitors processes, files, and network connections. It excels at detecting known malware, suspicious executables, and lateral movement patterns. Agentic Endpoint Security, as Palo Alto defines it, targets a different layer.

The problem is that AI agents are legitimate software. They run with the user’s credentials and permissions. They read files, execute commands, browse the web, and invoke APIs. When compromised or misused, they do all of those things at machine speed, using the same legitimate access paths they use for productive work. An EDR product sees an authorized process performing authorized actions. The malicious intent is invisible at the process level.

AES addresses this by monitoring the decision layer, not just the execution layer. It tracks what an agent is about to do, why it’s doing it (based on the instruction chain), and whether that action falls within policy boundaries. The Palo Alto/Koi integration adds this monitoring to the existing Cortex XDR and Prisma AIRS control planes, meaning enterprises can set policies for agent behavior alongside their existing network and cloud security posture.

Norton’s consumer approach is simpler but structurally similar. Instead of policy engines and compliance frameworks, it gives individual users a review checkpoint. The underlying principle is identical: intercept agent actions before execution, not after.

The Competitive Landscape

Palo Alto is not the only company moving into this space, but it is the first to name the category explicitly and build an acquisition strategy around it. CrowdStrike’s Charlotte AI AgentWorks ecosystem (announced at RSAC 2026) approaches the problem from the SOC side, using agents to detect and respond to threats. Microsoft’s Agent Governance Toolkit, released as open source on April 14, targets the policy and compliance layer. Cisco’s reported $250-350M pursuit of Astrix Security suggests identity governance for agents will be another major investment area.

The distinction matters. CrowdStrike and Microsoft are building tools where agents defend against threats. Palo Alto and Norton are building tools that defend against the agents themselves. Both are necessary. The CALIF research shows why: an AI agent operating with legitimate access can discover and exploit vulnerabilities that traditional security tools were built to defend against. The attack surface and the defense surface are now the same software layer.

What This Means for the Agent Stack

For developers deploying agents in production, the Palo Alto/Koi acquisition changes the procurement conversation. Enterprise security teams now have a vendor-supported framework for evaluating and controlling agent behavior on endpoints. “Can we secure the agents on developer machines?” has a product answer instead of a policy wish.

For agent platform builders, the category creation adds a compliance checkpoint. Enterprises adopting OpenClaw, Claude Code, or Cursor in regulated environments will increasingly require AES-compatible deployments. Platform teams that build observable, policy-hookable agent architectures will have an easier path to enterprise adoption than those that treat the agent as a black box.

For the security industry, the week of April 8-15 may mark the moment when agentic AI security stopped being a conference panel topic and became a shipping product category. The Palo Alto acquisition, Norton’s consumer beta, and the CALIF research form a complete narrative: the threat is real, the market response is real, and the products are arriving from both the enterprise and consumer sides simultaneously.

The endpoint changed. The security stack is catching up.