The Agentic AI Security Stack - by Fernando Lucktemberg
Next Kick Labs
The Agentic AI Security Stack
Deploy secure agentic AI systems. This free 200+ page reference provides a unified threat model, traces kill chains, and maps every control to OWASP, MITRE ATLAS, & CSA MAESTRO. Share without legal re
Fernando Lucktemberg
Jul 01, 2026
Get the book: Read online and/or download PDF - no email required, no paywall.
Agentic Ai Security Stack V1
4.63MB ∙ PDF file
License: Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 (CC BY-NC-ND 4.0). Free to share with colleagues, cite in documentation, and redistribute with attribution. No commercial use or derivative works.
Copy this to share:
“The Agentic AI Security Stack is a free 200-page practitioner reference covering 12 security layers for agentic AI deployments: threat modeling, credential architecture, isolation, egress control, human-in-the-loop security gates, memory integrity, orchestration trust, agent-native identity, MCP protocol hardening, supply chain verification, audit logging, and regulatory compliance. Every chapter maps to OWASP, MITRE ATLAS, and CSA MAESTRO. Free, CC BY-NC-ND 4.0: https://www.nextkicklabs.com/p/agentic-ai-security-stack-book-release”
For Security Leaders
Most organizations deploying agentic AI systems have no unified security reference that starts from a threat model. The result is a patchwork of controls with gaps that an attacker’s kill chain can move through cleanly. This book names all twelve interception points and maps every one to the OWASP, MITRE ATLAS, and CSA MAESTRO classifications your teams already use.
What this means for your organization:
Structural gap: Agentic AI deployments built without a threat model foundation carry attack surfaces that no individual control will close.
Framework alignment: Teams cannot map informal controls to compliance requirements without a shared vocabulary; this book provides that mapping across OWASP, ATLAS, and MAESTRO.
Cost of inaccessibility: Security knowledge locked behind portals does not reach the engineers making deployment decisions; this reference is free and shareable without legal restrictions.
What to tell your teams:
Read Chapters 2 and 8 together: credential architecture and agent-native identity address different failure modes that are frequently conflated and left unmitigated.
Map your current agent deployment to the ACME kill chain before implementing any individual control.
Review Chapter 9 (MCP Protocol Security) before connecting any agent to an external tool server; transport security and content security are different problems with different mitigations.
The Creative Commons license means you can share this reference across teams and vendors without a legal review step.
From First Article to Free Reference
In February 2026, I published a preview of what I was calling a seven-module guide to agentic AI security. What shipped four months later had twelve chapters, exceeded 200 pages, and had been reviewed by a researcher who helps write the OWASP standards it references. The seven became twelve not because the plan was wrong, but because the threat model was right.
Most agentic AI security guidance starts with controls. It names prompt injection, tells you to sanitize inputs, adds a note about API key hygiene, and calls it a threat model. What that actually produces is a list of issues I already knew about, organized into a format that feels comprehensive. The threat model that produces a complete defense stack starts from the other direction: name the attacker’s objective, trace the kill chain step by step, and let the required controls fall out of that analysis. The twelve chapters of the Agentic AI Security Stack are what that analysis produced.
The Prerequisite
The book could not have been announced in January 2026, when the Security Pivot was announced. The prerequisite was not yet in place.
From October through December 2025, I published articles on AI architecture: Firecracker microVMs, tiered memory systems, orchestration protocols, human-in-the-loop patterns. None of those articles were framed as security work. They were engineering articles, focused on how agentic systems work, not how they fail.
On January 6, 2026, I published a piece mapping that prior work to security frameworks explicitly. The mapping was direct: Firecracker isolation maps to microsegmentation. Schema validation maps to input sanitization. Tiered memory maps to least-privilege context access. Human-in-the-loop maps to dual-approval workflows. The security concepts were already present in the engineering work. The vocabulary was different. The underlying problems were the same.
That article named the prerequisite for what it was. Three months of architecture writing had been answering a question the security work...