Coding agents are the first agentic workload that broke through to enterprise scale.

They’re also the first to inherit developer-level blast radius, with full access to source code, secrets, build pipelines, and production deployment paths. That combination is why coding agent security isn’t a niche within the broader agentic AI security conversation, it’s becoming the proving ground for the entire category.

Whatever security primitives mature here will define the playbook for every other agentic workload that follows.

Coding Is the Breakout AI Use Case

The data on coding agent adoption has moved past early-adopter territory and into enterprise-scale penetration. The Anthropic Economic Index found that 36% of Claude.ai usage is coding, making it the single largest use case on the platform. Cursor hit $2B in annual recurring revenue in roughly 28 months. Claude Code reached a $2.5B run-rate in under 12 months. GitHub Copilot sits at 4.7M paid seats.

The JetBrains 2025 Developer Survey found that 85% of developers now use AI tools regularly and 62% rely on at least one coding assistant as part of their daily workflow. The Octoverse 2025 report found that 80% of new GitHub developers use Copilot in their first week on the platform. Gartner projects 90% of enterprise software engineers will use AI coding assistants by 2028, up from less than 14% in early 2024.

These aren’t projections about future adoption curves, they describe what’s already happening.

Coding agents have crossed the threshold from experimental tooling to default infrastructure in how software gets written, reviewed, and shipped.

Code Volume Is Exploding

The adoption numbers tell one story, but the code volume numbers tell another, and they’re harder to ignore. GitHub is on pace for 14 billion commits in 2026, a 14x increase year over year, with weekly commit volume hitting 275 million.

Claude Code alone accounts for an estimated 4% of public GitHub commits as of early 2026, a share that doubled in roughly six weeks and is projected to reach 20% or more by year end.

The Ramp AI Index for March 2026 showed Anthropic overtaking OpenAI in business adoption at 34.4% versus 32.3%, with Claude Code reaching 326,731 daily commits by mid-March.

This is the largest expansion of write-access to production code in the history of software development. The volume of code being generated, committed, and merged is growing at a rate that outpaces any human review capacity.

As I covered in Vulnpocalypse, the math on vulnerability discovery and remediation was already unfavorable before coding agents entered the picture. The gap between the rate vulnerabilities are introduced and the rate they can be found and fixed was widening, not narrowing. Coding agents accelerate the introduction side of that equation dramatically while currently doing nothing to improve the remediation side, and the downstream implications for vulnerability management programs are significant.

The security question isn’t whether AI-generated code contains more or fewer vulnerabilities than human-written code.

It’s that the sheer volume of code entering production has grown by an order of magnitude while the capacity to review, test, and remediate has not scaled proportionally.

The denominator changed, but the security function didn’t.

The Developer Is the Highest-Value Attack Vector

The shift in attacker focus toward developer workstations and credentials isn’t new, but coding agents have made it structurally worse.

Developer machines hold source code, secrets, build pipeline configurations, cloud credentials, and now permanent agent runtimes with broad system access. The framing of developer workstations as the “new beachhead” captures the dynamic well. The workstation isn’t just where code gets written anymore. It’s where agents with persistent access to git, file systems, shell commands, and cloud SDKs operate continuously.

The open source supply chain attack data reinforces this. Sonatype’s 2026 report documented over 454,600 new malicious packages in 2025 alone, with 99% targeting npm.

The Shai-Hulud campaign became the first self-replicating npm worm, and its second wave (Shai-Hulud 2.0) compromised over 25,000 GitHub repositories and 600 to 800 npm packages. Unit 42 assessed with moderate confidence that LLMs were used to generate parts of the payload.

The named campaigns of the past 12 months, including s1ngularity targeting Nx, the chalk and debug compromises, the axios supply chain attack, the LiteLLM credential harvesting operation, and the TanStack incident, all follow the same pattern.

They target the developer environment, they target credentials, and they increasingly target the tools developers trust.

Coding agents sit directly in this attack path.

They consume packages, execute shell commands, read configuration files, and interact with the same repositories and registries that attackers are poisoning. The Nx malware campaign specifically targeted Claude Code, using flags designed to bypass its guardrails. This isn’t hypothetical risk modeling, it’s observed adversary behavior adapting to the tools developers actually use.

Coding Agents Amplify Every Existing Developer-Side Risk

The risk profile of coding agents goes beyond their role as another tool in the developer’s stack.

They inherit the user’s permissions by default, which means full local file system access, shell execution, git credentials, IDE-stored secrets, dotfiles, and write access to production repositories through commits, pull requests, and CI/CD triggers. UpGuard’s 2026 research found that 1 in 5 developers grant AI coding tools unrestricted workstation access, and almost 20% allow the AI to automatically save changes to the project’s main code repository with no human review.

The CVEs are already here too. Cursor’s CVE-2026-26268 was a sandbox escape that enabled remote code execution through malicious git repositories, rated 9.9 out of 10 in severity. Check Point disclosed CVE-2025-59536 and CVE-2026-21852 in Claude Code, enabling RCE and API key theft through malicious repository configuration files.

A separate vulnerability in Claude Code’s deny-rule implementation allowed command chains exceeding 50 subcommands to silently bypass security restrictions. These aren’t theoretical attack surfaces. They’re patched vulnerabilities that demonstrate the blast radius when a coding agent’s trust model gets exploited.

The Persistent Credential Problem Gets Worse

Credential exposure and compromise has been a persistent attack vector in every major threat report for years.

M-Trends and the DBIR consistently rank stolen credentials among the top initial access methods. Coding agents make this problem structurally harder because they are themselves new non-human identities with high-trust scopes.

They mediate access to GitHub PATs, npm tokens, cloud keys, and MCP server connections by default. Research found that 97% of NHIs are over-permissioned and that 0.01% of machine identities control 80% of cloud resources.

The breach pattern is already established. The incidents at Home Depot, Red Hat GitLab, Salesloft-Drift, and the Crimson Collective campaign all followed the same trajectory in 2025, which included leaked non-human identities to broad lateral movement.

Coding agents now sit at the intersection of all of these credential types, holding or mediating access to the same tokens and keys that attackers consistently target. The OWASP Non-Human Identities Top 10 exists for a reason, and coding agents are creating new NHI categories faster than most identity programs can inventory them.

The Emerging Security Primitives

The defensive stack for coding agents is taking shape across several layers, roughly in order of maturity.

Visibility comes first because you can’t secure what you can’t see. Which agents are running, on whose machines, with which permission scopes, connected to which MCP servers, and executing which tool calls. Most organizations can’t answer these questions today. Agent inventory and scope mapping is the baseline requirement, and without it every other layer is built on assumptions rather than evidence.

Posture management focuses on pre-deployment configuration. Deny rules, permission scoping, disabling dangerous flags like --dangerously-skip-permissions, and hardening agent configurations before they run in production environments. This is the prevention layer that reduces the attack surface before runtime, and it’s where organizations with mature configuration management practices have the clearest head start.

Governance addresses the organizational questions. Who can install which agents, which models they connect to, which plugins and extensions are approved, and what policy frameworks govern their behavior. Only 41% of employers have a formal AI tools policy according to JetBrains’ April 2026 research, which means the majority of organizations deploying coding agents are doing so without formal governance structures in place. That gap between adoption velocity and governance maturity is where the most preventable incidents will come from.

Detection and response brings runtime telemetry to agent behavior.Various vendors work on runtime security for coding agents demonstrates what this looks like in practice, applying the same continuous monitoring principles from cloud workload protection to agent execution, catching anomalous behavior patterns in tool calls, file access, and network activity. The key shift here is extending detection beyond infrastructure-level telemetry into the agent’s reasoning and action layer, where the attacks that matter most for coding agents actually occur.

Sandboxes as a Containment Boundary

Sandboxing has emerged as one of the most tangible security primitives for coding agents, and it’s the one that most directly addresses the blast radius problem. The core logic is straightforward. If a coding agent inherits the user’s full permissions by default, then constraining the environment where the agent executes is the most direct way to limit what a compromised or misbehaving agent can actually reach.

I have dove into the topic of Sandboxes for Agents with several guests and industry experts, including Alex Zenla of Edera and Luke Hinds, creator of nono.

The implementations vary significantly across platforms, and the differences matter.

Claude Code’s sandbox uses OS-level primitives, specifically Linux bubblewrap and macOS seatbelt, to restrict file system access to the current working directory and route network traffic through an external proxy.

Anthropic reported an 84% reduction in permission prompts with the sandbox enabled, which tells you something about how much unnecessary access agents were exercising by default before containment was in place.

Cursor’s sandbox takes a similar OS-native approach with Apple Seatbelt on macOS and seccomp plus Landlock on Linux, restricting file system writes to the workspace and /tmp while blocking network requests by default.

OpenAI’s Codex runs entirely in cloud-deployed microVMs with a dedicated filesystem, process space, and internet access disabled during execution, which is the strongest isolation model among the major coding agents but comes with the tradeoff of not running on the developer’s local machine.

GitHub Copilot’s cloud agent takes yet another approach, running in a sandboxed environment with a built-in firewall and recommended allowlist for package repositories and container registries. Organization admins can manage the firewall and custom allowlists across all repositories. The documentation is honest about limitations though. The firewall only applies to processes started by the agent via its Bash tool, not to MCP servers or processes started during setup steps.

The honest assessment of sandboxing is that it’s necessary but not sufficient, and the CVE history proves it. Cursor’s CVE-2026-26268 was specifically a sandbox escape. Shell built-in commands like export, cd, and echo are implicitly trusted and executed without confirmation in some implementations, creating bypass paths through environment variable manipulation.

The broader research on agent sandboxing consistently finds that environment variable exfiltration remains possible even in properly isolated sandboxes unless egress is explicitly restricted and secrets are scrubbed from the execution context. The UK’s AI Security Institute (AISI) for example found sandboxed AI agents can still learn a great deal about their hosting environments.

What sandboxes do well is establish a containment boundary that limits the blast radius of the most common failure modes, accidental file system modifications, credential reads from files and config directories, and unauthorized network calls.

What they don’t do is protect against attacks that operate within the sandbox’s permitted scope, like prompt injection that causes the agent to write malicious code to the files it’s authorized to modify or commit backdoored changes to the repository it’s authorized to push to.

Sandboxing constrains where the agent can act. Hooks and runtime enforcement constrain what the agent can do within those boundaries.

Hooks as a Key Security Primitive

One of the most significant defensive primitive emerging for coding agents is hooks, and the distinction from both sandboxes and prompt-level guidance is worth discussing further.

CLAUDE.md files and system prompts are advisory. As I wrote in a recent blog post from my Zenity team, “System Prompts Are Not Security Controls: A Deleted Production Database Proves It”, which was tied to the real-world PocketOS incident, where an agent outright ignored its system prompt and deleted production data.

The model can choose to follow them or not. Sandboxes constrain the execution environment but can’t evaluate the intent or appropriateness of actions within their permitted scope. Hooks are deterministic and semantic. They fire at the process level regardless of what the model decides, intercepting tool calls before execution and enforcing policy decisions that the agent cannot override or reason its way around.

As I covered in A Look at an Emerging Runtime Enforcement Layer for Agents, hooks represent a convergence pattern across multiple agent platforms, with implementations showing up in Claude Code, Cursor, Windsurf, Cline, GitHub Copilot, and OpenClaw.

The data supports the distinction as well. Research on runtime policy enforcement found 48% policy compliance without a reference monitor compared to 93% with one. The difference between advisory guardrails and deterministic enforcement is the difference between hoping the agent behaves and ensuring it does.

There’s a caveat worth discussing as well, as attackers and researchers seem to have an infinite amount of ingenuity as we all painfully know.

Hooks themselves are now an attack surface. The Check Point disclosure chain included malicious .claude/settings.json files that could manipulate hook configurations through compromised repositories. Trust the repo before you trust its hooks. This is the same lesson the industry learned with CI/CD pipeline configurations, where the policy enforcement mechanism is only as trustworthy as the supply chain that delivers it.

Where this is heading is becoming clearer.

Hooks become a policy-as-code layer for agentic development, playing the same role that infrastructure-as-code scanners played for cloud security. Sandboxes provide the containment boundary. Hooks provide the semantic enforcement within that boundary. Together they form the two-layer defense model that coding agent security is converging toward, one constraining the environment and the other constraining the behavior. The question isn’t whether both will be required but how fast the tooling matures to support them at enterprise scale.

The Market Opportunity

I watch this market closely, as I work at Zenity, one of the leading players in the Agentic AI Security space, where I serve as the VP Security Strategy. I’m seeing narrow focused startups focused on endpoint coding agents exclusively, as well as some agentic security/AI security startups pivot to emphasize their focus on endpoint coding agents given the market opportunity and momentum as well.

Our team at Zenity was recently named the company to beat in Agent Governance. That said, I obviously am closely watching this category and market both as someone operating at a vendor building in this space, and looking to understand it both from the market and technical perspective.

The market dynamics reflect the adoption reality.

MarketsandMarkets sizes the agentic AI security market at $1.65 billion in 2026, growing to $13.52 billion by 2032 at a 42% compound annual growth rate.

Coding agent revenue is the leading indicator. Claude Code alone hit a $2.5B run-rate in under 12 months. Information Matters’ Q1 2026 analysis estimated the broader agentic AI market at $40 billion today with a path to $140 billion by 2030.

The procurement tailwind is worth acknowledging as real, given the various sources and metrics discussed.

The gap between coding agent adoption (85% of developers using AI tools) and formal governance (only 18% of enterprises have guidelines for AI-generated code) creates the exact conditions that drive security platform buying and creates an opportunity for agentic AI security vendors. Every organization deploying coding agents without governance, visibility, and enforcement is a future buyer of these capabilities.

The security primitives maturing around coding agents today, from visibility and posture management to sandboxing, runtime detection, and hooks-based enforcement, are the same primitives that every other agentic workload category will need. The vendors building for coding agent security are building for the entire agentic security market.

Where It Goes From Here

Coding agents are the first agentic workload to hit production at scale, with measurable revenue, measurable adoption, and measurable risk.

The security category forming around them isn’t waiting for the rest of the agentic AI market to catch up, it’s setting the terms. The defensive primitives that win here, visibility, governance, sandboxing, runtime detection, and deterministic enforcement through hooks, will become the reference architecture for securing every agentic workload that follows.

Defenders who own the coding agent boundary today will own the agentic security category tomorrow.