Rogue Agents

Mythos doesn’t send one rogue agent.It sends a hundred quiet ones.

Attackers use models like Mythos to chain hundreds of agents into a single attack. It splits one goal across them, so each agent carries out only a small piece.

TOTAL Persona Rogue Fleets view: a fleet of 104 agents executing one coordinated plan, visualized converging on a single detected intent, with fleet reach and coordination metrics below.
The shape of the threat

Every agent stays under the line. The attack lives between them.

Each agent stays inside its permissions: a few more reads, a wider query, a credential used on a system it rarely touches. Nothing an individual agent does is enough to trip an alarm. The attack exists only in the sum of them.

Each agent, in scope Alarm threshold Σ the fleet Together, a breach
How TOTAL reads it

We don’t watch agents. We read the fleet as one.

Rule engines and statistical models judge one identity at a time, the gap a Mythos-style model is built for. TOTAL reasons across the whole fleet instead: not what each agent is doing, but what all of them are doing together, and whether those actions add up to a plan no single agent reveals.

TOTAL Rogue Agents architecture: steward intent drift (persona drift from identity and from cluster) and agent execution drift feed agentic reasoning logic and an AI Judge, which determines why an agent is rogue, whether external compromise, malicious insider exploitation, or governance creep from poor guardrails and over-permission, over an agent governance stack.
Persona™·The generative reasoning model behind every TOTAL application.·Read more
A moving target

The methods never stop changing. Reasoning catches them anyway.

AI produces new attack methods faster than anyone can write rules for them. TOTAL does not need to have seen an attack to catch it. It reasons about whether the behavior makes sense, while a rule can only match what it already knows.

psychology

The Turned Agent

A poisoned instruction quietly changes what it is working toward, and it still holds every permission it was trusted with.

cloud_download

Distributed Exfiltration

Each agent keeps its reads just under the DLP threshold, and the data trickles out in small pieces that add up to the whole set.

water_drop

The Poisoned Well

One poisoned record in the shared vector store is all it takes, because every agent that reads it treats it as the truth.

account_tree

The Injection Cascade

When one agent’s output feeds the next, a prompt injection rides along and works its way down the chain.

schedule

The Dormant Swarm

Spun up once and forgotten, these agents still carry credentials that never expired, and one signal wakes them all at once.

hub

Cross-Fleet Collusion

Agents that belong to different owners, even different tenants, each staying inside its own rules while quietly running the same plan.

Inside TOTAL

See a rogue agent caught. With the reasoning behind it.

TOTAL Predict case for a rogue NHI: the dwh-batch-export-agent workload flagged as rogue, with a threat brief explaining the Microsoft Graph retry storm and token-acquisition spike, a timeline of the drift events, and Mark Safe or Mark Unsafe actions.

A hundred agents. One intent.We stop it before the breach.

TOTAL reasons over millions of identities at once, and surfaces the malicious intent hidden across the fleet.