In my day job, I run AI pentest agents against real targets like banks, fintechs, and secured production stacks with paid WAFs. I also deal with multilayer infrastructure and dedicated security teams. Despite these defenses, I keep finding high and critical vulnerabilities using just an LLM agent loop, a few open-source tools, MCP servers, and Burp Suite.

The volume of traffic is increasing quickly. Agent-driven activity in web logs has shifted from occasional noise to a constant background presence. Tools like PentestGPT, CAI, Strix, and HexStrike allow you to set up fully autonomous agents against any target for under a dollar an hour of API cost. Most teams haven’t noticed this change because their tools weren’t designed to detect it.

This repetition started to concern me. Despite all the paid WAFs, the rules, and the layered infrastructure, I could still guide an AI agent through a secured target and find critical issues. So what is the actual defense?

The realization that changed my perspective: blocking doesn’t work. A 403 error is simply a signal in an LLM's context window. The agent sees "defended here," updates its model, and pivots in milliseconds. Every block provides free information that shows the attacker where your weaknesses are.

That’s why I created VeilGate as a deception proxy, not just another blocker. It sits in front of your app and operates in modes such as `observe`, `challenge`, `tarpit`, or `auto`. Each request is scored based on protocol fingerprints, behavioral signals, and online machine learning. Requests below the threshold are forwarded to your main app normally. Ambiguous traffic receives a browser proof-of-work challenge. High-confidence agent traffic gets redirected into tarpit mode, where it encounters a deception layer instead of your actual app.