Securing the Agentic Web: How to Defend Against llms.txt Poisoning, x402 Payment Fraud, and Markdown Injection

Something fundamental shifted in how the web works. AI agents are no longer just answering questions — they're browsing websites, reading documentation, and making purchases. Three protocols are converging to create what we're calling the "agentic web":

1. llms.txt — a proposed standard where websites place a markdown file at their root that gives AI agents a structured summary of the site's content. Over 784 sites have adopted it.

2. Accept: text/markdown — Cloudflare's "Markdown for Agents" feature automatically converts HTML to markdown at the edge when AI agents request it, cutting token usage by 80%.

3. x402 — Coinbase's payment protocol that revives the HTTP 402 "Payment Required" status code, enabling AI agents to make autonomous stablecoin payments without API keys or checkout flows. It's already processed over 50 million transactions.

Each of these is individually useful. Together, they create an attack surface that didn't exist six months ago. An AI agent can now discover a site's capabilities (llms.txt), consume its content in a format optimized for LLM processing (markdown), and pay for premium access (x402) — all autonomously, without human oversight.

The security implications are significant. OWASP released the Top 10 for Agentic Applications 2026, and research from UC Davis found that 94.4% of state-of-the-art LLM agents are vulnerable to prompt injection. When those agents can also spend money, the blast radius of a successful attack goes from "leaked data" to "drained wallet."

We've identified four distinct attack vectors that emerge from agentic web access. Each exploits the trust boundary between AI agents and web content.

Individual detections are useful. Correlated detections are powerful. 1-SEC's ThreatCorrelator watches for multi-module attack patterns from the same source within a time window. We've added three new attack chain definitions specifically for agentic web threats:

Content Poisoning → Agent Goal Hijack → Unauthorized Payment: When the data_poisoning module detects a content integrity violation, the ai_containment module detects a goal divergence or policy violation, and the api_fortress module detects API abuse — all from the same source — this triggers a CRITICAL correlated alert. This is the full kill chain of a poisoned llms.txt redirecting an agent to make unauthorized x402 payments.

Markdown Injection → Agent Scope Escalation: When the llm_firewall detects prompt injection patterns and the ai_containment module detects scope escalation from the same source, this indicates an attacker embedded instructions in web content to escalate agent privileges.

Web Content Poisoning → Data Exfiltration: When data_poisoning detects a content integrity violation and network_guardian detects exfiltration indicators from the same source, poisoned web content may have redirected an agent to exfiltrate data.

These chains catch attacks that no single module would flag as critical on its own. A content change on an llms.txt endpoint is LOW severity. An agent making a payment is normal. But a content change followed by a goal divergence followed by an unusual payment — that's a coordinated attack.

Before you can defend the agentic web, you need to see it. We added 6 new canonical event types to our versioned telemetry contract so 1-SEC can monitor the structured events that agent frameworks emit:

agent_web_fetch tracks URL, domain, accept header, status code, and content hash. This is the raw signal for web reconnaissance detection — every URL an agent touches is observable.

agent_markdown_ingest triggers pre-ingestion scanning before an agent consumes markdown content. It captures the full content, source URL, domain, and endpoint type (llms.txt vs Accept: text/markdown) so the MarkdownIngestionScanner can analyze it before it reaches the LLM context.

agent_payment and x402_payment are the financial transaction monitoring signals. They track amounts, recipients, currencies, protocols, merchant IDs, wallet IDs, and spending limits. The x402_payment type specifically captures HTTP 402 protocol transactions.

agent_identity_delegation is the identity verification signal. It tracks delegation chains, scopes, expiry timestamps, and cryptographic attestation — everything needed to verify that an agent acting on behalf of a human has valid, non-expired, non-escalated authority.

llms_txt_access tracks domain-level access to llms.txt and llms-full.txt endpoints, including content hashes and response sizes for integrity monitoring over time.

These event types are part of the versioned telemetry contract exposed via the /api/v1/event-schemas endpoint. Agent frameworks emit these events, and 1-SEC's modules subscribe to exactly the types they handle.

The Rust sidecar engine handles high-throughput pattern matching using Aho-Corasick prefiltering — scanning thousands of events per second for injection patterns, exfiltration indicators, and known-bad signatures. For agentic web access, this means:

Markdown content from llms.txt and Accept: text/markdown responses can be scanned at wire speed for injection patterns before the Go modules do deeper semantic analysis. The Rust engine publishes match results to the NATS event bus, and the RustMatchBridge converts them into alerts that feed the enforcement pipeline.

We added 7 new category-to-module mappings in the bridge: markdown_injection, agent_web_recon, agent_payment_fraud, x402_abuse, llms_txt_poisoning, web_content_tampering, and delegation_abuse all route to the appropriate Go modules (ai_containment and data_poisoning) for enforcement.

This two-tier architecture — Rust for speed, Go for depth — means we can scan every piece of web content an agent touches without adding latency to the agent's operations. The Rust sidecar is optional (the Go engine works fine without it), but for high-volume agent deployments, it's the difference between sampling and full coverage.

Detection without enforcement is just logging. 1-SEC's response engine executes automated actions based on configurable policies per module. For agentic web threats, the vps-agent enforcement preset (designed for AI agent hosts) includes:

ai_containment: kill_process on MEDIUM severity (agent violating containment), block_ip on HIGH (shadow AI or unauthorized endpoint), webhook notifications on all detections.

The approval gate adds human-in-the-loop for destructive actions. When an agent payment exceeds thresholds, the enforcement engine can hold the action pending human approval — with configurable TTL, auto-approve above severity thresholds, and webhook notifications to the SOC team.

For the new agentic web detections specifically:

- Markdown injection (CRITICAL): drops the connection and blocks the source IP for 8 hours - Agent spending limit exceeded (CRITICAL): kills the agent process and notifies via webhook - Unauthorized domain access (HIGH): blocks the IP and logs for audit - llms.txt probing (MEDIUM): rate-limits and logs - Delegation without attestation (MEDIUM): logs and notifies

All enforcement actions are recorded with full audit trails, and dry-run mode lets you test policies before going live.

Everything described in this post ships as a single Go binary with an optional Rust sidecar. No cloud services, no external APIs, no databases to manage. The embedded NATS event bus handles inter-component communication, LRU caches handle state, and all pattern matching is compiled into the binary.

We also shipped 24 new contextual mitigation sets — specific, actionable remediation guidance for every agentic web alert type. When the MarkdownIngestionScanner fires, the alert includes mitigations like "scan memory writes for instruction-like patterns before persistence" and "use structured memory formats that separate data from instructions." These aren't generic recommendations — they're targeted to the exact detection that fired.

This matters for agentic web security because the security layer needs to be as close to the agent as possible — ideally on the same host. If your security monitoring requires network calls to external services, you've added latency to every agent action and created a dependency that can be targeted by the same attackers you're trying to detect.

1-SEC runs as a sidecar next to your agent infrastructure. It monitors events from your agent framework (via the event bus or HTTP API), applies detection logic locally, and enforces responses in real time. The only external communication is optional — cloud dashboard reporting and webhook notifications.

To start monitoring agentic web access, enable the ai_containment and data_poisoning modules in your 1-SEC config and instrument your agent framework to emit the new event types:

agent_web_fetch — when your agent fetches any web URL agent_markdown_ingest — when your agent consumes markdown content from external sources agent_payment / x402_payment — when your agent initiates any payment agent_identity_delegation — when your agent acts on behalf of a human llms_txt_access — when your agent accesses an llms.txt endpoint

The enforcement preset "vps-agent" includes policies for all agentic web detections out of the box. Start in dry-run mode, review the alerts, then switch to live enforcement when you're confident in the policy tuning.

The agentic web is being built right now. The protocols are moving fast. The security controls need to move faster.