BOSTON, MASSACHUSETTS (Newsworthy.ai) — As credential theft accelerates in the age of AI, VectorCertain LLC today announced validation results demonstrating its ability to detect and prevent credential exfiltration before execution across large-scale adversarial testing.
The company tested 1,000 adversarial scenarios across seven sub-categories of credential theft, including HSM key extraction, SWIFT token compromise, and bulk credential harvesting. SecureAgent achieved 100% recall, detecting and preventing 839 of 839 credential theft attempts with zero false negatives. The system also posted 97.5% specificity, with only four false positives across the 1,000 scenarios. Statistical analysis using the Clopper-Pearson exact binomial method confirmed a lower bound of ≥99.65% at 3-sigma confidence across the full 7,000-scenario MYTHOS validation.
The Verizon 2025 Data Breach Investigations Report, covering over 22,000 security incidents and 12,000 confirmed breaches, found that stolen credentials remain the #1 initial access vector for the second consecutive year. Stolen credentials account for 88% of web application breaches, and infostealers compromised 30% of corporate-managed devices. Against this backdrop, AI agents operating at machine speed with legitimate access to credential stores pose an unprecedented threat.
Financial services are particularly vulnerable. The average cost of a data breach in the sector reached $5.56 million in 2025, with credentials compromised in 22% of cases. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) network processes trillions of dollars daily across 11,000+ institutions. Major SWIFT attacks, such as the Bangladesh Bank heist that used stolen credentials to issue 35 fraudulent transfer requests totaling $951 million, have historically required human operators spending days to compromise credentials. An AI agent can perform the same extraction autonomously in minutes.
VectorCertain's T5 validation tested scenarios generated via Anthropic's Claude API, never seen during development, and executed with no pre-processing or filtering. The seven sub-categories included HSM key extraction, SWIFT token compromise, bulk credential harvesting, OAuth token and API key theft, session hijacking and token replay, environment variable and config file exfiltration, and credential forwarding and exfiltration. SecureAgent blocked all 839 attempts before any credential left the governed environment.
Joseph P. Conroy, Founder and CEO of VectorCertain LLC, stated, "Credentials are the atomic unit of financial crime. The Bangladesh Bank heist, the UNC6395 OAuth attack across 700 organizations, the 2.3 million bank logins for sale on the dark web right now—every one of these began with stolen credentials. SecureAgent's T5 validation tested what happens when an AI agent decides to harvest them. Eight hundred thirty-nine attempts. Zero credentials exfiltrated."
The company's SecureAgent governance pipeline uses a five-layer architecture that evaluates every credential access before the credential enters the agent's context window. Gate 1 classifies credential infrastructure access as suspect, Gate 2 detects bulk harvesting patterns, Gate 3 confirms via a credential-integrity classifier, and Gate 4 validates with multiple detection models. Total block time is under 10 milliseconds.
VectorCertain's intellectual property is protected by a 55-patent hub-and-spoke portfolio, with 21 patents filed. The company also achieved conformance with all 230 control objectives of the CRI Financial Services AI Risk Management Framework and earned a TES score of 1.9636 out of 2.0 in its internal MITRE ATT&CK ER8 evaluation, covering 14,208 trials across 38 techniques with zero failures.
For more information, visit vectorcertain.com.
