Inferensys

Glossary

Man-in-the-Middle (MITM)

A network eavesdropping attack where an adversary secretly intercepts and potentially alters the communication between two agents or services that believe they are directly connected to each other.
Developer reviewing multi-agent chat interface on laptop, agent conversation logs visible, casual coding session at WeWork desk.
NETWORK EAVESDROPPING

What is Man-in-the-Middle (MITM)?

A foundational network attack where an adversary secretly relays and potentially alters the communication between two parties who believe they are directly communicating with each other.

A Man-in-the-Middle (MITM) attack is a cyber intrusion where an adversary covertly intercepts, and potentially modifies, the data stream between two communicating agents or services. The attacker positions themselves logically between the victims, actively relaying messages while maintaining the illusion of a normal direct connection, enabling real-time eavesdropping and data manipulation.

In agentic systems, MITM attacks target inter-agent communication protocols and API calls, often exploiting weak transport layer security or compromised Public Key Infrastructure (PKI). Mitigation requires strict mutual TLS (mTLS) enforcement, certificate pinning, and continuous remote attestation to validate the integrity of all communicating peers within a Zero Trust Architecture (ZTA).

ATTACK ANATOMY

Core Characteristics of MITM Attacks

Man-in-the-Middle attacks exploit the logical or physical positioning of an adversary between two communicating parties. The following characteristics define the technical mechanisms and objectives that distinguish MITM from simple eavesdropping.

01

Interception

The foundational step where the adversary inserts themselves into the communication channel without detection. Common techniques include ARP spoofing on local networks, DNS cache poisoning to redirect traffic, or rogue access points that mimic legitimate Wi-Fi. In agentic systems, this extends to intercepting inter-agent gRPC streams or hijacking message queue connections.

02

Decryption and Re-encryption

The adversary terminates the original TLS session and establishes a separate encrypted session with each victim. This requires presenting a forged or compromised certificate that the client accepts. The attacker decrypts incoming traffic, inspects or modifies it, re-encrypts it, and forwards it to the destination. Certificate pinning and mutual TLS (mTLS) are primary defenses.

03

Traffic Manipulation

Beyond passive observation, the attacker actively alters data in transit. This includes:

  • Payload injection: Inserting malicious commands into API calls
  • Parameter tampering: Modifying transaction amounts or recipient addresses
  • Protocol downgrade: Forcing connections to use weaker cipher suites In agent workflows, manipulating a tool-calling JSON payload can redirect an agent's actions to an attacker-controlled endpoint.
04

Session Hijacking

The attacker steals a valid session token or cookie after authentication completes, bypassing the need to crack credentials. Techniques include cross-site scripting (XSS) to exfiltrate cookies, session sidejacking on unencrypted Wi-Fi, or exploiting predictable session IDs. For autonomous agents, hijacking a JWT bearer token or OAuth 2.0 access token grants the attacker the agent's full authorized scope.

05

Relay and Replay

The attacker captures legitimate authentication material and replays it against the target service in real-time or after a delay. NTLM relay attacks in Windows environments and Kerberoasting are classic examples. In agentic architectures, an intercepted SPIFFE-issued SVID or DPoP-bound token could be relayed to impersonate a workload identity if time-window validations are insufficiently strict.

06

Stealth and Persistence

Sophisticated MITM attacks prioritize remaining undetected. Adversaries employ passive ARP monitoring rather than active probing, use kernel-level rootkits to hide network hooks, or maintain long-lived reverse shells through encrypted command-and-control channels. In agent networks, an undetected MITM can continuously poison retrieval-augmented generation (RAG) pipelines or corrupt agent memory stores over extended periods.

MAN-IN-THE-MIDDLE ATTACKS

Frequently Asked Questions

Explore the mechanics, detection methods, and mitigation strategies for one of the most persistent threats to agent-to-agent communication integrity.

A Man-in-the-Middle (MITM) attack is a cyber eavesdropping technique where an adversary secretly intercepts and potentially alters the communication between two parties who believe they are directly connected. In the context of agentic systems, the attacker positions themselves between two autonomous agents or an agent and its API endpoint. The attack typically involves two phases: interception and decryption. The adversary first gains access to the data stream through techniques like ARP spoofing, DNS cache poisoning, or rogue Wi-Fi access points. Once positioned, they can passively capture sensitive data—such as API keys, JSON Web Tokens (JWTs), or proprietary task parameters—or actively inject malicious payloads to alter agent behavior. For example, an attacker could modify a financial agent's transaction payload, changing the recipient wallet address in real-time without either the sending agent or the receiving service detecting the tampering.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.