Pretense
Back to Blog
·11 min read
BreachesSecurity2025Incidents

5 Real AI Security Incidents from 2025 — and How Pretense Stops Each One

The breaches that defined AI security in 2025: code leaked through Cursor, API keys exposed in Claude sessions, enterprise IP in Copilot context windows. Here is exactly how Pretense prevents each attack vector.

2025: The Year AI Security Became Non-Optional

The warnings were there in 2023 and 2024. Samsung engineers pasted source code into ChatGPT. Apple banned AI tools enterprise-wide. Security researchers showed how IDE context windows silently include credentials from adjacent files.

Most enterprise security teams treated these as edge cases — bugs in developer judgment, not structural vulnerabilities.

2025 changed that framing entirely. What we saw across the industry was not a wave of mistakes by careless engineers. It was systematic, predictable code exposure driven by the design of AI coding tools themselves.

Here are the five incident patterns that defined AI security in 2025, and precisely how Pretense stops each one.

Incident 1: The Context Window Credential Sweep

**The pattern.** A developer uses Cursor or Claude Code to refactor a service. The IDE automatically includes several adjacent files in the context window — standard behavior for LLM-aware editors. One of those files contains a hardcoded API key from local development, left in place because it was supposed to be gitignored.

The key is transmitted to the LLM provider. If the provider stores prompt history (and in 2025, most did by default), the key now lives in a third-party system — potentially accessible under subpoena, data breach, or insider threat.

**Why it kept happening in 2025.** Cyberhaven's research found that 11% of data developers paste into AI tools is sensitive. For IDEs that automatically build context from the filesystem, the percentage is higher still because developers never see what is being transmitted.

**How Pretense stops it.** Pretense's secrets scanner uses 47 regex patterns covering every major credential format: AWS access keys, Stripe secrets, Anthropic/OpenAI API keys, GitHub PATs, database connection strings, PEM private keys. Every API call is scanned before forwarding. Anything matching a secret pattern is blocked at the proxy layer — the call fails with a clear error before the credential touches an external system.

bash
[pretense] Intercepted POST /v1/messages
[pretense] SECRET DETECTED: aws_access_key (confidence: 99.8%)
[pretense] BLOCKED — credential not transmitted
[pretense] Error returned to client: 403 Forbidden (secret detected)

The developer sees a clear failure. The credential is not sent. The audit log records the blocked event with timestamp, developer identity, and pattern match.

Incident 2: The Proprietary Algorithm Inference Attack

**The pattern.** A financial services company's ML team uses Claude Code to optimize their pricing model. The code includes actual variable names from their risk-scoring algorithm — a genuine competitive advantage. Claude does not need the algorithm explained. From variable names like `computeRiskBand`, `liquidityAdjFactor`, `historicalDefaultWeight` — an informed adversary with prompt log access can reconstruct core logic.

**How Pretense stops it.** Mutation is the core innovation. Pretense replaces proprietary identifiers before the prompt leaves the machine.

Before (what the developer wrote):

After mutation (what Claude actually receives): _fn8c3d(_v2a9f, _v4b1e) ```

The function still exists. The call graph is intact. Claude can still refactor and optimize. But `_fn8c3d` reveals nothing about what the function does. When Claude responds, Pretense reverses the mutation byte-for-byte. Zero latency to the developer. Zero IP exposure to the provider.

Incident 3: The Cursor Code Storage Revelation

**The pattern.** In early 2025, users of popular AI coding editors discovered that conversation histories — including code snippets — were being retained on provider servers. This was technically in the terms of service, but the operational reality had not been surfaced to the security teams approving these tools.

**The audit problem.** When security teams tried to assess exposure — "what code from our codebase is stored in the AI provider's systems?" — they had no answer. No logs. No mutation maps. No record of what identifiers had been transmitted. The exposure was real but unmeasurable, which is often worse than a quantified breach from a compliance standpoint.

**How Pretense stops it.** Three layers of protection:

1. **Mutation** — real identifiers replaced with synthetics. Even if the provider stores the conversation, they store `_fn8c3d`, not `computeRiskBand`. 2. **Audit log** — every transmission is recorded with metadata: timestamp, model, mutation count, secrets blocked. 3. **Mutation map** — the mapping between real and synthetic identifiers is stored locally. If you need to know what was sent in the past 90 days, the map answers that question with complete precision.

Incident 4: The Enterprise Architecture Exposure at Scale

**The pattern.** At Fortune 500 scale: dozens of teams, hundreds of services, thousands of developers, each making hundreds of AI API calls per day. The aggregate creates a comprehensive map of the entire architecture — transmitted daily to external providers with no inventory of what has been shared.

**How Pretense stops it.** In Pro and Enterprise, mutation maps are shared across teams. Every identifier from every service is mutated with the same deterministic algorithm: the same real name always produces the same synthetic name across all machines. An adversary who could read AI provider logs would see a consistent synthetic namespace with no relationship to the real architecture — and no way to reconstruct it.

Enterprise deployments run the proxy on-premises. The AI provider receives only mutations.

Incident 5: The Claude Code MCP Server Attack Surface

**The pattern.** Claude Code's MCP (Model Context Protocol) capabilities, widely adopted in 2025, allow AI agents to read files and interact with development environments. Security researchers documented that MCP configurations, when not carefully scoped, could allow the AI model to read files beyond intended context — including credential files, environment configurations, and CI/CD secrets.

A developer might have `~/.aws/credentials`, `.env`, and `id_rsa` all accessible on their machine. With broad MCP permissions, these enter the model context via file-read operations — not because the developer pasted them, but because the AI agent accessed them while trying to be helpful.

**How Pretense stops it.** Pretense integrates directly with Claude Code via hook configuration:

json
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": ".*",
        "hooks": [{ "type": "command", "command": "pretense scan --hook" }]
      }
    ]
  }
}

The hook scans the full prompt context — including content that MCP servers have read into the context window — for secrets and proprietary identifiers before transmission. This is the difference between scanning what the developer typed and scanning what the AI agent assembled.

The Common Thread

Five different incident patterns. One structural cause: AI coding tools were designed to be maximally helpful, which means maximally including context. Security tools designed for a previous era of explicit user actions were not built for systems that silently and automatically aggregate context from the developer's environment.

The security response has to match the attack surface:

1. **Scan what actually gets transmitted**, not what the developer thinks they are sending 2. **Mutation, not redaction** — so LLM output quality is preserved while identifiers are protected 3. **Local audit logs** — because you cannot answer an audit question about data you never logged 4. **Proxy architecture** — because you cannot enforce controls on traffic you do not intercept

Every incident pattern above has a direct Pretense control. None require changing how developers work.

What 2026 Will Look Like Without Controls

AI coding tool adoption continues to accelerate. Claude Code, Cursor, and GitHub Copilot are growing at rates that put them in the hands of every developer at most engineering organizations within 12-18 months.

The organizations that will be writing incident post-mortems in 2026 are the ones that treated AI tool security as a developer education problem in 2025.

The organizations that will be writing compliance attestations and passing AI-specific SOC 2 controls are the ones that deployed technical controls in 2025, before the incident occurred.

The 30-second deploy is not marketing copy. Pretense Pro is a single proxy configuration. The audit log starts immediately.

[Deploy Pretense Free — 30 seconds, no credit card](/early-access)

Share this article

Share on XShare on LinkedIn
Get Started with Pretense →More Articles
Ask me anything