The identity problem for AI agents has been visible for over a year. When an autonomous agent reads email, executes code, moves money, or signs a contract on behalf of a human operator, the system receiving that action has no reliable way to verify who authorized it, what scope that agent was granted, or whether its instructions have been tampered with in transit. Multi-session prompt injection attacks documented across production deployments in early 2026 ran straight through it.
Lyrie.ai, built by Dubai-founded OTT Cybersecurity LLC, exited stealth on May 11, 2026 with two announcements: a public release of the Agent Trust Protocol (ATP), described as the first open cryptographic standard for AI agent identity verification, and acceptance into the inaugural cohort of Anthropic's Cyber Verification Program (CVP). A $2 million pre-seed round accompanied the exit. The announcements arrived via wire services and appeared in trade publications including CIO.com, CSO Online, DevOps.com, and Network World, primarily through paid distribution channels.
Dubai makes sense as a founding address for a company working at the intersection of AI and security infrastructure. Saudi Arabia's Public Investment Fund has committed $40 billion toward AI. The UAE is building a 5-gigawatt AI campus in Abu Dhabi, the largest outside the United States, anchored by partnerships with OpenAI, Oracle, and Nvidia. Technology spending across the Middle East and North Africa is projected to reach $169 billion in 2026. Construction is underway. That capital deployment creates demand for agentic security tooling and a regulatory appetite for open standards governments can vet on their own terms. A royalty-free, IETF-bound identity protocol for AI agents fits both requirements.
The milestones raise a precise question: does an open protocol proposal from a newly public, pre-seed company represent a genuine infrastructure contribution, or is the IETF trajectory and CVP badge doing the positioning work that revenue and adoption cannot yet provide?
What the Agent Trust Protocol Actually Specifies
ATP is organized around five cryptographic primitives: Identity (who the agent is), Scope (what it is authorized to do), Attestation (whether the agent or its instructions have been tampered with), Delegation (who delegated authority), and Revocation (whether that authority has been withdrawn). The reference implementation is published under an MIT license on GitHub under the OTT-Cybersecurity-LLC organization. IETF submission is pending.
"Every AI agent on the internet today is a stranger. You don't know who it is, what it's authorized to do, or whether it's been tampered with. ATP is the protocol that changes that."
What the announcement does not address is the adoption mechanism. IETF standards require working group formation, multiple implementation interoperability testing, and sustained community engagement. Submission is the first step in a process that typically runs two to five years. Read the positioning with that clock in mind.
The five primitives address the same class of problem my recent post on Cisco's agentic security framework covered from a different angle: multi-session attacks succeed more than 90 percent of the time against production AI agents because current guardrails were designed for single-session threat models. ATP works at the identity and authorization layer; Cisco's approach works at detection and response. A stack that has both is more defensible than one that has either.
CVP Acceptance: What the Credential Actually Confers
Anthropic's Cyber Verification Program is a free, application-based framework that allows verified dual-use cybersecurity operators to access capabilities blocked by default for general users. CVP acceptance removes those friction points for vulnerability researchers, red-team operators, and offensive security tooling builders working on authorized engagements. The credential grants operational access. It says nothing about a vendor's architecture or commercial relationship with Anthropic.
For Lyrie specifically, CVP membership enables adversarial testing workflows including Greedy Coordinate Gradient (GCG) and AutoDAN attack chains against Claude's infrastructure, along with Crescendo and Tree of Attacks with Pruning (TAP) sequences run on GPU-accelerated infrastructure. Lyrie's red-team work on Claude can proceed without the safeguard interruptions that non-verified operators routinely encounter.
CVP approval is tied to the specific organization identifier. A researcher approved under a company workspace will still hit blocks in a personal one. Organizations on Zero Data Retention agreements are not currently eligible. The program is not yet available on Amazon Bedrock or Google Vertex. For a company positioning itself as foundational security infrastructure for the AI era, those deployment surface limits matter when evaluating whether CVP membership translates into enterprise sales credibility.
The Platform Capabilities and the Business Model Question
Lyrie Hack, the platform's flagship feature, runs a seven-phase autonomous penetration test from a single command, generating proof-of-concept exploits and code-level remediation guidance. Zero-day threat monitoring claims real-time tracking across global enterprise infrastructure. The OWASP Agentic Security Initiative 2026 alignment gives the platform a standards-based compliance hook that procurement teams in regulated industries will find useful.
Lyrie's platform is positioned as unified offensive and defensive, a structurally different bet than the point-solution vendors competing for the agentic security budget. Palo Alto Networks' Prisma AIRS 3.0, announced at RSA Conference 2026, and Cisco's Galileo acquisition, an AI agent observability platform announced in April 2026, are both coming from established platform positions with existing enterprise relationships. Lyrie is entering from the protocol layer up, a longer sales cycle but a defensible position if ATP achieves adoption.
At $2 million, the pre-seed covers early engineering and go-to-market, with enterprise integration, compliance certification, and the sales cycles that follow still ahead of it.
The Open Standard as Positioning Strategy
Open the standard, build community, monetize the managed service and enterprise implementation on top. Anthropic ran this play in December 2025, donating the Model Context Protocol to the Agentic AI Foundation, a directed fund under the Linux Foundation, to keep the protocol neutral and community-governed. ATP applies the same structure to agent identity. The company that authors the spec becomes the reference implementation authority, and every adopter is a distribution channel.
That leverage only materializes with adoption. An IETF-bound standard with one reference implementation and no published adopters has not crossed the line yet. That crossing happens when a second and third implementer build against the spec independently.
Nothing in the announcement describes existing integrations, enterprise pilots, or commitments from other vendors to build against ATP. A company that exited stealth the same day it published the protocol would not have that list yet. Six months from now is when that question has teeth.
Lyrie.ai is making a protocol-layer bet: that the agentic security market consolidates around the company that defines the identity and authorization standard, rather than the one that ships the largest platform. CVP membership provides real operational capability for authorized offensive research. The $2 million pre-seed and day-one stealth exit put market traction on the roadmap.
Before evaluating Lyrie as a security infrastructure vendor, ask this: who else is building against the Agent Trust Protocol spec today, and what is the IETF working group timeline? That list, or its absence, tells you what you are actually buying.
