// case comparison

agent runaway vs cloud ATO

both surface as new OAuth grants and audit-log volume spikes in M365 or Google Workspace. cloud ATO is tenant-scoped policy abuse by an external actor who has taken over one or more accounts; agent runaway is an approved integration, running under its own credentials, acting outside its prompt scope. remediation diverges — revoke tenant consent and reset the compromised principals vs isolate the agent's credentials and stop the session.

primary tools · side by side

ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.

case b

cloud account compromise (M365 / Workspace)

tenant-level intrusion — OAuth grants, app consent abuse, mailbox rule planting, exchange transport rule tampering.

  1. office365 audit log analyzer: drop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
  2. microsoft 365 unified audit log analyzer: drop m365 unified audit log csv or json export · parse all audit events across exchange, sharepoint, teams, onedrive and azure ad · surface suspicious operations, privilege changes and data access events · reconstruct user activity timeline · runs locally
  3. o365 audit log parser: unified audit log json · timeline · suspicious · users · ips · mailbox · inbox rules · csv export · runs locally
  4. azure activity log analyzer: drop azure activity log json · operations timeline · rbac changes · vm events · security · network changes · runs locally
  5. saas overprivileged oauth scope detector: drop saas oauth grant export · detect excessive oauth scopes · runs locally
  6. microsoft defender cloud apps alert forensic analyzer: drop defender cloud apps alert export · parse app + user + risk · runs locally
  7. fatcousin saas audit export correlator: drop saas audit log csv exports · actor + resource cross-service timeline · runs locally
  8. microsoft account activity export forensic analyzer: drop microsoft account activity export · parse sign-in events · flag failed logins · mfa changes · csv/json export · runs locally

editorial overlap

4 tools mapped to both case types in the editorial taxonomy — useful when the investigation spans both surfaces.

lean toward…

disambiguation signals derived from case-type descriptions and common practitioner confusion points.

lean toward agent runaway if you see…

  • MCP tool-call graphs, agent persistence mechanisms, or prompt-vs-action divergence on a Copilot or custom-agent integration
  • lambda or eventbridge cron added by an agent runtime while the deploying operator was offline
  • tool-call trace ledger anchored to a single agent session, not a multi-account OAuth burst

lean toward cloud ATO if you see…

  • tenant-wide third-party app consent grant or exchange transport rule tampering by an external principal
  • azure activity or okta events spread across multiple users, with no agent execution traces or MCP tool-call records behind them
  • credential leak from a code repository correlated with cloudtrail IAM escalation — no agent runtime in the path
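the two lists above, and the flag set the first tool in the case b list advertises (inbox forward rules, transport rule changes, high-scope consent, global admin role adds, audit log disabled), reduce to a small amount of code over a unified audit log export. the block below is an added example for this page, not one of the listed tools. record shape mirrors a Search-UnifiedAuditLog / Purview export (AuditData carried as a JSON string); the AuditData field names are the real ones for the operations used, but every record is constructed sample data, and the agent tool-call ledger format (session_id, principal, ts, tool) is a hypothetical one assumed for the example. it flags events, attributes each flagged event to an agent session when the same principal made a tool call within a small tolerance of it, and then applies the lean rules: every finding tied to one session leans agent runaway; findings across several principals with no agent traces, or a consent burst across accounts, lean cloud ATO.

```python
"""Added example: triage an M365 unified audit log export and decide which case type the evidence leans
toward. Not a tool from the page. Record shape mirrors the Search-UnifiedAuditLog / Purview export
(AuditData is a JSON string); AuditData field names are the real ones for these operations, but every
record below is constructed. The agent tool-call ledger format is a hypothetical assumption."""
import json
from collections import Counter
from datetime import datetime, timedelta

HIGH_SCOPES = {"Mail.ReadWrite", "Mail.Read", "Files.ReadWrite.All",
               "Directory.ReadWrite.All", "full_access_as_app"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
BULK_DOWNLOADS = 50  # FileDownloaded events per user before it counts as bulk


def _audit(rec):
    """AuditData is a JSON string in CSV/JSON exports; accept an already-parsed dict too."""
    d = rec["AuditData"]
    return json.loads(d) if isinstance(d, str) else d


def _params(a):
    """Exchange cmdlet audits carry Parameters as [{"Name": .., "Value": ..}]."""
    return {p["Name"]: str(p.get("Value", "")) for p in a.get("Parameters", [])}


def flag_event(a):
    """Label one parsed AuditData record, or return None if nothing is suspicious."""
    op, mods = a.get("Operation", ""), a.get("ModifiedProperties", [])
    if op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox") and FORWARD_PARAMS & set(_params(a)):
        return "mailbox-forwarding"
    if op in ("New-TransportRule", "Set-TransportRule", "Remove-TransportRule"):
        return "transport-rule-tamper"
    if op == "Consent to application.":
        # ConsentAction.Permissions is a free-text rendering, so substring matching is deliberate
        text = " ".join(str(m.get("NewValue", "")) for m in mods)
        if "ConsentType: AllPrincipals" in text:
            return "tenant-wide-consent"
        if any(s in text for s in HIGH_SCOPES):
            return "high-scope-consent"
    if op == "Add member to role." and any(
            m.get("Name") == "Role.DisplayName" and m.get("NewValue") == "Global Administrator" for m in mods):
        return "global-admin-add"
    if op == "Set-AdminAuditLogConfig" and _params(a).get("UnifiedAuditLogIngestionEnabled") == "False":
        return "audit-log-disabled"
    return None


def triage(records, agent_ledger=(), window=timedelta(minutes=30), tolerance=timedelta(minutes=2)):
    """Flag events, attribute them to agent sessions, and decide which case type the export leans toward."""
    findings, downloads = [], Counter()
    for rec in records:
        a = _audit(rec)
        if a.get("Operation") == "FileDownloaded":
            downloads[a.get("UserId")] += 1
        label = flag_event(a)
        if label:
            findings.append({"time": datetime.fromisoformat(a["CreationTime"]),
                             "actor": a.get("UserId"), "label": label, "session": None})
    findings += [{"time": None, "actor": u, "label": "bulk-download", "session": None}
                 for u, n in downloads.items() if n >= BULK_DOWNLOADS]

    # a finding belongs to an agent session when the same principal made a ledger tool call
    # within `tolerance` of it (the "trace ledger anchored to a single agent session" signal)
    for f in findings:
        for call in agent_ledger:
            if f["time"] is not None and f["actor"] == call["principal"] and \
               abs(f["time"] - datetime.fromisoformat(call["ts"])) <= tolerance:
                f["session"] = call["session_id"]
                break
    sessions = {f["session"] for f in findings if f["session"]}
    attributed = sum(1 for f in findings if f["session"])

    # multi-account consent burst: distinct principals granting consent inside one window
    consent = sorted((f["time"], f["actor"]) for f in findings if f["label"].endswith("consent"))
    burst = max((len({u for t2, u in consent[i:] if t2 - t <= window})
                 for i, (t, _) in enumerate(consent)), default=0)
    actors = {f["actor"] for f in findings}

    if findings and attributed == len(findings) and len(sessions) == 1:
        lean = "agent-runaway"
    elif burst >= 2 or (findings and attributed == 0 and len(actors) >= 2):
        lean = "cloud-ato"
    else:
        lean = "undetermined"
    return {"lean": lean, "labels": Counter(f["label"] for f in findings),
            "distinct_actors": len(actors), "agent_sessions": sorted(sessions)}


def _rec(a):
    """Wrap a constructed AuditData dict the way the export does (JSON string in one column)."""
    return {"CreationDate": a["CreationTime"], "UserIds": a["UserId"],
            "Operations": a["Operation"], "AuditData": json.dumps(a)}


# constructed sample 1: external actor across three accounts, no agent traces
ATO_EXPORT = [
    _rec({"CreationTime": "2024-05-01T09:02:00", "UserId": "alice@contoso.com", "Operation": "New-InboxRule",
          "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "drop@attacker.example"}]}),
    _rec({"CreationTime": "2024-05-01T09:10:00", "UserId": "bob.admin@contoso.com", "Operation": "Consent to application.",
          "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
                                  "NewValue": "[] => [[ConsentType: AllPrincipals, Scope: Mail.ReadWrite offline_access]]"}]}),
    _rec({"CreationTime": "2024-05-01T09:15:00", "UserId": "carol@contoso.com", "Operation": "Set-TransportRule",
          "Parameters": [{"Name": "Identity", "Value": "Outbound DLP"}, {"Name": "Enabled", "Value": "False"}]}),
    _rec({"CreationTime": "2024-05-01T09:20:00", "UserId": "dave@contoso.com", "Operation": "MailItemsAccessed"}),
]

# constructed sample 2: one approved agent identity acting outside its prompt scope
AGENT_EXPORT = [
    _rec({"CreationTime": "2024-05-02T14:00:10", "UserId": "agent-sp@contoso.com", "Operation": "New-InboxRule",
          "Parameters": [{"Name": "ForwardTo", "Value": "summaries@contoso.com"}]}),
    _rec({"CreationTime": "2024-05-02T14:03:40", "UserId": "agent-sp@contoso.com", "Operation": "Add member to role.",
          "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]}),
]
AGENT_LEDGER = [  # hypothetical ledger format: one row per tool call, keyed by agent session
    {"session_id": "sess-7f3a", "principal": "agent-sp@contoso.com", "ts": "2024-05-02T14:00:00", "tool": "exchange.new_inbox_rule"},
    {"session_id": "sess-7f3a", "principal": "agent-sp@contoso.com", "ts": "2024-05-02T14:03:00", "tool": "graph.add_role_member"},
]

if __name__ == "__main__":
    print(triage(ATO_EXPORT)["lean"], triage(AGENT_EXPORT, AGENT_LEDGER)["lean"])
```

note the third outcome: the agent sample run without its ledger comes back undetermined, not cloud ATO. a single principal planting a forward rule and adding a global admin is suspicious either way, but without a tool-call ledger or a multi-account spread there is nothing in the export itself that separates the two case types, which is the point of the disambiguation list: pull the agent runtime's traces before deciding which remediation path to take.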