Snyk acquires Invariant Labs — what it means for agentic AI security infrastructure
The security research canon for MCP and agentic systems joins Snyk's developer security platform. What the research contributed to the field and what happens to the open-source toolchain.
Snyk announced the acquisition of Invariant Labs on June 24, 2025. The announcement phrase: "deepens Snyk's research bench." This is how I've seen the best acqui-hires described — the product matters, but the research pipeline that will produce the next product matters more.
What Invariant built in two years
Invariant's published work from July 2024 to June 2025 forms the most coherent body of empirical research on agentic AI security I know of:
- The ICML 2024 formal security paper established that deterministic policy evaluation over agent traces is achievable and demonstrably more reliable than probabilistic model-based safety.
- AgentDojo (NeurIPS 2024) showed that utility and security trade off in measurable ways across current models — and that the trade-off needs to be explicitly managed, not assumed away.
- The CTF series (Summer + Autumn 2024) produced the first large-scale empirical dataset of adversarial attacks against production-style agent architectures.
- MCP-Scan, Guardrails, and Gateway (April 2025) turned the research into operational infrastructure that any team can deploy.
- The GitHub MCP disclosure (May 2025) proved that indirect prompt injection through trusted tool outputs is practical against current frontier models.
The conceptual contribution that persists
Beyond the tools, Invariant's most important contribution is a conceptual framework. Agent security is a dataflow problem, not a content filtering problem. The danger is not in any individual message but in sequences of actions — what Invariant calls toxic agent flows. Defences must be sequence-aware. Policies must operate over traces, not over individual messages. Formal guarantees require moving enforcement outside the model into deterministic infrastructure.
These ideas will influence how the field builds security infrastructure for agentic systems regardless of what happens to Invariant's specific products.
Open source continuity
MCP-Scan, AgentDojo, and the Invariant SDK were published under open-source licences before the acquisition. Snyk has a history of maintaining open-source projects it acquires. The tools should remain available.
What it means for Genie
Genie's governance architecture — the CompositePolicy, the bus-layer injection checking, the dataflow rules, the deterministic evaluation before any agent action — was built on the same architectural intuitions that Invariant's research formalised. The acquisition validates the direction rather than changing it.
Snyk's platform already secures developer code, open-source dependencies, containers, and infrastructure. Adding MCP and agentic security is a natural extension. The timing makes sense: MCP adoption crossed from early-adopter to mainstream in the first half of 2025, and the attack surface the Invariant team documented was becoming widely visible at exactly the same moment.