Cursor shipped something quietly important on April 30: Security Review, now in beta for Teams and Enterprise plans. Two always-on agents, Security Reviewer and Vulnerability Scanner, are live and scanning your AI-assisted code right now — if you've enabled them. If you haven't, you're flying blind into the most dangerous moment in enterprise AI history. This isn't a minor changelog item. It's Cursor acknowledging a threat that the broader industry has been slow to confront head-on: AI coding tools don't just write vulnerable code, they can be weaponized against the very engineers using them. The Security Review beta is the first embedded, always-on response to that threat built directly into a mainstream coding IDE. Here's why that matters, and exactly what you need to do about it.

The numbers behind this release are genuinely alarming. 96% of enterprises are running AI agents in production, but only 12% manage them centrally. That 84-point gap is the attack surface. Thousands of autonomous agents operating without centralized oversight, each one a potential vector for prompt injection, data exfiltration, or supply chain compromise.

The speed of exploitation has accelerated to a degree that should recalibrate your risk models entirely. Prompt injection attacks using hidden web commands have compressed their attack window from five months in 2023 to just ten hours as of 2026. Think about what that means operationally: your team merges a PR on Monday morning, and by Monday afternoon an attacker who embedded a malicious instruction in a dependency or documentation page has already moved laterally through your agent's context window.

Traditional AppSec tooling wasn't built for this. Static analysis catches what's in the code. It doesn't catch what's in the prompt. That's the gap Cursor is now explicitly trying to close.

Cursor's implementation deploys two distinct agents running continuously in the background for Teams and Enterprise subscribers. Security Reviewer analyzes the code being generated and modified during your AI-assisted sessions, flagging patterns consistent with injection attempts, suspicious completions, or outputs that deviate from what you'd expect given the surrounding context. Think of it as a second pair of eyes specifically trained to ask: "Did the AI just do something it wasn't asked to do?" Vulnerability Scanner operates at the code level, catching the classic categories — SQL injection, insecure deserialization, exposed secrets, improper authentication flows — but with awareness of how AI generation patterns introduce vulnerabilities that differ structurally from human-written bugs. AI-generated code tends to fail in clusters. A model that misunderstands your auth context will misunderstand it consistently across every file it touches. The scanner is calibrated to find those systematic errors, not just one-off mistakes. Both agents are opt-in during beta but designed to run always-on once enabled. The workflow change is minimal: you're not adding a step, you're adding a layer. That's the right design choice.

The competitive framing here is worth unpacking carefully, because the landscape is moving fast. Cursor is playing a specific angle: embedded security at the point of generation. The thesis is that the cheapest place to catch a vulnerability is before it exists in a committed codebase, inside the tool where the code is being written. That's a defensible position and one that GitHub Copilot hasn't matched yet. Copilot's security features remain largely advisory, surfacing CVEs in dependencies rather than analyzing the live generation context. Claude's security beta, announced around the same time, operates at the model-interaction layer rather than the IDE layer. It's a broader surface but a shallower one for coding-specific threats. Claude Security is well-suited for detecting prompt injection in customer-facing agents. Cursor's Security Review is better suited for catching what happens when your AI coding tool gets fed a poisoned context from a malicious README or compromised package documentation.

The honest caveat: purpose-built agent firewall startups are moving faster on the architectural layer. Companies like Protect AI and emerging players in the agent security space are building infrastructure that sits between your agents and the outside world, enforcing policy at the network and context level rather than the application level. Cursor's embedded agents are valuable, but they're not a firewall. If an attacker can reach your agent's context window, Security Reviewer is your last line of defense, not your first.

The table below summarizes where the major players stand:

If you're on Cursor Teams or Enterprise, there is no legitimate reason to wait. The Security Review beta is non-disruptive by design, the attack windows are measured in hours, and the cost of being the team that discovered the gap the hard way is too high. Enable both agents this week. The process is straightforward through the Cursor dashboard under your plan settings. Beta means some rough edges in the UX, not that the underlying detection is experimental.

Cursor's Security Review covers the generation layer. You still need:

The 88% of enterprises without centralized agent management need to solve that problem independently of whatever their coding tools offer. Cursor can't see what's happening in your Slack integrations, your customer support agents, or your internal knowledge base tools.

Most engineering leaders still mentally categorize prompt injection as an edge case, a clever research demo rather than a production threat. The five-month-to-ten-hour compression of attack windows should permanently retire that framing. Hidden web command hijacks work because AI agents are increasingly trusted to browse, retrieve, and act on information from sources outside your control. A compromised documentation page, a malicious Stack Overflow answer appearing in a search result, a poisoned package README: any of these can now carry instructions that redirect your agent's behavior within hours of being published. Your threat model needs to treat every external source your AI agents can read as potentially adversarial.

There's a necessary tension to acknowledge here. An always-on agent that analyzes your code generation sessions has access to exactly the data you most want to protect: your architecture, your business logic, your security patterns, and now explicitly your vulnerabilities. Cursor has published trust and privacy documentation, but enterprise teams should verify their data residency settings and confirm whether Security Review telemetry is processed locally or shipped to Cursor's infrastructure. For teams in regulated industries, this is a due diligence item before you enable beta features, not after.

Here's the strategic implication that most CTOs are underweighting: the teams that will navigate this threat landscape aren't the ones with the most engineers. They're the ones with engineers who understand how AI agents fail, how prompt injection works mechanically, and how to build systems that treat AI outputs as untrusted by default.

The AI-native engineer isn't just someone who uses Copilot or Cursor fluently. It's someone who can reason about the security properties of an AI-assisted codebase the same way a strong security engineer reasons about a distributed system. Those engineers are scarce. They're not on most resumes because the discipline barely existed 18 months ago. And traditional hiring platforms have no way to identify them because they're screening for historical credentials, not for the capability to work securely and productively in an AI-augmented environment.

The attack surface isn't going to shrink. The agents aren't going back in the box. The question is whether your team has the engineering judgment to use them without handing attackers a ten-hour window every time a dependency gets updated.

The release of Security Review is a signal, not a solution. It tells you that the most widely-used AI coding tool in enterprise engineering has concluded that prompt injection and AI-specific vulnerabilities are real, present, and serious enough to warrant always-on detection baked into the product itself. That's the industry acknowledging the threat is here. Now the question is whether your security posture is moving at the speed of the attackers, or still catching up to where the threats were five months ago.