Skip to content
Blog

Research insights

Notes, measurements, and analysis from the team measuring the agentic web.

Research

Long-form measurement & analysis

Citable empirical writing grounded in our live index data. Each post carries inline sources + a BibTeX block.

Research · Payments

What x402 going multichain looks like in the on-chain numbers

x402 launched on Base in May 2025 and expanded to Solana, Polygon, Avalanche, Sei, and Ethereum mainnet by April 2026. After three months of running a chain-aware revenue scanner across the full asset list, the distribution is sharper than the announcement implied.

Read research
Standards

A2A v1.0 §8.4 in practice: 1,211 alive agents, 8 % signed

A2A v1.0 §8.4 standardizes JWS-signed Agent Cards. Of the 1,211 agents we currently observe responding to JSON-RPC, 97 publish a signature. Why the cryptographic-trust feature is shipped in spec but mostly absent in production, and which sources do and do not adopt it.

Identity

eIDAS 2.0 mandate credentials and the agent-delegation problem

The EU Digital Identity Wallet ships a representation credential type — 'X is authorized to act on behalf of Y' — that is structurally identical to what an autonomous agent needs to prove. The credential pattern is already drafted in the EUDI Architecture and Reference Framework v2.8. Whether it lands as agent-readable infrastructure is now a presentation-protocol question, not an identity question.

MCP

Federation overlap: counting Smithery, a2aregistry, Glama, and friends

Eight months of crawling every public agent / MCP registry produces an overlap matrix. The diagonal is mostly empty: registries advertise federation but few publish the same agent. The implications for trust, deduplication, and registry-of-registries are uncomfortable for all parties involved.

Notes

From the team

MCP

19 typosquatted npm packages, one new attack surface: the AI agent's MCP configuration

Mini Shai-Hulud (May 12) compromised 160+ packages including TanStack, Mistral AI, and UiPath. SANDWORM_MODE shipped 19 typosquatted AI-coding packages. The April 4 MCP Connector Poisoning disclosure named the new payload: a rogue MCP server injected into the agent's IDE configuration. No agent-side exploit required — the trust model breaks at step 5.

Read post
Payments

Identity verification has to be cheaper than the average x402 payment. It isn't yet.

x402 has processed 165 million payments averaging about $0.30 each. Per-transaction identity verification has to fit under that ceiling, which it doesn't, and which the May 2026 cloud-provider adoptions make urgent.

MCP

What Uber had to build before it could run 1,500 agents in production

Uber's MCP Dev Summit talk got read as a 1,500-agent story. The interesting number is 10,000 — the internal services those agents reach through a centralized MCP gateway that did most of the load-bearing work.

MCP

The MCP spec requires Origin validation. Google's MCP server doesn't. It's been seven months.

Jonathan Leitschuh disclosed a DNS-rebinding flaw in Google's official MCP database server on October 14, 2025. The MCP spec is unambiguous about requiring Origin header validation. The reference SDK ships it. Google's implementation does not, seven months later.

Identity

Goose runs entirely on your machine. That changes what 'agent trust' means.

Goose is the only AAIF anchor project whose default operating mode runs entirely on the user's machine. The trust boundary distributed across vendor, registry, and remote tool collapses into the OS the user already trusts. The inversion is a different trust model, not a UX preference.

MCP

Most agent protocols ship on HTTP. SLIM bets the transport itself has to change.

AGNTCY's SLIM protocol (IETF draft, February 24, 2026) sits below A2A and MCP as a transport layer. It adds publish-subscribe and MLS end-to-end encryption that survives intermediate hops. The bet is that agent networks need a transport HTTP plus TLS cannot provide.

Identity

AGNTCY and AAIF: two Linux Foundation projects, two different bets on the agent stack

Both AGNTCY and AAIF live under the Linux Foundation. Both cover discovery, identity, and observability. They aren't the same project — they're two structurally different bets on whether the agent stack standardizes from the substrate up or from the popular projects down.

Note

AAIF picked up 170 members in four months. The question is what they're agreeing on.

The Agentic AI Foundation grew from 8 founding Platinum members to 170 total in its first four months. The growth is the demand signal; protocol convergence is the work that follows, and the gap between the two is what consumers of agent infrastructure will be reading.

MCP

Code Mode cuts MCP's token footprint by 99.9%. The trade-off is what 'tool' means.

Cloudflare's Project Think and Code Mode launches (April 15 and 16, 2026) cut the context footprint of a 2,500-endpoint MCP integration from 1.17 million tokens to roughly 1,000 by exposing two tools (search and execute) and running agent-written JavaScript in a V8 isolate. The architecture changes what 'MCP server' has to mean.

Research

Why agent capability keeps improving while reliability barely moves

Three arXiv preprints from January and February 2026 — Princeton, MAESTRO, ReliabilityBench — converge independently on the same finding: capability scales, reliability doesn't, and single-run benchmarks systematically miss the gap.

Note

Your agent's orchestration pattern matters more than the model behind it. Here's the data.

MAESTRO measured CRAG at 70.6% accuracy with $0.0010 per task and a tight latency distribution. Plan-and-Execute on comparable work: 48.3% accuracy, $0.0126 per task, latency IQR spanning an order of magnitude. Same backend models. The architecture decided everything.

Identity

Why agent telemetry has converged faster than agent identity

OpenTelemetry's GenAI Semantic Conventions formalize agent_run and tool_call as first-class spans. Datadog, New Relic, and 24+ observability platforms support them natively. The convention is still labeled 'Development'. Production has moved on.

MCP

Why reading the MCP spec won't tell you if a server is safe

Anthropic says MCP STDIO injection is by design; four independent scans of thousands of servers say a third have command-injection flaws. The two claims describe different objects.

Payments

The agent payments 'war' is actually a stack — and there's nothing at the bottom

x402, AP2, ACP, and Visa's TAP are described in the trade press as competing protocols. The primary specs say otherwise — they compose into layers. The interesting gap is the one no layer covers.

Standards

AGENTS.md is a convention, not a contract — and the difference is starting to matter

60,000 repos adopted AGENTS.md without a schema, signing, or validator. The same omissions that made adoption frictionless are the ones that come due as agents start to depend on what those files say.

Identity

What Certificate Transparency for the agent web would actually look like

Sigstore Rekor logs software signing. ERC-8004 logs on-chain identity. Merkle Tree Certificates are about to land in TLS. The agent web has every primitive needed to compose a Certificate-Transparency-style append-only log of card publications, probe results, and revocations, and none of the existing public registries is one.

Identity

Within 18 days, Google killed its pixel-level agent and Anthropic improved theirs

On April 16, Anthropic shipped Claude Opus 4.7 with 1:1 pixel-coordinate Computer Use and 3.75-megapixel vision support. On May 4, Google shut down Project Mariner and moved its features to API-first agents. Two of three frontier labs just publicly disagreed on what an agent should see, and the registry layer has nothing to say about the pixel-level branch yet.

Identity

Anthropic and OpenAI shipped agent memory this month. They picked opposite architectures.

On April 23 Anthropic put filesystem-backed memory for Claude Managed Agents into public beta. OpenAI's Agents SDK update shipped vector-database memory with project, user, and policy tiers. Two frontier labs, one goal, opposite shapes — and the registry layer has no language yet for the trust properties that distinguish them.

Field report

The cost of running an agent has five inputs. Only one of them is on the LLM rate card.

Claude Opus 4.7 and GPT-5.5 publish token rates. Production agent infrastructure analyses put those rates at roughly 38 percent of total spend — the other 62 percent is observability, orchestration, memory, and integration overhead that no public rate card describes. The largest variance in agent cost is architectural, not provider-driven.

Research

PromptArmor scores 99% on AgentDojo. AgentDyn says no defense works yet.

PromptArmor's sub-one-percent false-positive and false-negative rates on AgentDojo got the conference headlines. A five-months-later paper, AgentDyn, finds that no defense attains acceptable real-world performance against longer, more dynamic agent workloads. The gap between the two results is the actual state of the field.

Identity

A2A's Signed Agent Cards bind a card to a key. They don't bind the key to anyone.

A2A 1.0 named cryptographic identity verification as a headline feature. The spec text standardizes the JWS signature format and leaves the trust decision about the signing key to the verifier. The two are not the same thing.

MCP

Agent capabilities now ship in three layers. Most registries index only one.

Anthropic shipped Agent Skills in October 2025. Seven months later, every major coding agent reads the SKILL.md format. The result is a third layer in the agent capability stack — separate from MCP, separate from tool calls — that almost no public registry indexes today.

MCP

Anthropic packaged 10 finance agents from Skills, MCP, and subagents. The stack just got productized.

The May 6 release of 10 prebuilt finance agents for banks and insurers is the first major productization of the three-layer agent stack. Each agent is described as a composition of Skills, MCP connectors, and delegated Claude subagents, with the data integration layer pre-wired by Anthropic. Early adopters include BNY, Citadel, FIS, Carlyle, Mizuho, and Travelers.

Identity

ERC-8004 admits identity isn't enough. The rest of the agent web hasn't caught up.

ERC-8004's most architecturally honest sentence is in the EIP itself: identity registration does not prove capability. The standard then designs around that admission with three separate registries. Most agent registries hold the same property without naming it.

Identity

Europe's digital identity wallet ships in 2026. The agent case is in the next one.

Regulation (EU) 2024/1183 puts at least one government-issued EU Digital Identity Wallet in every Member State by 6 December 2026. The current Architecture and Reference Framework — v2.8.0 — explicitly removes the legal-person credential from scope and defers it to a separate 'European Business Wallet'. The credential pattern an agent acting on behalf of a company actually needs sits between the two.

Identity

Why we publish the funnel

The first post on the Agenstry blog — why a registry that hides its discovery funnel can't be trusted, and what we publish instead.

MCP

Five MCP registries publish five different server counts. Discovery is now the load-bearing problem.

Glama lists 21,000+ MCP servers, PulseMCP 11,840+, Smithery 7,000+, and the official AAIF registry a smaller curated subset. The numbers don't agree, the curation policies don't agree, and the discovery decision is now upstream of every consumer in the stack.