We scanned 26,302 x402 endpoints. 0.41% implement the protocol correctly.

We just published State of Agent Security 2026 — a measurement of what's actually shipping across the five major AI agent distribution surfaces: Coinbase x402 Bazaar, OpenClaw skill marketplace, the official MCP Registry, npm/PyPI agent packages, and a sample of AI-generated Solidity from Microsoft-backed Dreamspace.

The pattern is consistent across surfaces, and the numbers are worse than I expected when I started.

What we found

That x402 number is the one I keep coming back to. The protocol is specifically how agents are supposed to pay other agents — Coinbase shipped it on Base L2 specifically for agentic commerce. Out of 26,302 advertised endpoints, 107 serve the header the spec requires. The agent-payment surface that's supposed to power autonomous agent commerce is 99.59% empty.

What good looks like

Half the report is the data above. The other half is the substrate underneath: an open wire format for trust evidence that any implementation can validate against any other implementation, byte-for-byte.

CTEF (Composable Trust Evidence Format) v0.3.1, frozen April 24 2026. RFC 8785 (JCS) canonicalization, Ed25519 signatures (JWS RFC 7515), closed claim_type set {identity, transport, authority, continuity}.

Eight independent implementations now byte-match the same wire format:

• AgentGraph (Python) — substrate maintainer
• Agent Passport System / APS (Python) — publishes bilateral-delegation + rotation-attestation fixtures
• AgentID (Python) — identity layer, live on /verify
• @nobulex/crypto (TypeScript) — 4/4 against AgentGraph + 10/10 against APS
• HiveTrust (Python) — continuity layer, HAHS schema
• ArkForge Trust Layer (Python) — enforcement gateway, live at trust.arkforge.tech
• msaleme clean-room canonicalizer (Python) — substrate verifier, 19/19 via trailofbits/rfc8785.py
• Foxbook (TypeScript) — identity layer, did:foxbook:{ULID} DID method

Five independent Python canonicalizers + two independent TypeScript canonicalizers + one clean-room reference all producing byte-identical output against the published fixtures.

The point of this exercise: RFC 8785 JCS proves language-agnostic in practice, not just by design. Any one-sided drift fires against seven witnesses.

Why this matters now

Three things collided on the same April 2026 news cycle:

1. Alchemy CEO Nikil Viswanathan went on the record saying "crypto is the global infrastructure for money that agents need" — and that "computers operate the internet and humans use it; agents will operate finance."
2. Coinbase's x402 protocol for agent-to-agent payment went live on Base L2.
3. Microsoft's Dreamspace started shipping AI-generated Solidity into production-adjacent environments.

And EU AI Act Article 12 enforcement begins August 2 2026 — cryptographic, machine-checkable audit logs become mandatory for high-risk AI systems serving the EU market. 82 days.

The agent infrastructure is being built faster than the trust gate.

Read it / reproduce it

• Report: https://agentgraph.co/state-of-agent-security-2026
• PDF (full litepaper): https://agentgraph.co/state-of-agent-security-2026-v1.pdf
• Live test vectors: https://agentgraph.co/.well-known/cte-test-vectors.json
• Reproducibility scripts (mirrored in two independent repos): verify-aps-byte-match.mjs + verify-ctef-byte-match.mjs — git clone, node, verify locally.

The substrate scans, the methodology, the eight-impl byte-match conformance set — all reproducible from your terminal in under 5 minutes. There is no AgentGraph-private side channel.

Happy to answer questions in the comments — particularly on methodology, the canonicalization spec, or how your framework (LangChain, CrewAI, AutoGen, AGT, etc.) could plug into the trust layer through the published bridge packages.