ATLAS
The connected threat map for agentic AI
The Atlas is the research behind every finding on the canvas: each threat wired to its mitigations, the design principles it implicates, and the OWASP Agentic, MAESTRO and MITRE ATLAS sources it comes from. Start with threats and mitigations, use primers and scenarios for context, and trace any finding back to where it came from.
If you're new, start here
- Read the introduction to learn why agentic AI is a new security problem, how attackers and defenders think about it, and how the rest of this handbook fits together.
- Read the primers for six short pieces that give you the vocabulary (agents, RAG, MCP, A2A, agentic factors, the lethal trifecta). Ten minutes covers them all.
- Skim the frameworks & standards to understand which publications own which T-numbers and how ASI01–ASI10 map onto the master threat catalog.
- Browse threats by severity using the severity filter to start with the highest-rated threats; each card names the MAESTRO layer and agentic factors that drive the risk.
- Read a case study for worked examples (RPA, ElizaOS, Anthropic MCP) that show how threats cluster in real architectures.
- Try the threat-model workflow, where the four-question wizard uses everything above to generate an audit-ready model for your own system.
New to the terminology? The glossary defines every term used across the Atlas in one place.
Threats: forty-nine
All 49 threats grouped by the OWASP v1.1 catalog's six-step Agentic Threat Decision Path. Each step shows base v1.1 threats (T1–T17) plus the multi-agent extensions from the OWASP MAS Guide (T18–T49). Every card is tagged with MAESTRO layers, agentic factors, and MITRE ATLAS techniques where a direct counterpart exists. Filter by severity, layer, or factor.
Mitigations: what you can actually deploy
66 structured mitigation entries tiered by maturity: Tier 1 production-canonical, Tier 2 real-composable, Tier 3 research-stage. Each entry lists the OWASP threat numbers it covers. Drop one onto the canvas to recompute residual risk live. Filter by tier, authoring status, or the threat numbers a control addresses.
Playbooks: proactive · reactive · detective
The six mitigation playbooks from OWASP Agentic AI v1.1, one per step of the Agentic Threat Decision Path. Each playbook contains Proactive (prevention), Reactive (response), and Detective (monitoring) actions, mapped onto the Helmwart mitigations that implement them.
Primers: vocabulary first
Short orientations covering Agents, RAG, MCP, A2A, Agentic Factors, and the Lethal Trifecta, for readers who need vocabulary before threat content makes sense. Each primer is intentionally narrow. Read these first if you're new.
Case studies: three worked threat models
End-to-end threat models from the OWASP MAS Guide: RPA Expense Reimbursement, ElizaOS (Web3 agent OS), and Anthropic MCP. Each study includes per-MAESTRO-layer system mapping, baseline OWASP threat numbers, 34 extended threats beyond T1–T17, cross-layer scenarios, and a matching canvas template.
HITL program: the escalation flow end-to-end
HITL is a pattern, not a threat. Six Helmwart mitigations participate. This page names the ten-step escalation flow that ties them into one program: confidence gate, moderation gate, tiered queue, and senior or dual-control review. It also surfaces the open gaps around HITL unavailability and feedback into agent calibration.
MAS threats: T18–T49 from the MAS Guide
Helmwart's 32-entry normalized extension catalog based on the OWASP MAS Threat Modelling Guide v1.0 (Apr 2025). The guide uses some IDs for different system-specific variants; Helmwart provides stable navigation entries and displays the RPA source entries T16 / T17 as T48 / T49 to avoid collisions with v1.1. Each entry maps onto MAESTRO layers and cross-references a closest v1.1 base threat where useful.
Principles: security design principles for agentic AI
The complete set of security design principles as they apply to autonomous agents: Zero Trust, least privilege, least agency, the lethal trifecta, fail-securely, confused-deputy, and more. Each has a plain definition, why it changes for agents, worked scenarios, failure modes, framework mappings, the controls that uphold it, and first steps to apply it.
Frameworks & standards: the publications we interpret
Six core taxonomy and framework publications define the threat-model structure here: two OWASP threat-model sources, two OWASP Top 10 awareness lists, the Cloud Security Alliance's MAESTRO framework as applied by the MAS Guide, and MITRE ATLAS as an external adversary-TTP knowledge base. Supporting control sources appear on the Sources page.
Deeper detail pages
Two deeper-detail pages that build on the nine sections above. Each is self-contained but assumes you have at least skimmed the relevant section.
Need a guided walk-through rather than a catalogue? Try the four-question threat-modelling workflow, or read the methodology & tools primer to see how Helmwart sits next to STRIDE-GPT, IriusRisk, ASTRIDE, and the rest of the 2026 landscape.