09 · FRAMEWORKS & STANDARDS
Frameworks & standards: the source publications Helmwart interprets
Six core taxonomy and framework publications are explained here. OWASP Threats & Mitigations v1.1 owns T1–T17; Helmwart normalizes the MAS Guide's scenario-scoped extensions into stable internal navigation entries and retains the renumbered RPA source IDs as labels. Supporting NIST, CISA, and other control references are catalogued on the Sources page.
04A OWASP Agentic AI: Threats & Mitigations
Agentic AI: Threats and Mitigations v1.1 (Dec 2025) owns T1–T17. The older MAS Threat Modelling Guide v1.0 (Apr 2025) publishes scenario-specific extended threats and reuses some identifiers across its worked systems. Helmwart presents stable entries as T18–T49 and displays the RPA guide entries originally numbered T16/T17 as T48/T49. This merged numbering is Helmwart's normalization, not an OWASP-issued master catalog.
49 threats grouped by the v1.1 Decision Path. Each step lists base T1–T17 threats and the MAS Guide extensions that build on them. Cards carry MAESTRO layer, agentic factor, ATLAS technique, and mitigation chips.
04B OWASP Top 10 for Agentic Applications 2026
A separate OWASP publication ("ASI Top 10", v2026, December 2025) that surfaces ten agentic risks in the standard OWASP Top 10 format. Its Appendix A links into OWASP threat material; Helmwart additionally shows related normalized MAS scenarios as editorial cross-references. Use it as a fast on-ramp; use the T-catalog when you need detail.
An attacker manipulates an agent's objective, task selection, or decision pathway (via injected prompts, deceptive tool outputs, forged peer messages, or poisoned retrieval data) so that the agent pursues the attacker's goal rather than the operator's.
An agent applies authorised tools in ways its operator did not intend, driven by prompt injection, misaligned reasoning, or manipulated tool outputs.
When an agent acts on a user's behalf it inherits that user's credentials and permissions for the duration of the task.
Third-party components that agents depend on (models, MCP servers, plug-ins, datasets, peer-agent descriptors, and update channels) may be malicious, compromised post-approval, or tampered with in transit.
In an agentic system, code generation and code execution happen in the same turn: the model emits an instruction and a tool runs it, with no human review step between.
An adversary writes malicious or misleading data into an agent's persistent memory or shared vector store, so that every future session, and every peer agent reading from the same store, operates on corrupted context.
Agents in a multi-agent system pass instructions, results, and context to one another across APIs, message buses, and shared state.
A single low-severity fault (a hallucinated value, a corrupted tool output, a poisoned memory entry) propagates across a network of agents that each build on the last agent's output, compounding into system-wide harm that is disproportionate to the original defect.
Adversaries exploit the tendency of humans to trust fluent, authoritative-sounding agents: an agent presents plausible justification for a harmful action, the human approves it, and the resulting audit trail reads as deliberate human authorisation.
A rogue agent is one whose behavioural objective has drifted from its authorised purpose, yet its identity still checks out, its actions remain inside its permissions, and its logs look clean.
Source: OWASP Top 10 for Agentic Applications 2026. Side-by-side explainer: DeepTeam framework summary.
04C OWASP LLM Top 10 for LLM Applications 2025
The OWASP LLM Top 10 (2025) ranks the highest-impact risks for LLM-based applications. It predates agentic systems but stays load-bearing: every agent runs on an LLM, so every LLM Top 10 risk surfaces in the agent loop with a different blast radius. Each card links to the Helmwart "in agentic systems" page, where the OWASP definition is preserved and the agentic delta is added.
User or indirect prompts override model instructions, redirecting its behaviour.
LLM outputs expose confidential data from training or context windows.
Compromised models, datasets, plugins, or integrations poison the LLM pipeline.
Training or fine-tuning data is manipulated to embed backdoors or biases.
Unsanitised LLM outputs reach downstream systems and enable injection attacks.
Agents are granted more permissions or autonomy than the task requires.
Confidential system prompt contents are revealed through model responses.
Flaws in vector stores and embeddings enable poisoning and data extraction.
LLMs produce plausible but false outputs that propagate as trusted facts.
Excessive or uncontrolled resource use leads to denial of service and cost runaway.
Source: OWASP LLM Top 10 for LLM Applications 2025.
04D MAESTRO: seven layers + cross-layer
MAESTRO (OWASP, v1.0 Apr 2025) decomposes an agentic system into seven architectural layers (L1–L7) plus a Cross-Layer category for emergent multi-agent failures. Each card shows the layer's scope, how many catalog threats touch it, and example T-numbers. Open a card for the full layer prose.
The LLMs themselves: weights, training data, alignment.
Vector stores, RAG corpora, training pipelines, ingest.
Orchestration, planning, reflection, tool routing.
Sandboxes, runtimes, network egress, secrets.
Logs, traces, evals, post-hoc audit.
Identity, policy, regulated-data boundaries, HITL.
A2A protocol, MCP, peer agents, third-party tools.
Emergent failures that only exist between layers, not modellable inside any one.
Full MAESTRO reference: seven-layer overview with per-layer prose.
04E MAS Threat Modelling Guide
The OWASP MAS Guide v1.0 (Apr 2025) is the older companion publication containing multi-agent scenario threats that Helmwart normalizes as T18–T49. Because the source guide reuses some IDs between worked systems, this site provides stable navigation entries rather than claiming a one-to-one OWASP catalog. The renumbered RPA source entries T16 and T17 are displayed as Helmwart T48 and T49 with their source IDs alongside them.
Layer-grouped browse of the MAS Guide threats, each linking to its detail page with the base v1.1 threat it extends. Use this when you want layer-first reading rather than Decision-Path-first.
04F MITRE ATLAS
ATLAS is MITRE's adversary-techniques knowledge base for AI systems. Helmwart surfaces ATLAS IDs on threat cards where a clean mapping exists, so detection engineers can move from a Helmwart finding to TTP-level indicators. It is not part of the OWASP source material; the MAESTRO guide briefly discusses how the two compose.
AML.T#### technique IDs across reconnaissance, initial access, model evasion, exfiltration, and impact. Helmwart maps a threat to ATLAS only where the upstream document or our editorial review supports the link; uncertain cases are left empty rather than fabricated.