REFERENCE · UPSTREAM
Helmwart draws its base T1–T17 entries from the OWASP Agentic Security Initiative catalog and its normalized MAS scenario extensions from the OWASP MAS Guide, which applies the Cloud Security Alliance's MAESTRO framework. The OWASP Top 10 for Agentic Applications 2026 is a practitioner-format on-ramp. MITRE ATLAS is included as a downstream pivot. Per-mitigation upstream docs are catalogued separately in research/RESOURCES.md.
OWASP Agentic AI – Threats and Mitigations v1.1 (Dec 2025) defines T1–T17. The older MAS Threat Modelling Guide v1.0 (Apr 2025) applies MAESTRO to worked systems and reuses some extended IDs for system-specific variants. Helmwart provides stable normalized entries and renumbers the colliding RPA T16 / T17 entries to T48 / T49.
Primary taxonomy of agentic threats T1–T17 plus named attack scenarios per threat.
What we use: Drives the threat IDs, names, definitions, and mitigation associations across this site.
Top-10 format on-ramp (ASI01–ASI10) over the T1–T17 catalog. Appendix A cross-walks every entry to LLM Top 10, T-numbers, and AIVSS core risks.
What we use: Drives the Top 10 grid on the Frameworks page and the "covered by" badges on threat detail pages.
Applies the Cloud Security Alliance MAESTRO framework to MAS scenarios and records extended threat scenarios.
What we use: Drives the seven-layer model, cross-layer band, agentic factors, and normalized MAS scenario entries on the Frameworks page.
LLM01–LLM10 covering injection, supply-chain, output handling, agency, system-prompt leakage, and unbounded consumption at the LLM application layer.
What we use: Per-threat cross-walk: each agentic threat detail page links the matching LLM01–LLM10 entries so practitioners can pivot between the agentic and the LLM-app frames.
Named control IDs (#AI PROGRAM, #SEC PROGRAM, #LEAST MODEL PRIVILEGE, #OVERSIGHT, #UNWANTED BIAS TESTING, …) that map to mitigation classes Helmwart recommends.
What we use: Mitigation pages cite the matching OWASP AI Exchange control ID so readers can pivot to the wider AI-application security taxonomy.
Seven tenets of Zero Trust; the PE / PA / PEP (Policy Engine / Policy Administrator / Policy Enforcement Point) model; non-perimeter access patterns.
What we use: Canonical reference for identity, privilege, and inter-agent-communication mitigations (m-spiffe, m-rbac-abac, m-message-signing, m-token-lifetime, m-time-bound-priv).
Govern / Map / Measure / Manage functions for AI risk; "stop-build authority"; third-party oversight.
What we use: Governance backbone for mitigations addressing policy enforcement, oversight, anomaly detection, and continuous validation.
Twelve GAI risk categories (Confabulation, Information Integrity, Information Security, Value Chain Integration, …), each with Govern/Map/Measure/Manage actions.
What we use: Standards-grounded cross-walk for hallucination, supply-chain, memory, and output-moderation controls.
Joint government guidance: five agentic-AI risk categories (Privilege, Design & Configuration, Behavioral, Structural, Accountability) with concrete deployment recommendations.
What we use: Cited on mitigation pages addressing privilege scoping, identity, observability, and cascading-failure containment.
Four practical Zero-Trust principles applied to agents: scoped identity + contextual authz, delegated token exchange (RFC 8693), continuous verification + audit, workload attestation.
What we use: Implementation-oriented citation for SPIFFE, message signing, MFA-on-high-priv, NHI lifecycle, and time-bound privilege mitigations.
Adversarial tactics & techniques against AI/ML systems (AML.TXXXX IDs). External to OWASP; not referenced by the Top 10 2026, only briefly cited in the T1–T17 catalog.
What we use: Per-threat external pivot: where a T-number has a concrete adversary technique catalogued in ATLAS, the technique ID surfaces on the threat card. T8 has no clean ATLAS match; T7/T10 use loose pivots noted on each page.
Every Helmwart threat row mapped to its source family, MAESTRO layer(s), and ATLAS counterpart where one is available; n/a marks rows with no ATLAS mapping.
| Helmwart | Title | Source family | MAESTRO layer(s) | MITRE ATLAS |
|---|---|---|---|---|
| T1 | Memory Poisoning | T1 | L1 · L2 · CL | AML.T0020 · AML.T0070 · AML.T0080 · AML.T0080.000 |
| T2 | Tool Misuse | T2 | L3 · CL | AML.T0053 · AML.T0086 · AML.T0110 |
| T3 | Privilege Compromise | T3 | L4 · L6 · CL | AML.T0012 · AML.T0055 · AML.T0083 · AML.T0098 |
| T4 | Resource Overload | T4 | L4 · CL | AML.T0029 · AML.T0034 · AML.T0034.002 · AML.T0046 |
| T5 | Cascading Hallucination Attacks | T5 | L3 · CL | AML.T0031 · AML.T0060 · AML.T0062 |
| T6 | Intent Breaking and Goal Manipulation | T6 | L3 · CL | AML.T0051 · AML.T0051.001 · AML.T0054 · AML.T0065 |
| T7 | Misaligned and Deceptive Behaviours | T7 | L1 · L6 · CL | AML.T0067 · AML.T0067.000 · AML.T0077 |
| T8 | Repudiation and Untraceability | T8 | L5 · CL | n/a |
| T9 | Identity Spoofing and Impersonation | T9 | L7 · CL | AML.T0073 · AML.T0074 · AML.T0088 |
| T10 | Overwhelming Human-in-the-Loop (HITL) | T10 | L5 | AML.T0046 · AML.T0080 |
| T11 | Unexpected RCE and Code Attacks | T11 | L3 · L4 | AML.T0049 · AML.T0050 · AML.T0072 · AML.T0102 |
| T12 | Agent Communication Poisoning | T12 | L2 · CL | AML.T0080 · AML.T0080.000 |
| T13 | Rogue Agents in Multi-Agent Systems | T13 | L4 · L7 · CL | AML.T0061 · AML.T0081 · AML.T0110 |
| T14 | Human Attacks on Multi-Agent Systems | T14 | L4 · L7 · CL | AML.T0073 · AML.T0053 · AML.T0086 |
| T15 | Human Manipulation | T15 | L7 · CL | AML.T0052 · AML.T0067 · AML.T0067.000 · AML.T0077 |
| T16 | Insecure Inter-Agent Protocol Abuse | T16 | L3 · L7 · CL | AML.T0073 · AML.T0074 · AML.T0080 |
| T17 | Supply Chain Compromise | T17 | L1 · L2 · L3 | AML.T0010 · AML.T0019 · AML.T0058 · AML.T0109 |
| T18 | RAG Input Manipulation Leading to Policy Bypass | MAS-derived | L2 | AML.T0051.001 · AML.T0070 · AML.T0080 |
| T19 | Unintended Workflow Execution | MAS-derived | L3 | AML.T0053 · AML.T0081 · AML.T0067 |
| T20 | Framework Vulnerability Leading to Code Injection | MAS-derived | L3 | AML.T0049 · AML.T0050 · AML.T0072 |
| T21 | Inconsistent Workflow State | MAS-derived | L3 | AML.T0053 · AML.T0081 |
| T22 | Service Account Exposure | MAS-derived | L4 | AML.T0055 · AML.T0083 · AML.T0012 |
| T23 | Selective Log Manipulation | MAS-derived | L5 | AML.T0081 · AML.T0046 |
| T24 | Dynamic Policy Enforcement Failure | MAS-derived | L6 | AML.T0012 · AML.T0081 · AML.T0067 |
| T25 | Workflow Disruption via Dependency Exploitation | MAS-derived | L7 | AML.T0029 · AML.T0034 · AML.T0046 |
| T26 | Model Instability Leading to Inconsistent Blockchain Interactions | MAS-derived | L1 | AML.T0031 · AML.T0067 |
| T27 | Vector Database Poisoning with Malicious Smart Contract Data | MAS-derived | L2 | AML.T0070 · AML.T0051.001 · AML.T0080 |
| T28 | RAG Data Exfiltration | MAS-derived | L2 | AML.T0085 · AML.T0086 · AML.T0012 |
| T29 | Plugin Vulnerability Leading to Agent Compromise | MAS-derived | L3 | AML.T0010 · AML.T0110 · AML.T0109 |
| T30 | Insecure Inter-Agent Communication Protocol | MAS-derived | L3 | AML.T0073 · AML.T0080 · AML.T0051 |
| T31 | Insufficient Isolation Between Agent Actions | MAS-derived | L3 | AML.T0053 · AML.T0086 · AML.T0110 |
| T32 | Runaway Agent on Solana | MAS-derived | L3 | AML.T0034 · AML.T0034.002 · AML.T0029 |
| T33 | Blockchain Reorganisation Attack (Indirect) | MAS-derived | L4 | AML.T0031 · AML.T0067 |
| T34 | Wallet Key Compromise | MAS-derived | L4 | AML.T0055 · AML.T0083 · AML.T0073 |
| T35 | Manipulation of Proof of Sampling (PoSP) | MAS-derived | L5 | AML.T0081 · AML.T0067 |
| T36 | Smart Contract Vulnerability Leading to Agent Impersonation | MAS-derived | L6 | AML.T0073 · AML.T0049 · AML.T0074 |
| T37 | Cross-Chain Bridge Attack (Indirect) | MAS-derived | L7 | AML.T0010 · AML.T0109 · AML.T0049 |
| T38 | Emergent Collusion on Blockchain | MAS-derived | L7 | AML.T0061 · AML.T0081 · AML.T0031 |
| T39 | Unintended Resource Consumption via MCP | MAS-derived | L3 | AML.T0034.002 · AML.T0029 · AML.T0053 |
| T40 | MCP Client Impersonation | MAS-derived | L3 | AML.T0073 · AML.T0012 · AML.T0055 |
| T41 | Schema Mismatch Leading to Errors | MAS-derived | L3 | AML.T0067 · AML.T0031 |
| T42 | Cross-Client Interference via Shared Server | MAS-derived | L3 | AML.T0080 · AML.T0053 · AML.T0073 |
| T43 | Network Exposure of MCP Server | MAS-derived | L4 | AML.T0049 · AML.T0012 |
| T44 | Insufficient Logging in MCP Server / Client | MAS-derived | L5 | AML.T0046 · AML.T0081 |
| T45 | Insufficient Isolation of MCP Server Permissions | MAS-derived | L6 | AML.T0012 · AML.T0055 · AML.T0098 |
| T46 | Data Residency / Compliance Violation via MCP Server | MAS-derived | L6 | AML.T0085 · AML.T0086 |
| T47 | Rogue MCP Server in Ecosystem | MAS-derived | L7 | AML.T0074 · AML.T0110 · AML.T0109 · AML.T0058 |
| T48 | Model Inconsistency Leading to Variable Approvals | MAS-derived | L1 | AML.T0031 · AML.T0065 |
| T49 | Semantic Drift in Expense Policy Embeddings | MAS-derived | L2 | AML.T0070 · AML.T0020 · AML.T0080 |
Helmwart is an interpretive layer over upstream material. We preserve OWASP T1–T17, normalize conflicting MAS scenario IDs for site navigation, and apply MAESTRO/ATLAS cross-references editorially. We add (a) a graph runtime that suggests which threats apply to an architecture, (b) prose tying threats to mitigations with current sources, and (c) editorial primers.
This is not a substitute for security review. Use the canvas as a structured way to enumerate likely threats; use it as input to a real security review, not in place of one.
The primary and case-study references behind the security design principles page. Grouped; all verified against live sources, May 2026.
Foundational
OWASP
CSA
Vendor & standards
Case studies & patterns