Blank canvas
Start from nothing. Drag in agents, memory, tools, externals, and humans from the palette.
Want a guided walk-through that starts from one of these? Open the four-question wizard →
| # | Template | Description | Status | Agents | Edges | Findings | Trifecta | Frameworks | Action |
|---|---|---|---|---|---|---|---|---|---|
| 00 | Blank canvas | Start from nothing. Drag in agents, memory, tools, externals, and humans from the palette. | Ready | 0 | 0 | 0 | 0 | | Open → |
| 01 | Consumer Fintech | 10-agent consumer fintech: chat and voice frontends, an autonomous orchestrator, a policy/compliance reviewer, and specialists for accounts, transactions, fraud, recommendations, and support. An MCP tool bus and a HITL gate sit between the agent fleet and external KYC / payments / banking APIs. | Ready | 10 | 40 | 29 | 1 | MAESTRO, OWASP | Open → |
| 02 | Personal RAG assistant | A single chat agent backed by a user-uploaded document corpus and live web fetch. Designed to surface the EchoLeak-style Lethal Trifecta on the simplest possible system. | Ready | 1 | 5 | 9 | 1 | ATLAS, OWASP | Open → |
| 03 | Customer Support Automation | A user-facing chat agent backed by a RAG knowledge store, a ticket-system API the agent writes to, and a human escalation gate. Untrusted user input flows into a RAG-and-write-capable agent under partial-provenance memory and an unsigned audit log. | Ready | 1 | 6 | 12 | 0 | OWASP | Open → |
| 04 | MCP-based tool server | A single third-party MCP server exposes shell and write-capable tools to multiple client agents through one shared protocol channel. Concentrates descriptor-injection, cross-client interference, and third-party trust-anchor risk on one server. | Ready | 2 | 13 | 20 | 0 | MAESTRO, OWASP | Open → |
| 05 | RPA: Expense Reimbursement | RPA agent that extracts, validates (via policy RAG), and routes expense claims. Matches the OWASP MAS Guide §3 worked threat model. Open the case study for the full per-layer threat list. | Ready | 3 | 15 | 15 | 1 | MAESTRO, OWASP | Open → |
| 06 | ElizaOS (Web3 agent OS) | An ElizaOS-style agent system: multi-LLM, plugin tool bus, Solana blockchain integration, multi-platform clients. Matches the OWASP MAS Guide §4 worked threat model. Runaway-loop, wallet-key compromise, and plugin-vulnerability scenarios all surface on this graph. | Ready | 2 | 12 | 32 | 2 | MAESTRO, OWASP | Open → |
| 07 | Anthropic MCP: host + multiple servers | An MCP host (Claude Desktop / IDE) with multiple MCP Clients, each connecting to a distinct MCP Server, mapping to the OWASP MAS Guide §5 worked threat model. Surfaces protocol-abuse, schema-mismatch, network-exposure, and rogue-server scenarios. | Ready | 1 | 12 | 21 | 1 | MAESTRO, OWASP | Open → |
| 08 | Healthcare diagnostic | Patient management with regulated data flowing through specialist agents into the EHR. Repudiation, identity spoofing, and overreliance dominate. | Phase 2 | · | · | · | · | HIPAA | |
| 09 | SDLC / coding agents | Code-execution scope, supply-chain risk, and prompt injection from repository content. The sandbox is the centerpiece control. | Phase 2 | · | · | · | · | | |