What this is
One row per shipped probe in src/agent_guardian/probes/. Each row
binds the probe’s id and name to its OWASP ASI 2026 category, the
specific OWASP scenario it operationalises, the MITRE ATLAS techniques
it exercises, and the CSA Agentic Risk category it lands in.
This is what scan.json writes into every findings[].asi /
findings[].mitre_atlas / findings[].csa_category triple — the same
mapping every emitter (JSON, SARIF, JUnit, Markdown, PDF) carries.
When to use this
- You opened a finding and want to know exactly which OWASP / MITRE / CSA buckets it touches.
- You’re filling out a compliance matrix and need a per-control trace back to the probe that exercises it.
- You want to know which probes are missing for a specific OWASP scenario before opening a contribution PR.
- You need to convince a reviewer that “ASI03” in the report is the same ASI03 OWASP shipped in 2026, not an internal taxonomy.
How the mapping is generated
The rows below are extracted from the asi, owasp_scenario,
mitre_atlas, and csa_category keys on every *.yaml under
src/agent_guardian/probes/. The loader at
src/agent_guardian/probes/loader.py is the same code path that
populates the canonical scan.json — there is no second table and no
human-curated rewrite. The YAML files are the source of truth.
```bash
# Regenerate this view locally from the probe corpus.
uv run python -c "
import yaml, pathlib
for f in sorted(pathlib.Path('src/agent_guardian/probes').rglob('*.yaml')):
    d = yaml.safe_load(f.read_text())
    if not d or not d.get('asi'):
        continue  # skip empty files and YAML that is not a probe (no asi key)
    print(d['id'], d['asi'], d['owasp_scenario'], d.get('mitre_atlas'), d.get('csa_category'))
"
```
ASI category totals
96 probes ship in this release, distributed across the ten OWASP ASI
2026 categories. Coverage in the table below is the probe count
that lands in each category; Severity floor is the lowest severity
shipped in that category (severities are assigned per-probe and
flow straight through to the emitter).
| OWASP ASI 2026 | Probes | Severity floor | CSA category |
|---|---|---|---|
| ASI01 — Prompt Injection / Goal Hijack | 9 | high | goal-instruction-manipulation |
| ASI02 — Tool Misuse | 8 | high | agent-critical-system-interaction |
| ASI03 — Privilege Compromise | 9 | high | authorization-control-hijacking |
| ASI04 — Resource Overload / Supply Chain | 8 | medium | supply-chain-dependency |
| ASI05 — Cascading Hallucination → Code Execution | 8 | critical | agent-critical-system-interaction |
| ASI06 — Memory Poisoning | 13 | high | memory-context-manipulation, knowledge-base-poisoning, checker-out-of-the-loop |
| ASI07 — Misalignment / A2A Trust | 8 | high | multi-agent-exploitation |
| ASI08 — Cascading Failure | 8 | medium | impact-chain-blast-radius |
| ASI09 — Identity Spoofing / Output Handling | 17 | medium | hallucination-exploitation, resource-service-exhaustion |
| ASI10 — Untraceability / Goal Drift | 8 | low | agent-untraceability |
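As an added example (not AgentGuardian's own loader or code) of what to check once the YAML is loaded: the helper below applies the mapping rules this page describes to loaded probe dicts and recomputes the Probes and Severity floor columns of the totals table above. It assumes a `severity` key on each probe YAML (the page says severities are assigned per-probe but does not name the key); the sample probes are constructed inline so it runs without the corpus, and ASI06-MP-999 is an invented id.

```python
from collections import defaultdict

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# CSA buckets that the "ASI category totals" table above lists per ASI category.
CSA_BY_ASI = {
    "ASI01": {"goal-instruction-manipulation"}, "ASI02": {"agent-critical-system-interaction"},
    "ASI03": {"authorization-control-hijacking"}, "ASI04": {"supply-chain-dependency"},
    "ASI05": {"agent-critical-system-interaction"}, "ASI07": {"multi-agent-exploitation"},
    "ASI06": {"memory-context-manipulation", "knowledge-base-poisoning", "checker-out-of-the-loop"},
    "ASI08": {"impact-chain-blast-radius"}, "ASI10": {"agent-untraceability"},
    "ASI09": {"hallucination-exploitation", "resource-service-exhaustion"},
}

def check_probe(d):
    """Return the mapping defects in one loaded probe dict (empty list = clean)."""
    pid, asi, scen = str(d.get("id", "?")), d.get("asi"), str(d.get("owasp_scenario", ""))
    if asi not in CSA_BY_ASI:
        return [f"{pid}: unknown asi {asi!r}"]
    problems = []
    if not pid.startswith(asi + "-"):
        problems.append(f"{pid}: id prefix does not match asi {asi}")
    # ASI09 -OH- probes carry an LLM Top 10 scenario id; all others must name their own ASI.
    if not (scen.startswith(f"OWASP_{asi}_") or scen.startswith("OWASP_LLM")):
        problems.append(f"{pid}: scenario {scen!r} does not belong to {asi}")
    if not d.get("mitre_atlas"):
        problems.append(f"{pid}: mitre_atlas is empty")
    if d.get("csa_category") not in CSA_BY_ASI[asi]:
        problems.append(f"{pid}: csa_category {d.get('csa_category')!r} is not an {asi} bucket")
    if d.get("severity") not in SEVERITY_RANK:  # 'severity' key is an assumption, see lead-in
        problems.append(f"{pid}: unknown severity {d.get('severity')!r}")
    return problems

def summarize(probes):
    """Recompute the 'Probes' count and 'Severity floor' columns per ASI category."""
    out = defaultdict(lambda: {"probes": 0, "floor": None})
    for d in probes:
        row, sev = out[d["asi"]], d["severity"]
        row["probes"] += 1
        if row["floor"] is None or SEVERITY_RANK[sev] < SEVERITY_RANK[row["floor"]]:
            row["floor"] = sev
    return dict(out)

# Constructed sample: two rows from the tables on this page plus an invented probe
# (ASI06-MP-999) whose csa_category is an ASI04 bucket, not an ASI06 one.
SAMPLE_PROBES = [
    {"id": "ASI06-MP-001", "asi": "ASI06", "severity": "high",
     "owasp_scenario": "OWASP_ASI06_RAGAndEmbeddingsPoisoning",
     "mitre_atlas": ["AML.T0029", "Memory Manipulation"], "csa_category": "knowledge-base-poisoning"},
    {"id": "ASI09-OH-001", "asi": "ASI09", "severity": "medium",
     "owasp_scenario": "OWASP_LLM02_ImproperOutputHandling",
     "mitre_atlas": ["AML.T0012"], "csa_category": "hallucination-exploitation"},
    {"id": "ASI06-MP-999", "asi": "ASI06", "severity": "critical",
     "owasp_scenario": "OWASP_ASI06_ContextWindowExploitation",
     "mitre_atlas": ["Memory Manipulation"], "csa_category": "supply-chain-dependency"},
]
```

Feed it the dicts the regeneration command above yields and compare `summarize()` against the totals table: a count or floor that differs means a YAML file changed without this page being regenerated.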
Canonical probe → OWASP mapping
ASI01 — Prompt Injection / Goal Hijack
| Probe ID | Name | OWASP scenario | MITRE ATLAS | CSA category |
|---|---|---|---|---|
| ASI01-GH-001 | goal-redirect-direct | OWASP_ASI01_DirectGoalHijack | AML.T0051, AML.T0054 | goal-instruction-manipulation |
| ASI01-GH-002 | indirect-via-doc | OWASP_ASI01_OperatorPromptInjectionViaWebContent | AML.T0054, AI Agent Context Poisoning | goal-instruction-manipulation |
| ASI01-GH-003 | role-swap-pretext | OWASP_ASI01_InceptionAttackOnChatGPT | AML.T0054 | goal-instruction-manipulation |
| ASI01-GH-004 | scheduled-prompt-drift | OWASP_ASI01_GoalLockDriftViaScheduledPrompts | AML.T0054 | goal-instruction-manipulation |
| ASI01-GH-005 | dialect-roleplay | OWASP_ASI01_DirectGoalHijack | AML.T0054, AI Agent Context Poisoning | goal-instruction-manipulation |
| ASI01-GH-006 | echoleak-zero-click | OWASP_ASI01_EchoLeak | AML.T0051, AI Agent Context Poisoning | goal-instruction-manipulation |
| ASI01-GH-007 | time-anchor-redirect | OWASP_ASI01_GoalLockDriftViaScheduledPrompts | AML.T0054 | goal-instruction-manipulation |
| ASI01-GH-008 | tool-output-ipi | OWASP_ASI01_OperatorPromptInjectionViaWebContent | AML.T0051, AI Agent Context Poisoning | goal-instruction-manipulation |
| ASI01-T4-014 | persona-break-jailbreak | OWASP_ASI01_PromptInjection | AML.T0054 | goal-instruction-manipulation |
ASI02 — Tool Misuse
| Probe ID | Name | OWASP scenario | MITRE ATLAS | CSA category |
|---|---|---|---|---|
| ASI02-TA-001 | tool-arg-injection | OWASP_ASI02_UnvalidatedInputForwarding | AML.T0050, Exfiltration via AI Agent Tool Invocation | agent-critical-system-interaction |
| ASI02-TA-002 | dns-exfil-via-approved-tool | OWASP_ASI02_InternalQueryExternalExfiltration | AML.T0024, Exfiltration via AI Agent Tool Invocation | agent-critical-system-interaction |
| ASI02-TA-003 | scope-expansion | OWASP_ASI02_OverPrivilegedAPI | AML.T0050, Modify AI Agent Configuration | agent-critical-system-interaction |
| ASI02-TA-004 | tool-name-typosquat | OWASP_ASI02_ToolNameImpersonation | Publish Poisoned AI Agent Tool | agent-critical-system-interaction |
| ASI02-TA-005 | recursion-bomb | OWASP_ASI02_LoopAmplification | AML.T0034 | agent-critical-system-interaction |
| ASI02-TA-006 | parameter-smuggle | OWASP_ASI02_ApprovedToolMisuse | AML.T0050 | agent-critical-system-interaction |
| ASI02-TA-007 | chain-exfil | OWASP_ASI02_ToolNameImpersonation | Exfiltration via AI Agent Tool Invocation | agent-critical-system-interaction |
| ASI02-TA-008 | edr-bypass-via-legit-chain | OWASP_ASI02_EDRBypassViaToolChaining | Exfiltration via AI Agent Tool Invocation | agent-critical-system-interaction |
ASI03 — Privilege Compromise
| Probe ID | Name | OWASP scenario | MITRE ATLAS | CSA category |
|---|---|---|---|---|
| ASI03-PII-001 | cross-tenant-pii-read | OWASP_ASI03_IdentityImpersonation | AML.T0048, RAG Credential Harvesting | authorization-control-hijacking |
| ASI03-PR-001 | jit-credential-bypass | OWASP_ASI03_DelegatedPrivilegeAbuse | AML.T0048 | authorization-control-hijacking |
| ASI03-PR-002 | non-human-identity-coerce | OWASP_ASI03_SyntheticIdentityInjection | AML.T0048 | authorization-control-hijacking |
| ASI03-PR-003 | role-inherit-escalate | OWASP_ASI03_UnscopedPrivilegeInheritance | AML.T0050 | authorization-control-hijacking |
| ASI03-PR-004 | scope-token-replay | OWASP_ASI03_MemoryBasedEscalation | AML.T0048 | authorization-control-hijacking |
| ASI03-PR-005 | impersonate-supervisor | OWASP_ASI03_ForgedAgentPersona | AML.T0050 | authorization-control-hijacking |
| ASI03-PR-006 | toctou-workflow-drift | OWASP_ASI03_WorkflowAuthorizationDrift | AML.T0050 | authorization-control-hijacking |
| ASI03-PR-007 | memory-cached-cred-reuse | OWASP_ASI03_MemoryBasedEscalation | AML.T0048, RAG Credential Harvesting | authorization-control-hijacking |
| ASI03-PR-008 | device-code-phish-relay | OWASP_ASI03_DeviceCodePhishingAcrossAgents | AML.T0048 | authorization-control-hijacking |
ASI04 — Resource Overload / Supply Chain
| Probe ID | Name | OWASP scenario | MITRE ATLAS | CSA category |
|---|---|---|---|---|
| ASI04-SC-001 | mcp-server-poison | OWASP_ASI04_MaliciousMCPServerImpersonatingPostmark | Publish Poisoned AI Agent Tool | supply-chain-dependency |
| ASI04-SC-002 | dynamic-template-inject | OWASP_ASI04_PoisonedPromptTemplatesLoadedRemotely | AML.T0051 | supply-chain-dependency |
| ASI04-SC-003 | agent-in-middle-via-card | OWASP_ASI04_AgentSmithPromptHubProxyAttack | AML.T0051 | supply-chain-dependency |
| ASI04-SC-004 | poisoned-finetune-checkpoint | OWASP_ASI04_CompromisedNPMPackage | AML.T0058 | supply-chain-dependency |
| ASI04-SC-005 | registry-spoof | OWASP_ASI04_CompromisedMCPRegistryServer | Publish Poisoned AI Agent Tool | supply-chain-dependency |
| ASI04-SC-006 | plugin-hijack | OWASP_ASI04_AgentInTheMiddleViaAgentCards | Publish Poisoned AI Agent Tool | supply-chain-dependency |
| ASI04-SC-007 | coding-agent-poison-dep | OWASP_ASI04_CompromisedNPMPackage | Publish Poisoned AI Agent Tool | supply-chain-dependency |
| ASI04-SC-008 | runtime-tool-substitution | OWASP_ASI04_CompromisedNPMPackage | Publish Poisoned AI Agent Tool | supply-chain-dependency |
ASI05 — Cascading Hallucination → Code Execution
| Probe ID | Name | OWASP scenario | MITRE ATLAS | CSA category |
|---|---|---|---|---|
| ASI05-CE-001 | eval-smuggle | OWASP_ASI05_UnsafeFunctionCallsAndEval | AML.T0050 | agent-critical-system-interaction |
| ASI05-CE-002 | memory-system-rce | OWASP_ASI05_MemorySystemRCE | Memory Manipulation | agent-critical-system-interaction |
| ASI05-CE-003 | unsafe-pickle | OWASP_ASI05_UnsafeObjectDeserialization | AML.T0050 | agent-critical-system-interaction |
| ASI05-CE-004 | shell-meta-injection | OWASP_ASI05_DirectShellInjection | AML.T0050, Escape to Host | agent-critical-system-interaction |
| ASI05-CE-005 | exec-chain-construction | OWASP_ASI05_MultiToolChainExploitation | AML.T0050, Escape to Host | agent-critical-system-interaction |
| ASI05-CE-006 | vibe-coding-runaway | OWASP_ASI05_ReplitVibeCodingRunawayExecution | Escape to Host | agent-critical-system-interaction |
| ASI05-CE-007 | lockfile-poisoning | OWASP_ASI05_DependencyLockfilePoisoning | Publish Poisoned AI Agent Tool | agent-critical-system-interaction |
| ASI05-CE-008 | sandbox-escape-primitive | OWASP_ASI05_MemorySystemRCE | Escape to Host | agent-critical-system-interaction |
ASI06 — Memory Poisoning
| Probe ID | Name | OWASP scenario | MITRE ATLAS | CSA category |
|---|---|---|---|---|
| ASI06-MP-001 | rag-corpus-inject | OWASP_ASI06_RAGAndEmbeddingsPoisoning | AML.T0029, Memory Manipulation | knowledge-base-poisoning |
| ASI06-MP-002 | persistent-trigger-token | OWASP_ASI06_SystemicMisalignmentAndBackdoors | AML.T0029, Memory Manipulation | memory-context-manipulation |
| ASI06-MP-003 | cross-session-payload | OWASP_ASI06_ContextWindowExploitation | Memory Manipulation | memory-context-manipulation |
| ASI06-MP-004 | embedding-collision | OWASP_ASI06_CrossTenantVectorBleed | AML.T0029 | knowledge-base-poisoning |
| ASI06-MP-005 | false-memory-plant | OWASP_ASI06_TravelBookingMemoryPoisoning | Memory Manipulation | memory-context-manipulation |
| ASI06-MP-006 | iterative-fact-reinforcement | OWASP_ASI06_TravelBookingMemoryPoisoning | Memory Manipulation | memory-context-manipulation |
| ASI06-MP-007 | cross-tenant-vector-bleed | OWASP_ASI06_CrossTenantVectorBleed | AML.T0029 | knowledge-base-poisoning |
| ASI06-MP-008 | validator-bypass-via-memory | OWASP_ASI06_MemoryPoisoningForSystem | Memory Manipulation | checker-out-of-the-loop |
| ASI06-HITL-009 | plan-execution-without-review | OWASP_ASI06_MemoryPoisoningForSystem | Memory Manipulation | checker-out-of-the-loop |
| ASI06-HITL-010 | sign-off-spoofing | OWASP_ASI06_MemoryPoisoningForSystem | Memory Manipulation | checker-out-of-the-loop |
| ASI06-HITL-011 | after-hours-autonomous-action | OWASP_ASI06_SystemicMisalignmentAndBackdoors | Memory Manipulation | checker-out-of-the-loop |
| ASI06-HITL-012 | defender-memory-subversion | OWASP_ASI06_MemoryPoisoningForSystem | Memory Manipulation | checker-out-of-the-loop |
| ASI06-HITL-013 | user-instructed-rule-violation | OWASP_ASI06_MemoryPoisoningForSystem | Memory Manipulation | checker-out-of-the-loop |
ASI07 — Misalignment / A2A Trust
| Probe ID | Name | OWASP scenario | MITRE ATLAS | CSA category |
|---|---|---|---|---|
| ASI07-A2A-001 | agent-card-spoof | OWASP_ASI07_A2ARegistrationSpoofing | AML.T0050, Modify AI Agent Configuration | multi-agent-exploitation |
| ASI07-A2A-002 | message-bus-spoof | OWASP_ASI07_SemanticInjectionViaUnencryptedCommunications | Thread Injection | multi-agent-exploitation |
| ASI07-A2A-003 | confused-deputy | OWASP_ASI07_AgentInTheMiddleViaMCPDescriptorPoisoning | AML.T0050, Thread Injection | multi-agent-exploitation |
| ASI07-A2A-004 | trust-message-replay | OWASP_ASI07_TrustPoisoningViaMessageTampering | Thread Injection | multi-agent-exploitation |
| ASI07-A2A-005 | supervisor-impersonate | OWASP_ASI07_A2ARegistrationSpoofing | AML.T0050, Modify AI Agent Configuration | multi-agent-exploitation |
| ASI07-A2A-006 | protocol-downgrade | OWASP_ASI07_GoalManipulationViaProtocolDowngrade | Modify AI Agent Configuration | multi-agent-exploitation |
| ASI07-A2A-007 | collusion-induce | OWASP_ASI07_ContextConfusionViaReplay | Thread Injection | multi-agent-exploitation |
| ASI07-A2A-008 | semantics-split-brain | OWASP_ASI07_SemanticsSplitBrain | Thread Injection | multi-agent-exploitation |
ASI08 — Cascading Failure
| Probe ID | Name | OWASP scenario | MITRE ATLAS | CSA category |
|---|---|---|---|---|
| ASI08-CF-001 | feedback-loop-amplification | OWASP_ASI08_AutoRemediationFeedbackLoop | AML.T0034 | impact-chain-blast-radius |
| ASI08-CF-002 | alarm-suppression | OWASP_ASI08_SecurityOperationsCompromise | AML.T0043 | impact-chain-blast-radius |
| ASI08-CF-003 | retry-storm | OWASP_ASI08_CloudOrchestrationBreakdown | AML.T0034 | impact-chain-blast-radius |
| ASI08-CF-004 | dependency-cascade | OWASP_ASI08_HealthcareProtocolPropagation | AML.T0034 | impact-chain-blast-radius |
| ASI08-CF-005 | fail-loud-to-silent | OWASP_ASI08_AgenticCyberDefensePropagatingFalseAlerts | AML.T0043 | impact-chain-blast-radius |
| ASI08-CF-006 | planner-executor-auto-run | OWASP_ASI08_PlannerExecutorCoupling | AML.T0050 | impact-chain-blast-radius |
| ASI08-CF-007 | blast-radius-probe | OWASP_ASI08_AutoRemediationFeedbackLoop | AML.T0050 | impact-chain-blast-radius |
| ASI08-CF-008 | governance-drift-bulk | OWASP_ASI08_GovernanceDriftCascade | Modify AI Agent Configuration | impact-chain-blast-radius |
ASI09 — Identity Spoofing / Output Handling
| Probe ID | Name | OWASP scenario | MITRE ATLAS | CSA category |
|---|---|---|---|---|
| ASI09-TE-001 | manufactured-authority | OWASP_ASI09_CredentialHarvestingViaContextualDeception | AML.T0053 | hallucination-exploitation |
| ASI09-TE-002 | confident-hallucination | OWASP_ASI09_ClinicalDecisionManipulation | AML.T0053 | hallucination-exploitation |
| ASI09-TE-003 | anthropomorphic-persuasion | OWASP_ASI09_EmotionalManipulation | AML.T0053 | hallucination-exploitation |
| ASI09-TE-004 | weaponized-explainability | OWASP_ASI09_ExplainabilityFabrications | AML.T0053 | hallucination-exploitation |
| ASI09-TE-005 | citation-fabrication | OWASP_ASI09_FraudulentPaymentAdvice | AML.T0053 | hallucination-exploitation |
| ASI09-TE-006 | helpful-trojan-command | OWASP_ASI09_HelpfulAssistantTrojan | AML.T0053 | hallucination-exploitation |
| ASI09-TE-007 | false-consensus | OWASP_ASI09_WeaponizedExplainabilityProductionOutage | AML.T0053 | hallucination-exploitation |
| ASI09-TE-008 | consent-launder-preview | OWASP_ASI09_ConsentLaunderingThroughReadOnlyPreviews | AML.T0053 | hallucination-exploitation |
| ASI09-RSE-009 | denial-of-wallet | OWASP_ASI09_FraudulentPaymentAdvice | AML.T0034 | resource-service-exhaustion |
| ASI09-RSE-010 | recursive-tool-calls | OWASP_ASI09_WeaponizedExplainabilityProductionOutage | AML.T0034 | resource-service-exhaustion |
| ASI09-RSE-011 | fanout-amplification | OWASP_ASI09_WeaponizedExplainabilityProductionOutage | AML.T0034 | resource-service-exhaustion |
| ASI09-RSE-012 | infinite-loop-tool-spec | OWASP_ASI09_HelpfulAssistantTrojan | AML.T0034 | resource-service-exhaustion |
| ASI09-T4-013 | classic-jailbreak-seed | OWASP_ASI09_EmotionalManipulation | AML.T0054 | hallucination-exploitation |
| ASI09-T4-014 | stateless-roleplay-bait | OWASP_ASI09_EmotionalManipulation | AML.T0054 | hallucination-exploitation |
| ASI09-OH-001 | output-reflection-xss | OWASP_LLM02_ImproperOutputHandling | AML.T0012 | hallucination-exploitation |
| ASI09-OH-002 | reflected-script-injection | OWASP_LLM02_ImproperOutputHandling | AML.T0012 | hallucination-exploitation |
| ASI09-OH-003 | output-context-payloads | OWASP_LLM02_ImproperOutputHandling | AML.T0012 | hallucination-exploitation |
ASI10 — Untraceability / Goal Drift
| Probe ID | Name | OWASP scenario | MITRE ATLAS | CSA category |
|---|---|---|---|---|
| ASI10-DR-001 | long-horizon-drift | OWASP_ASI10_GoalDriftAndScheming | AI Agent Context Poisoning | agent-untraceability |
| ASI10-DR-002 | sandbagging-detect | OWASP_ASI10_RewardHackingAndOptimizationAbuse | AI Agent Context Poisoning | agent-untraceability |
| ASI10-DR-003 | workflow-hijack-takeover | OWASP_ASI10_WorkflowHijacking | AI Agent Context Poisoning | agent-untraceability |
| ASI10-DR-004 | capability-mask | OWASP_ASI10_GoalDriftAndScheming | AI Agent Context Poisoning | agent-untraceability |
| ASI10-DR-005 | off-task-drift | OWASP_ASI10_AutonomousDataExfiltrationAfterIPI | AI Agent Context Poisoning | agent-untraceability |
| ASI10-DR-006 | self-replicate-via-api | OWASP_ASI10_SelfReplicationViaProvisioningAPIs | AI Agent Context Poisoning | agent-untraceability |
| ASI10-DR-007 | reward-hacking | OWASP_ASI10_RewardHackingCriticalDataLoss | AI Agent Context Poisoning | agent-untraceability |
| ASI10-DR-008 | mode-shift | OWASP_ASI10_WorkflowHijacking | AI Agent Context Poisoning | agent-untraceability |
OWASP LLM Top 10 (2025) crosswalk
The OWASP LLM Top 10 is a separate (model-centric) list from
ASI 2026 (agent-centric). Most LLM-Top-10 items map onto an ASI
category — and the ASI corpus is what AgentGuardian actually
exercises. The single LLM-Top-10 item that’s explicitly tagged in the
probe corpus today is OWASP_LLM02_ImproperOutputHandling (three
ASI09 -OH- probes); the rest of this crosswalk shows the natural
ASI category each LLM-Top-10 item lands in for an agent.
| OWASP LLM Top 10 (2025) | Closest ASI 2026 bucket | AgentGuardian probes |
|---|---|---|
| LLM01 — Prompt Injection | ASI01 (Prompt Injection / Goal Hijack) | All 9 ASI01 probes |
| LLM02 — Improper Output Handling | ASI09 (-OH- family) | ASI09-OH-001, ASI09-OH-002, ASI09-OH-003 (explicitly tagged OWASP_LLM02_ImproperOutputHandling) |
| LLM03 — Supply Chain | ASI04 (Resource Overload / Supply Chain) | All 8 ASI04 probes |
| LLM04 — Data & Model Poisoning | ASI06 (Memory Poisoning) | All 13 ASI06 probes (ASI06-MP-*, ASI06-HITL-*) |
| LLM05 — Improper Output Handling (legacy renumber) | ASI09 | See LLM02 row |
| LLM06 — Excessive Agency | ASI02 (Tool Misuse) + ASI03 (Privilege Compromise) | All 8 ASI02 + 9 ASI03 probes |
| LLM07 — System Prompt Leakage | ASI01 (echoleak-zero-click, tool-output-ipi, indirect-via-doc) | ASI01-GH-006, ASI01-GH-008, ASI01-GH-002 |
| LLM08 — Vector & Embedding Weaknesses | ASI06 (embedding-collision, cross-tenant-vector-bleed, rag-corpus-inject) | ASI06-MP-001, ASI06-MP-004, ASI06-MP-007 |
| LLM09 — Misinformation | ASI09 (-TE- family: hallucination / persuasion) | 8 ASI09 -TE- probes |
| LLM10 — Unbounded Consumption | ASI09 (-RSE- family) + ASI02 (recursion-bomb) + ASI08 (retry-storm) | ASI09-RSE-009..012, ASI02-TA-005, ASI08-CF-003 |
Only LLM02 — Improper Output Handling is asserted as a first-class
owasp_scenario in the probe YAML today (three ASI09 -OH- probes).
Every other row above is the ASI category that operationally covers
the LLM-Top-10 risk for an agent target — it is not an additional
owasp_scenario tag emitted in scan.json. If you need LLM-Top-10
trace IDs in your report, post-process findings[].asi /
findings[].probe_id using this table.
How to interpret a finding’s mapping
A scan.json finding carries the OWASP / MITRE / CSA triple directly:
```json
{
  "probe_id": "ASI06-MP-001",
  "asi": "ASI06",
  "mitre_atlas": ["AML.T0029", "Memory Manipulation"],
  "csa_category": "knowledge-base-poisoning"
}
```
Read it in this order:
1. probe_id — the row in the per-ASI table above. That row is the ground truth for everything else.
2. asi — the OWASP ASI 2026 category. Use it for the high-level “what kind of risk is this” lens (and for SARIF rule grouping in code-scanning).
3. mitre_atlas — the techniques the probe exercises. Multiple entries are normal: a probe usually combines a tactic from the numeric MITRE ATLAS catalogue (AML.T*) with a named agent-specific technique (Memory Manipulation, Escape to Host, Thread Injection, Publish Poisoned AI Agent Tool, Modify AI Agent Configuration, RAG Credential Harvesting, Exfiltration via AI Agent Tool Invocation, AI Agent Context Poisoning).
4. csa_category — the CSA Agentic Risk taxonomy bucket. Use it when reporting into a CSA-aligned risk register.
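The post-processing step the crosswalk section suggests, as an added example that is not part of AgentGuardian: it derives LLM Top 10 (2025) trace ids for each finding from the crosswalk rows above, taking the widest match first (the ASI category, then the ASI09 probe family, then probes the table names individually), and leaves the canonical OWASP / MITRE / CSA triple untouched. The `llm_top10` output key and the scan.json excerpt are constructed for illustration; only the finding keys this page documents are filled in.

```python
import json

# Crosswalk rows that name individual probes (LLM07, LLM08 and the LLM10 extras).
PROBE_TO_LLM = {
    "ASI01-GH-002": ["LLM07"], "ASI01-GH-006": ["LLM07"], "ASI01-GH-008": ["LLM07"],
    "ASI06-MP-001": ["LLM08"], "ASI06-MP-004": ["LLM08"], "ASI06-MP-007": ["LLM08"],
    "ASI02-TA-005": ["LLM10"], "ASI08-CF-003": ["LLM10"],
}
# Crosswalk rows that cover a whole ASI category ...
ASI_TO_LLM = {"ASI01": ["LLM01"], "ASI02": ["LLM06"], "ASI03": ["LLM06"],
              "ASI04": ["LLM03"], "ASI06": ["LLM04"]}
# ... or one probe family inside ASI09 (the family is the middle token of the probe id).
# LLM05 is the legacy renumber of LLM02, so the -OH- family yields both ids.
FAMILY_TO_LLM = {("ASI09", "OH"): ["LLM02", "LLM05"], ("ASI09", "TE"): ["LLM09"],
                 ("ASI09", "RSE"): ["LLM10"]}

def llm_trace_ids(finding):
    """LLM Top 10 ids a finding maps to, widest bucket first; [] when no crosswalk row covers it."""
    pid, asi = finding["probe_id"], finding["asi"]
    family = pid.split("-")[1] if pid.count("-") >= 2 else ""
    ids = ASI_TO_LLM.get(asi, []) + FAMILY_TO_LLM.get((asi, family), []) + PROBE_TO_LLM.get(pid, [])
    return list(dict.fromkeys(ids))  # de-duplicate while keeping order

def annotate_scan(scan):
    """Add a non-canonical `llm_top10` list to every finding; existing keys are not modified."""
    for finding in scan.get("findings", []):
        finding["llm_top10"] = llm_trace_ids(finding)
    return scan

# Constructed scan.json excerpt (not real tool output) with four findings, the last of
# which (ASI10) has no LLM Top 10 row and therefore gets an empty list.
SAMPLE_SCAN = json.loads("""{
  "findings": [
    {"probe_id": "ASI06-MP-001", "asi": "ASI06",
     "mitre_atlas": ["AML.T0029", "Memory Manipulation"], "csa_category": "knowledge-base-poisoning"},
    {"probe_id": "ASI09-OH-001", "asi": "ASI09",
     "mitre_atlas": ["AML.T0012"], "csa_category": "hallucination-exploitation"},
    {"probe_id": "ASI02-TA-005", "asi": "ASI02",
     "mitre_atlas": ["AML.T0034"], "csa_category": "agent-critical-system-interaction"},
    {"probe_id": "ASI10-DR-001", "asi": "ASI10",
     "mitre_atlas": ["AI Agent Context Poisoning"], "csa_category": "agent-untraceability"}
  ]
}""")

if __name__ == "__main__":
    for f in annotate_scan(SAMPLE_SCAN)["findings"]:
        print(f["probe_id"], f["asi"], f["llm_top10"])
```

Because the added key is derived, not emitted by the scanner, keep it out of anything you verify with agent-guardian verify and add it only to the report copy you hand to the compliance reader.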
Next step
- Reports overview: see the five emitters that carry this mapping into JSON, SARIF, JUnit, Markdown, and PDF.
- Signatures & trust: the mapping rides inside the Ed25519-signed envelope — verify it end-to-end with agent-guardian verify.
- Attack library: browse the same probe corpus organised by attack technique, with payload seeds and detection logic.
- Contributing a probe: add a probe and its OWASP / MITRE / CSA triple — the YAML schema that drives this table.