OWASP Agentic Top 10: How 71 ATR Rules Cover All 10 Categories

Why OWASP Matters for AI Agents

OWASP (Open Worldwide Application Security Project) has defined security standards for web applications for over two decades. Their Top 10 lists are the baseline that every security team measures against. In early 2026, OWASP published the Agentic Security Top 10 (ASI01-ASI10) -- the first official taxonomy of threats specific to AI agent systems. This is the starting point for any serious AI agent security program.

The 10 Categories in Plain Language

ASI01 -- Prompt Injection: An attacker embeds instructions in data that the agent processes. The agent follows the injected instructions instead of the user intent. This is the most common and most dangerous attack against AI agents. ASI02 -- Unsafe Tool/Function Execution: The agent calls a tool with parameters that cause unintended side effects. A file reader that accepts `../../etc/passwd` as a path. A shell executor that does not sanitize input. ASI03 -- Tool Argument Manipulation: An attacker manipulates the arguments passed to a tool call, causing the tool to operate on different data or with different permissions than intended. ASI04 -- Information Disclosure: The agent leaks sensitive information through its responses, tool calls, or logs. System prompts, API keys, user data, or internal architecture details exposed to unauthorized parties. ASI05 -- Agent Memory Poisoning: Persistent storage (RAG databases, conversation history, learned preferences) is corrupted with malicious data that influences future agent behavior.

ASI06 -- Insufficient Sandboxing: The agent or its tools run with more system access than necessary. No process isolation, no filesystem restrictions, no network policy. A compromised tool can access everything the agent can access. ASI07 -- Multi-Agent Trust: In multi-agent systems, agents trust messages from other agents without verification. A compromised agent can influence the entire system through trusted inter-agent communication. ASI08 -- Supply Chain Vulnerabilities: Malicious or compromised tools, skills, or dependencies are installed. This includes typosquatting, dependency confusion, and backdoored packages. ASI09 -- Excessive Permissions: Agents or tools are granted broader permissions than required for their function. A weather-checking skill should not have filesystem write access. ASI10 -- Insufficient Logging: Agent actions, tool calls, and decisions are not logged with enough detail for security monitoring, incident response, or forensic analysis.

ATR Coverage Map

ATR v0.4.0 has 71 rules with 77 total mappings to the OWASP Agentic Top 10 (some rules map to multiple categories). The coverage breaks down into two tiers: ### STRONG Coverage (8+ rules per category) ASI01 -- Prompt Injection: 13 rules ATR-PI-001 through ATR-PI-013 cover identity override, instruction hijacking, jailbreak patterns, stealth block injection, eval injection, and social engineering. These rules use context signals to distinguish between injection in tool descriptions (high severity) and injection in documentation (suppressed). ASI02 -- Unsafe Tool Execution: 10 rules Reverse shell detection, command injection patterns, path traversal, SQL injection in tool parameters, and unsafe deserialization. Each rule includes code-block suppression to avoid false positives on documentation examples. ASI03 -- Tool Argument Manipulation: 8 rules Parameter pollution, type confusion, overflow patterns, and encoding tricks used to bypass input validation on tool arguments. ASI04 -- Information Disclosure: 9 rules Secret patterns (AWS keys, GitHub tokens, private keys, connection strings), system prompt leakage, error message information disclosure, and debug output detection. ASI05 -- Agent Memory Poisoning: 8 rules RAG injection patterns, memory write from untrusted sources, conversation history manipulation, and preference poisoning. ASI06 -- Insufficient Sandboxing: 12 rules Filesystem access outside declared scope, process spawning, network connections, capability escalation, and container escape patterns.

### MODERATE Coverage (4-7 rules per category) ASI07 -- Multi-Agent Trust: 7 rules A2A validation bypass, identity spoofing between agents, unsigned message acceptance, and delegation chain attacks. This category is growing -- multi-agent architectures are still emerging. ASI08 -- Supply Chain: 6 rules postinstall script detection, typosquatting distance calculation, dependency confusion patterns, behavioral change between versions. We plan to add more rules as the MCP registry ecosystem matures. ASI09 -- Excessive Permissions: 4 rules Permission scope mismatch (declared vs. actual), overprivileged tool definitions, wildcard permissions, and unnecessary capability requests. ASI10 -- Insufficient Logging: 5 rules Missing audit trail for tool calls, no error logging, silent failure patterns, and insufficient context in log entries.

Gaps and Roadmap

MODERATE coverage means the rules catch the most common attack patterns in each category but may miss sophisticated variants. Our priority for ATR v0.5.0 is to bring ASI07-ASI10 to STRONG coverage. Specific additions planned: - ASI07: Mutual authentication patterns for multi-agent protocols (A2A, MCP gateway) - ASI08: Registry-level integrity verification, SBOM analysis for MCP packages - ASI09: Automated permission scope analysis using manifest declarations - ASI10: Log completeness scoring and minimum logging requirements

How to Check Your Coverage

Run ATR against your MCP configuration and get an OWASP coverage report: ```bash npm install -g [email protected] atr scan --owasp-report . ``` This generates a per-category breakdown showing which rules triggered, which passed, and which categories have coverage gaps for your specific deployment. The report maps directly to the OWASP Agentic Top 10 so you can use it in compliance documentation.

The full OWASP mapping is maintained at `docs/OWASP-MAPPING.md` in the ATR repository and updated with every rule release.