Agent Threat Matrixv1.0
OpenA2A · Threat intelligence

The attacks against AI agents, mapped and graded.

An evidence-graded kill chain for agent systems: 9 tactics, 61 techniques, 40attack classes. Each one is tied to something real: observed in the wild, reproduced in the lab, or adapted from established attacks. Built to complement MITRE ATT&CK and OWASP, not replace them.

9
Tactics
61
Techniques
40
Attack classes
132
Evidence records
22 techniques
Coverage dashboard

What the evidence says

Every technique carries an evidence grade and a source trail. These panels are computed live from the matrix at build time. Nothing here is estimated.

Evidence grade mix
61
techniques
Observed 16
Validated 42
Adapted 3
Observed in the wild · reproduced in lab · adapted from prior art.
Evidence by source
HackMyAgent123
Shodan7
AgentPwn2
Records aggregated across all techniques.
Most evidenced techniques
T-3006 · Context Window Credential Leak20
T-3003 · Tool Response Credential Capture15
T-2005 · Tool Description Injection9
T-9006 · Supply Chain Compromise9
T-6004 · Skill/Plugin Backdoor8
T-9001 · Data Manipulation8
Total evidence records per technique.
Defensive coverage
Techniques with HackMyAgent detection61/61 · 100%
Techniques with OASB mitigation61/61 · 100%

Detection maps to HackMyAgent checks; mitigation maps to OASB controls. A technique without either is a gap worth closing. See Coverage & gaps.

The matrix

Kill-chain grid

Nine stages, left to right, the way an agent compromise actually unfolds. Search, filter by evidence grade, or surface only what's active right now. Every cell links to the full technique dossier.

61 of 61 techniques
Sort
Evidence gradeObservedValidatedAdapted123evidence recordsactive threat
Stage 01
Reconnaissance
7 tech
T-10012
Endpoint Enumeration
T-1002
Tool Discovery
T-1003
System Prompt Extraction
T-10041
Security Level Probing
T-10051
Capability Mapping
T-10066
Agent Card Discovery
T-1007
Context Window Probing
Stage 02
Initial Access
9 tech
T-20012
Direct Prompt Injection
T-2002
Indirect Prompt Injection
T-2003
Role-Play Jailbreak
T-2004
Context Window Exploitation
T-20059
Tool Description Injection
T-20065
Unicode/Encoding Bypass
T-2007
Multi-Turn Manipulation
T-2008
System Prompt Boundary Bypass
T-2009
Parser Differential Exploitation
Stage 03
Credential Harvest
6 tech
T-3001
System Prompt Credential Extraction
T-3002
Environment Variable Leakage
T-300315
Tool Response Credential Capture
T-3004
Memory Credential Mining
T-3005
Configuration File Access
T-300620
Context Window Credential Leak
Stage 04
Privilege Escalation
7 tech
T-4001
Capability Override
T-4002
Admin Impersonation
T-4003
Tool Parameter Injection
T-4004
Delegation Abuse
T-40055
Policy Bypass via Encoding
T-4006
Safety Instruction Displacement
T-4007
Tool Impersonation and Squatting
Stage 05
Lateral Movement
6 tech
T-5001
SSRF via Tool
T-50024
A2A Agent Pivoting
T-5003
MCP Server Hopping
T-5004
Credential Reuse
T-5005
Database Pivoting
T-5006
Internal API Discovery
Stage 06
Persistence
7 tech
T-60012
Memory Injection
T-60022
Self-Replicating Memory Entry
T-60034
Configuration Modification
T-60048
Skill/Plugin Backdoor
T-60054
Scheduled Task Injection
T-6006
Tool Registration Persistence
T-6007
Persistent Agent State Manipulation
Stage 07
Collection
7 tech
T-7001
File System Enumeration
T-7002
Database Extraction
T-7003
API Data Harvesting
T-7004
Memory Dump
T-7005
Configuration Harvesting
T-70061
PII Discovery
T-7007
Context Assembly Pipeline Attack
Stage 08
Exfiltration
6 tech
T-8001
Email Exfiltration
T-8002
HTTP Callback
T-8003
DNS Exfiltration
T-8004
Tool Chain Exfiltration
T-8005
Conversation Exfiltration
T-8006
Webhook Exfiltration
Stage 09
Impact
6 tech
T-90018
Data Manipulation
T-90028
Service Disruption
T-90038
Malicious Code Deployment
T-9004
Multi-Agent Consensus Manipulation
T-90058
Reputation Poisoning
T-90069
Supply Chain Compromise
The standard

Nothing here is hand-waved

Every technique carries one of three evidence grades. The grade tells you exactly how much to trust it.

Observed16 techniques

Confirmed in real-world production systems, security incidents, or internet-wide exposure assessments.

Validated42 techniques

Reproduced in a controlled lab (DVAA) with documented steps and independent verification. DVAA

Adapted3 techniques

A well-understood traditional technique applied to the agent context. Not yet observed agent-specifically.

Positioning

Where this fits

Infrastructure layer

MITRE ATT&CK

Enterprise network and endpoint attacks. The layer below the agent.

Model layer

MITRE ATLAS

Adversarial ML and model-level attacks. The layer below the agent.

Agent layer

Agent Threat Matrix

Infrastructure, governance, protocols, memory, and identity: the agent layer, between model and user.

See which techniques aren't covered by OWASP or MITRE →