AI Agent Threat Matrix

Classifying attacks against AI agent systems

9 tactics. 57 techniques. 36 attack classes. Every technique is grounded in observed adversary behavior or validated in a controlled lab environment. Designed to complement MITRE ATT&CK and OWASP, not replace them.

Tactics

Techniques

Attack Classes

28%

Observed

67%

Validated

Threat Matrix

Reconnaissance

Stage 1

Map the target agent's attack surface, capabilities, and behavioral boundaries

T-1001Endpoint Enumerationobserved T-1002Tool Discoveryvalidated T-1003System Prompt Extractionvalidated T-1004Security Level Probingvalidated T-1005Capability Mappingvalidated T-1006Agent Card Discoveryobserved T-1007Context Window Probingvalidated

Initial Access

Stage 2

Gain control over agent behavior through prompt manipulation or input exploitation

T-2001Direct Prompt Injectionobserved T-2002Indirect Prompt Injectionobserved T-2003Role-Play Jailbreakobserved T-2004Context Window Exploitationvalidated T-2005Tool Description Injectionvalidated T-2006Unicode/Encoding Bypassobserved T-2007Multi-Turn Manipulationvalidated T-2008System Prompt Boundary Bypassvalidated

Credential Harvest

Stage 3

Extract API keys, tokens, and credentials from agent context and connected services

T-3001System Prompt Credential Extractionobserved T-3002Environment Variable Leakageobserved T-3003Tool Response Credential Capturevalidated T-3004Memory Credential Miningvalidated T-3005Configuration File Accessobserved T-3006Context Window Credential Leakvalidated

Privilege Escalation

Stage 4

Escalate capabilities beyond declared scope or bypass authorization

T-4001Capability Overridevalidated T-4002Admin Impersonationvalidated T-4003Tool Parameter Injectionvalidated T-4004Delegation Abusevalidated T-4005Policy Bypass via Encodingvalidated T-4006Safety Instruction Displacementvalidated

Lateral Movement

Stage 5

Pivot from compromised agent to connected services or other agents

T-5001SSRF via Toolvalidated T-5002A2A Agent Pivotingvalidated T-5003MCP Server Hoppingvalidated T-5004Credential Reuseobserved T-5005Database Pivotingvalidated T-5006Internal API Discoveryvalidated

Persistence

Stage 6

Establish persistent access surviving restarts and session changes

T-6001Memory Injectionvalidated T-6002Self-Replicating Memory Entryvalidated T-6003Configuration Modificationobserved T-6004Skill/Plugin Backdoorvalidated T-6005Scheduled Task Injectionobserved T-6006Tool Registration Persistencevalidated

Collection

Stage 7

Gather and stage data from databases, file systems, and APIs

T-7001File System Enumerationvalidated T-7002Database Extractionvalidated T-7003API Data Harvestingvalidated T-7004Memory Dumpvalidated T-7005Configuration Harvestingobserved T-7006PII Discoveryvalidated

Exfiltration

Stage 8

Transfer collected data out of target environment

T-8001Email Exfiltrationvalidated T-8002HTTP Callbackvalidated T-8003DNS Exfiltrationadapted T-8004Tool Chain Exfiltrationvalidated T-8005Conversation Exfiltrationvalidated T-8006Webhook Exfiltrationobserved

Impact

Stage 9

Modify data, deploy malicious code, or disrupt services

T-9001Data Manipulationvalidated T-9002Service Disruptionvalidated T-9003Malicious Code Deploymentobserved T-9004Multi-Agent Consensus Manipulationadapted T-9005Reputation Poisoningadapted T-9006Supply Chain Compromiseobserved

Evidence Standard

observed16 techniques

Confirmed in real-world production systems, security incidents, or internet-wide exposure assessments.

validated38 techniques

Reproduced in controlled lab environment (DVAA) with documented steps and independent verification.

adapted3 techniques

Well-understood traditional technique applied to the AI agent context. Not yet observed agent-specifically.

Where This Fits

MITRE ATT&CK

Enterprise network and endpoint attacks. Covers the infrastructure layer below the agent.

MITRE ATLAS

Adversarial ML and model-level attacks. Covers the model layer below the agent.

Agent Threat Matrix

Agent infrastructure, governance, protocols, memory, and identity. Covers the agent layer between the model and the user.

View the full gap analysis showing which of our 57 techniques are not covered by OWASP or MITRE →