# Gap Analysis

How the AI Agent Threat Matrix relates to existing frameworks. This analysis shows which techniques are covered, partially covered, or not addressed by OWASP Top 10 for LLM and MITRE ATLAS.

19 of 57 techniques (33%) in the AI Agent Threat Matrix are not covered by either OWASP Top 10 for LLM or MITRE ATLAS. These are agent-layer threats that existing frameworks were not designed to address.

## Techniques Not Covered by OWASP or ATLAS (19)

| ID | Technique | Tactic | Class |
|---|---|---|---|
| T-4006 | Safety Instruction Displacement | privilege-escalation | SOUL-DRIFT |
| T-5001 | SSRF via Tool | lateral-movement | SKILL-EXFIL |
| T-5002 | A2A Agent Pivoting | lateral-movement | AGENT-IMPERSONATE |
| T-5004 | Credential Reuse | lateral-movement | RETROACTIVE-PRIV |
| T-5005 | Database Pivoting | lateral-movement | MCP-EXPLOIT |
| T-5006 | Internal API Discovery | lateral-movement | MCP-EXPLOIT |
| T-6003 | Configuration Modification | persistence | GATEWAY-EXPLOIT |
| T-6005 | Scheduled Task Injection | persistence | HEARTBEAT-RCE |
| T-6006 | Tool Registration Persistence | persistence | SKILL-FRONTMATTER |
| T-7002 | Database Extraction | collection | CODE-INJECTION |
| T-7003 | API Data Harvesting | collection | SKILL-EXFIL |
| T-8001 | Email Exfiltration | exfiltration | SKILL-EXFIL |
| T-8002 | HTTP Callback | exfiltration | SKILL-EXFIL |
| T-8003 | DNS Exfiltration | exfiltration | SKILL-EXFIL |
| T-8004 | Tool Chain Exfiltration | exfiltration | SKILL-EXFIL |
| T-8006 | Webhook Exfiltration | exfiltration | SKILL-EXFIL |
| T-9002 | Service Disruption | impact | NEMO-SUPPLY-CHAIN |
| T-9004 | Multi-Agent Consensus Manipulation | impact | ORG-SKILL-SPREAD |
| T-9005 | Reputation Poisoning | impact | ORG-SKILL-SPREAD |

## Framework Scope

### OWASP Top 10 for LLM

- **Covers:** prompt injection, output handling, supply chain, information disclosure, excessive agency, overreliance
- **Does not cover:** agent protocols (MCP, A2A), governance file manipulation, memory persistence, cross-agent lateral movement, sandbox escape, heartbeat attacks, identity attacks

### MITRE ATLAS

- **Covers:** reconnaissance, initial access (adversarial ML), credential access, model extraction, data poisoning
- **Does not cover:** agent infrastructure, skill supply chain, MCP/A2A exploitation, governance files, memory poisoning, heartbeat persistence, webhook exfiltration

### Agent Threat Matrix

- **Covers:** the agent layer between the model and the user (governance, protocols, memory, identity, skills, and infrastructure)
- **Does not cover:** model-level attacks (adversarial examples, training poisoning), enterprise network attacks