Agent Threat Matrixv1.0
Coverage · Cross-framework

What the existing frameworks don't see.

The Agent Threat Matrix sits alongside OWASP Top 10 for LLM and MITRE ATLAS. This page measures the overlap, and the agent-layer threats that neither framework was built to address.

61
Total techniques
30
In OWASP LLM
19
In MITRE ATLAS
23
In neither
38% of the matrix
The measurement

How much falls through the cracks

23 of 61 techniques (38%) in the matrix are covered by neither OWASP Top 10 for LLM nor MITRE ATLAS. These are the threats that live in the agent layer: governance, protocols, memory, identity, skills, and infrastructure.

38%
In neither
Covered 38
Not covered 23
OWASP Top 10 for LLM30/61 · 49%
MITRE ATLAS19/61 · 31%
Covered by at least one framework38/61 · 62%
Covered by neither23/61 · 38%
Each cell ≈ 1% of the 61 techniques. Rose marks the agent-layer gap.
The gap

Not covered by OWASP or ATLAS · 23

Every technique below is unaddressed by both external frameworks. They are the reason the matrix exists.

T-2009PARSER-DIFFERENTIAL
Parser Differential Exploitation
initial-access
T-4006SOUL-DRIFT
Safety Instruction Displacement
privilege-escalation
T-4007FAKETOOL-INJECT
Tool Impersonation and Squatting
privilege-escalation
T-5001SKILL-EXFIL
SSRF via Tool
lateral-movement
T-5002AGENT-IMPERSONATE
A2A Agent Pivoting
lateral-movement
T-5004RETROACTIVE-PRIV
Credential Reuse
lateral-movement
T-5005MCP-EXPLOIT
Database Pivoting
lateral-movement
T-5006MCP-EXPLOIT
Internal API Discovery
lateral-movement
T-6003GATEWAY-EXPLOIT
Configuration Modification
persistence
T-6005HEARTBEAT-RCE
Scheduled Task Injection
persistence
T-6006SKILL-FRONTMATTER
Tool Registration Persistence
persistence
T-6007PERSIST-STATE
Persistent Agent State Manipulation
persistence
T-7002CODE-INJECTION
Database Extraction
collection
T-7003SKILL-EXFIL
API Data Harvesting
collection
T-7007ASSEMBLY-INJECT
Context Assembly Pipeline Attack
collection
T-8001SKILL-EXFIL
Email Exfiltration
exfiltration
T-8002SKILL-EXFIL
HTTP Callback
exfiltration
T-8003SKILL-EXFIL
DNS Exfiltration
exfiltration
T-8004SKILL-EXFIL
Tool Chain Exfiltration
exfiltration
T-8006SKILL-EXFIL
Webhook Exfiltration
exfiltration
T-9002NEMO-SUPPLY-CHAIN
Service Disruption
impact
T-9004ORG-SKILL-SPREAD
Multi-Agent Consensus Manipulation
impact
T-9005ORG-SKILL-SPREAD
Reputation Poisoning
impact
Scope

Where each framework draws the line

The three efforts are complementary. Each owns a layer; together they span model, agent, and exposure.

OWASP Top 10 for LLM

Covers

Prompt injection, output handling, supply chain, info disclosure, excessive agency, overreliance.

Does not cover

Agent protocols (MCP, A2A), governance file manipulation, memory persistence, cross-agent lateral movement, sandbox escape, heartbeat attacks, identity attacks.

MITRE ATLAS

Covers

Reconnaissance, initial access (adversarial ML), credential access, model extraction, data poisoning.

Does not cover

Agent infrastructure, skill supply chain, MCP/A2A exploitation, governance files, memory poisoning, heartbeat persistence, webhook exfiltration.

Agent Threat Matrix

Covers

The agent layer between the model and the user: governance, protocols, memory, identity, skills, and infrastructure.

Does not cover

Model-level attacks (adversarial examples, training poisoning), enterprise network attacks.

By framework

Uncovered by each, individually

Looked at one framework at a time, before intersecting them, the blind spots are wider still.

Not in OWASP LLM

31

of 61techniques fall outside OWASP's LLM Top 10.

Outside OWASP31/61 · 51%

Not in MITRE ATLAS

42

of 61 techniques fall outside MITRE ATLAS.

Outside ATLAS42/61 · 69%
← Back to matrix