Path A
API Agent Full Compromise
LegacyBot to ToolBot: recon, inject, harvest creds, pivot, enumerate files, exfiltrate
Kill chains
Attack Paths
Complete kill-chain traversals demonstrated in DVAA (Damn Vulnerable AI Agent), the OpenA2A intentionally-broken agent for validating attack chains. Each path shows how techniques chain together across multiple tactics to achieve a specific attacker objective.
Storylines
Four ways an agent falls
Read each row left to right: an attacker advances one technique at a time, each step compounding the last. Amber marks the progression of escalation.
Path B
Memory Persistence Chain
MemoryBot: recon, inject, persist in memory, dump memory, exfiltrate via conversation
Path C
Multi-Agent A2A Chain
Orchestrator to Worker to ToolBot: discover agent card, inject, impersonate admin, pivot via A2A, modify data
Path D
Supply Chain to Full Compromise
PluginBot to ProxyBot: discover tools, inject via tool description, backdoor skill, hop MCP servers, compromise downstream