T-1002 · Validated · Emerging

Tool Discovery

Enumerate available tools and their schemas via MCP tools/list or equivalent discovery endpoints

Tactic

Reconnaissance · Stage 1

Map the target agent's attack surface, capabilities, and behavioral boundaries

Attack class

MCP-EXPLOIT

Attacking Model Context Protocol server configurations, tool registrations, and inter-server trust

Evidence grade
Validated

Reproduced in a controlled lab environment (DVAA) with documented steps.

DVAA validation

ToolBot tools/list

Reproductions in Damn Vulnerable AI Agent, the OpenA2A intentionally-broken agent for kill-chain validation.

Honeypot

AgentPwn coverage

Live
mcp-exploitation · agentpwn.com/learn

An AgentPwn trap page produces a payload tagged with this technique class. Following the AgentPwn taxonomy of trap pages shows what an agent encounters.

The Tool Discovery tier asks the agent to enumerate its MCP tools and schemas.

Detect

Detection · HackMyAgent

Live · 1 live · 0 queued
MCP-011
npx hackmyagent secure --ci
Live = implemented in hackmyagent; queued = declared

Defend

Defense · OASB controls

Live · 1 live · 0 queued
Live = documented at oasb.ai; queued = declared

Reference

How to cite

AI Agent Threat Matrix T-1002 (Tool Discovery). OpenA2A, 2026. https://threats.opena2a.org/techniques/T-1002