How our 35 threat categories map to the OWASP Agentic Top 10 (2026 edition, published Dec 2025). Verified against the official PDF. 6 risks covered, 1 partial, 3 honest gaps.
"Attackers can manipulate an agent's objectives, task selection, or decision pathways through a variety of techniques — including, but not limited to, prompt-based manipulation, deceptive tool outputs, malicious artefacts, forged agent-to-agent messages, or poisoned external data."
This is our core surface: prompt injection (direct + indirect), hidden instructions, memory poisoning, and tool-output manipulation that steer agent behavior.
"Agents can misuse legitimate tools due to prompt injection, misalignment, or unsafe delegation or ambiguous instruction — leading to data exfiltration, tool output manipulation or workflow hijacking."
We detect MCP/tool-metadata poisoning, agent-workflow violations, and tool-invocation patterns that suggest misuse or privilege escalation via tool chains.
"Identity & Privilege Abuse exploits dynamic trust and delegation in agents to escalate access and bypass controls by manipulating delegation chains, role inheritance, control flows, and agent context."
Our auth-bypass, privilege escalation, sandbox escape, and credential patterns detect the input-layer triggers for these attacks.
"Arise when agents, tools, and related artefacts they work with are provided by third parties and may be malicious, compromised, or tampered with in transit… including models and model weights, tools, plug-ins, datasets, other agents, agentic interfaces — MCP (Model Context Protocol), A2A (Agent2Agent) — agentic registries and related artifacts, or update channels."
We scan the runtime expression of supply-chain compromise: malicious tool descriptions, poisoned MCP metadata, and patterns in third-party artifacts. Model-weight scanning is not our surface.
"Agentic systems — including popular vibe coding tools — often generate and execute code. Attackers exploit code-generation features or embedded tool access to escalate actions into remote code execution (RCE), local misuse, or exploitation of internal systems."
We catch dangerous payloads the agent would execute: shell injection, deserialization, path traversal, SSRF.
"In Memory and Context Poisoning, adversaries corrupt or seed this context with malicious or misleading data, causing future reasoning, planning, or tool use to become biased, unsafe, or aid exfiltration."
Direct match for our memory_poisoning and parasitic_injection categories.
"Weak inter-agent controls for authentication, integrity, confidentiality, or authorization let attackers intercept, manipulate, spoof, or block messages."
Not yet covered. Sunglasses today scans content before ingestion — not A2A protocol payloads in motion. Planned for v0.3.0 output scanning: we will inspect agent-to-agent messages the same way we inspect tool outputs, detecting prompt-injection and tool-poisoning patterns in inter-agent content.
"Agentic cascading failures occur when a single fault (hallucination, malicious input, corrupted tool, or poisoned memory) propagates across autonomous agents, compounding into system-wide harm."
Not covered. Cascading failure detection requires system-level behavior monitoring and orchestration awareness — outside our pattern-level surface. See Arthur Shield, Dreadnode, Mindgard for system-behavior red-teaming.
"Adversaries or misaligned designs may exploit this trust to influence user decisions, extract sensitive information, or steer outcomes for malicious purposes."
We detect the input-side triggers for social engineering and UI-based deception. We do not detect an agent's own anthropomorphic overreach — that's a model-alignment problem.
"Rogue Agents are malicious or compromised AI Agents that deviate from their intended function or authorized scope, acting harmfully, deceptively, or parasitically within multi-agent or human-agent ecosystems."
Not covered. Rogue-agent detection is a behavior/reputation problem that operates at the agent-identity and run-history layer, not at the content layer. See Pillar Security, Straiker, Zenity for agent-posture and governance.
| OWASP ASI Risk | Coverage | Primary Sunglasses Categories |
|---|---|---|
| ASI01 Agent Goal Hijack | COVERED | prompt_injection family, memory_poisoning, tool_poisoning |
| ASI02 Tool Misuse and Exploitation | COVERED | tool_poisoning, mcp_threat, agent_workflow, privilege_escalation |
| ASI03 Identity and Privilege Abuse | COVERED | auth_bypass, privilege_escalation, sandbox_escape, secret_detection |
| ASI04 Agentic Supply Chain | COVERED | supply_chain, mcp_threat, tool_poisoning (runtime signals) |
| ASI05 Unexpected Code Execution (RCE) | COVERED | command_injection, deserialization, path_traversal, ssrf |
| ASI06 Memory & Context Poisoning | COVERED | memory_poisoning, parasitic_injection, hidden_instruction |
| ASI07 Inter-Agent Communication | GAP → v0.3.0 | A2A payload scanning (planned) |
| ASI08 Cascading Failures | GAP | System-level behavior (out of surface) |
| ASI09 Human-Agent Trust Exploitation | PARTIAL | social_engineering, ui_injection (input-side only) |
| ASI10 Rogue Agents | GAP | Agent-behavior monitoring (out of surface) |
Official source: genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026 (PDF, CC BY-SA 4.0, Dec 2025).