Is the AI agent you’re shipping actually safe?
Agentic risks are mostly design risks, and no CVE feed will catch them. Score your agent against the OWASP Agentic Top 10 and AIVSS in one sitting. Start with the 30-second trifecta screen, then run the calculator. Everything runs in your browser.
The Lethal Trifecta — 30-second screen
An agent is acutely dangerous when it has all three at once. Tick what applies:
- Access to private data (mailboxes, documents, databases, credentials).
- Exposure to untrusted content (web pages, inbound email, tool results an attacker can influence).
- A way to communicate externally (sending messages, making web requests, writing to shared stores).
Any two are manageable with controls; all three together let injected content read your data and carry it out.
AIVSS calculator v0.8
CVSS v4.0 base × agentic amplification. Score a single finding, then read its qualitative band.
The OWASP Agentic Top 10 (2026)
The ten risk classes specific to autonomous agents, each paired with a publicly disclosed incident.
- ASI01 Agent Goal Hijack. An attacker manipulates the agent's objectives, instructions or decision path, via prompt injection or poisoned inputs, so it pursues unintended outcomes. In the wild: EchoLeak (2025), where a zero-click email made Microsoft Copilot leak confidential data outside its scope (Microsoft / Aim Security).
- ASI02 Tool Misuse & Exploitation. The agent uses connected tools in unsafe ways, or attackers exploit tool interfaces; the abuse often stays within the agent's granted privileges. In the wild: OpenAI Codex CLI (2025), where a sandbox-config flaw let agent-generated code write outside the intended workspace (NVD).
- ASI03 Identity & Privilege Abuse. Agents inherit or delegate credentials without proper scoping, creating an attribution gap and paths to privilege escalation. In the wild: A2A "Agent-in-the-Middle" (2025), where a rogue agent published a fake agent card falsely claiming high trust (Trustwave).
- ASI04 Agentic Supply Chain Vulnerabilities. Malicious or compromised tools, MCP servers, agent cards and registries in the runtime ecosystem the agent pulls from. In the wild: Claude "Skills" (2025), where malicious plugins were re-uploaded to deploy MedusaLocker ransomware (Cato CTRL).
- ASI05 Unexpected Code Execution (RCE). Agent-generated or "vibe-coded" execution paths run unintended code and bypass controls. In the wild: OpenAI Codex CLI (2025), where model-generated code escaped the sandbox to run beyond its scope (NVD).
- ASI06 Memory & Context Poisoning. Persistent corruption of an agent's memory, embeddings or shared context steers its future decisions. In the wild: EchoLeak (2025), where a crafted email poisoned Copilot's context to drive data exfiltration (Microsoft / Aim Security).
- ASI07 Insecure Inter-Agent Communication. Weak agent-to-agent protocols, discovery and semantic validation let messages be spoofed, tampered with or misrouted. In the wild: A2A protocol spoofing (2025), where a fake agent card let a rogue agent intercept inter-agent traffic (Trustwave).
- ASI08 Cascading Failures. One fault or compromise propagates across agents and workflows, amplifying a small issue into a system-wide one. In the wild: Copilot / Cursor (2025), where AI-suggested backdoors and logic flaws propagated into production code (Pillar Security).
- ASI09 Human-Agent Trust Exploitation. Anthropomorphism and authority bias are weaponised to subvert human oversight and approvals. In the wild: Copilot / Cursor (2025), where developers trusted AI suggestions that injected backdoors and leaked API keys (Pillar Security).
- ASI10 Rogue Agents. Compromised, misaligned or drifting agents keep operating in unintended ways: behavioural drift, collusion, self-replication. In the wild: A2A "Agent-in-the-Middle" (2025), where a rogue agent claimed high trust and exfiltrated sensitive data (Trustwave).
Real-world examples are publicly-disclosed incidents from the OWASP Agentic Security Initiative Exploits & Incidents Tracker.
Straight with you: this is a free, informational readiness tool built on the public OWASP Agentic Top 10 and AIVSS v0.8 standards. It helps you understand, score and evidence your agentic risk, but it is not a certification, audit or legal advice, and a low score does not mean your agent is secure. Several of these risks need human red-teaming to assess properly.
Frequently asked
What is the OWASP Agentic Top 10?
The OWASP Top 10 for Agentic Applications (2026) is a peer-reviewed list of the ten most critical security risks specific to autonomous and semi-autonomous AI agents — ASI01 to ASI10. Unlike traditional app risks, most are architectural: goal hijack, tool misuse, identity abuse, supply chain, memory poisoning and more.
What is AIVSS?
The AI Vulnerability Scoring System (AIVSS, an OWASP project) scores how much an agent's capabilities amplify a vulnerability. It combines the CVSS v4.0 base score with an agentic amplification derived from ten factors (autonomy, tool scope, memory, self-modification and so on), producing a contextual 0–10 score. This tool implements AIVSS v0.8 and pins that version to every score it produces, so a result can always be traced back to the rules it was computed under.
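To make the scoring shape concrete, here is an added example scorer; it is not the page's calculator or OWASP's code. It follows what the page describes: a CVSS v4.0 base score, ten agentic factors, a 0–10 result with a qualitative band, and the standard version pinned into every score record. The arithmetic is the (CVSS base + agentic risk score) / 2 × threat-multiplier form of the earlier public AIVSS v0.5 draft; the page does not reproduce the v0.8 formula its calculator uses, so the factor names, level scale, multiplier values and band cut-offs below are assumptions for illustration. The sample finding is constructed, not a real disclosure.

```python
"""Illustrative AIVSS-style scorer (added example; not the page's calculator).

Arithmetic follows the public AIVSS v0.5 draft form, (CVSS base + AARS) / 2
times a threat multiplier. Factor names, the 0/0.5/1 level scale, multiplier
values and band cut-offs are ASSUMPTIONS for illustration; the v0.8 formula
used by the page's tool is not reproduced here.
"""
import hashlib
import json

AIVSS_VERSION = "0.5-illustrative"  # pinned into every score record

# Ten agentic factors (names assumed from the v0.5 draft), each scored 0 / 0.5 / 1.
FACTORS = (
    "autonomy_of_action", "tool_use", "memory_use", "dynamic_identity",
    "multi_agent_interactions", "non_determinism", "self_modification",
    "goal_driven_planning", "contextual_awareness", "opacity_traceability",
)
FACTOR_LEVELS = (0.0, 0.5, 1.0)
# Exploit-maturity multiplier (assumed values): observed attacks count in full.
THREAT_MULTIPLIER = {"attacked": 1.0, "poc": 0.9, "unreported": 0.8}


def aars(factors: dict) -> float:
    """Agentic AI Risk Score: sum of the ten factor levels, range 0-10.
    Rejects unknown, missing or off-scale factors so a typo cannot silently
    lower a score."""
    unknown = set(factors) - set(FACTORS)
    missing = set(FACTORS) - set(factors)
    if unknown or missing:
        raise ValueError(f"unknown={sorted(unknown)} missing={sorted(missing)}")
    bad = {k: v for k, v in factors.items() if v not in FACTOR_LEVELS}
    if bad:
        raise ValueError(f"factor levels must be 0, 0.5 or 1: {bad}")
    return sum(factors[k] for k in FACTORS)


def aivss_score(cvss_base: float, factors: dict,
                exploit_maturity: str = "unreported") -> float:
    """Contextual 0-10 score: average the CVSS base with AARS, apply multiplier."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS v4.0 base score must lie within 0.0-10.0")
    core = (cvss_base + aars(factors)) / 2
    return round(min(10.0, core * THREAT_MULTIPLIER[exploit_maturity]), 1)


def band(score: float) -> str:
    """Qualitative band using CVSS-style cut-offs (assumed to apply here)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def score_record(finding_id: str, cvss_base: float, factors: dict,
                 exploit_maturity: str = "unreported") -> dict:
    """Evidence record: inputs, version pin, result, and a SHA-256 over a
    canonical JSON serialisation so the record can be re-verified later."""
    score = aivss_score(cvss_base, factors, exploit_maturity)
    record = {
        "aivss_version": AIVSS_VERSION,
        "finding": finding_id,
        "cvss_v4_base": cvss_base,
        "agentic_factors": {k: factors[k] for k in FACTORS},
        "aars": aars(factors),
        "exploit_maturity": exploit_maturity,
        "score": score,
        "band": band(score),
    }
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    record["sha256"] = hashlib.sha256(canonical.encode()).hexdigest()
    return record


# Constructed sample finding (not a real disclosure): an inbox-reading agent
# with a web tool, so injected email content can steer it to exfiltrate data.
SAMPLE_FACTORS = {
    "autonomy_of_action": 1.0, "tool_use": 1.0, "memory_use": 0.5,
    "dynamic_identity": 0.5, "multi_agent_interactions": 0.0,
    "non_determinism": 0.5, "self_modification": 0.0,
    "goal_driven_planning": 1.0, "contextual_awareness": 1.0,
    "opacity_traceability": 0.5,
}

if __name__ == "__main__":
    print(json.dumps(score_record("FINDING-0001", 8.6, SAMPLE_FACTORS, "attacked"), indent=2))
```

Two things worth noticing when you run it: the averaging form means a finding with a high CVSS base but few agentic factors scores below its CVSS base (a 9.8 with every factor at zero lands at 4.9, Medium), which is exactly the contextual adjustment the page describes, so read the agentic factors as honestly as the CVSS vector; and the digest over the canonical record is what turns a score into evidence, because anyone holding the record can recompute it and confirm neither inputs nor version pin were edited after the fact.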
Is this a certification or audit?
No. This is a free, informational readiness tool built on the public OWASP/AIVSS standards. It helps you understand and score your agentic risk and produce evidence — it is not a certification, an audit, or legal advice, and a low score never means “you are secure.” Risks that need human red-teaming are called out as such.
Does my assessment data leave my browser?
No. The quick screen and the AIVSS calculator run entirely in your browser. Nothing is uploaded.