
What is AIVSS? The Agentic AI Vulnerability Scoring System, explained

A plain-English guide · score your agents free at /agentic · all security terms → · updated June 2026

AIVSS (Agentic AI Vulnerability Scoring System) is an OWASP framework for scoring how risky a vulnerability is inside an autonomous AI agent. It keeps the familiar CVSS base score but adds ten factors unique to agents — autonomy, tool access, memory, multi-agent interaction and more — because the same flaw is far more dangerous in something that can act on its own.

What does AIVSS stand for?

AIVSS stands for Agentic AI Vulnerability Scoring System. It is published by the OWASP AIVSS project (aivss.owasp.org). IsItPatched implements the v0.8 methodology, with the spec version pinned on every score so assessments stay reproducible as the standard evolves.

How AIVSS differs from CVSS

CVSS scores a vulnerability as if it lives in conventional, static software. AIVSS recognises that the same flaw is much more dangerous inside an agent that plans, calls tools, holds memory across sessions and talks to other agents. It scales the gap between the CVSS base and 10 by ten agent-specific amplification factors, so a flaw that CVSS alone rates Medium can land in the High or Critical band when it sits in a highly autonomous, tool-wielding agent.

The AIVSS formula

The v0.8 calculation is:

  • Risk Gap = 10 − CVSS base score.
  • AARS (Agentic AI Risk Score) = Risk Gap × (sum of the ten factors ÷ 10) × Threat Multiplier.
  • AIVSS = (CVSS base + AARS) × Mitigation Factor, rounded to one decimal.

The Threat Multiplier reflects exploit maturity — actively exploited 1.0, proof-of-concept 0.97, theoretical 0.50. The Mitigation Factor reflects defences in place — none/weak 1.0, partial 0.83, strong 0.67 (no mitigation can fully remove agentic residual risk). Two properties follow directly from the formula and make handy sanity checks on any calculator: because only the Risk Gap is scaled, the score can never exceed 10 (all ten factors at 1.0 with no mitigation gives exactly 10.0), and with all ten factors at 0 the score collapses to CVSS base × Mitigation Factor, i.e. plain CVSS when nothing is mitigated.

The ten amplification factors

Each factor scores 0 (none), 0.5 (partial) or 1.0 (full):

  • Execution Autonomy — can it commit actions without a human co-sign?
  • External Tool Control Surface — breadth and privilege of the tools/APIs it can call.
  • Natural Language Interface — does unstructured language drive control logic?
  • Contextual Awareness — does it use sensors/environment state to decide?
  • Behavioral Non-Determinism — output variance that can change outcomes.
  • Opacity & Reflexivity — can you trace why an action was taken?
  • Persistent State Retention — does it retain memory across sessions?
  • Dynamic Identity — can it change role/permissions at runtime?
  • Multi-Agent Interactions — does it coordinate with other agents?
  • Self-Modification — can it alter its own goals, prompts, tools or code?

Severity bands

AIVSS uses the same bands as CVSS so you can triage on a scale you already know: Critical 9.0–10.0, High 7.0–8.9, Medium 4.0–6.9, Low 0.1–3.9, None 0.0.
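A worked implementation of the calculation, factors and bands described above, added here as an illustration: it is not IsItPatched's calculator and not code from the OWASP AIVSS project. The factor levels, multipliers and bands are the ones this page lists; the class and function names, the `AgenticFactors` field names and the sample agent profile are this example's own. It scores a constructed CVSS 5.3 (Medium) flaw in a highly autonomous, tool-wielding agent and shows it landing in Critical, then the same flaw pulled back to Medium by a theoretical threat level and strong mitigation, and confirms that with no agentic properties the score collapses to the CVSS base.

```python
"""Worked AIVSS v0.8 calculation following the formula stated on this page.

Added example, not IsItPatched's calculator or the OWASP project's code.
The numeric constants are the page's; names and the sample profile are ours.
"""
from dataclasses import dataclass, fields

# The only levels a factor may take (page: 0 none, 0.5 partial, 1.0 full).
FACTOR_LEVELS = (0.0, 0.5, 1.0)
# Exploit maturity and defences in place, as stated on the page ("none/weak" share 1.0).
THREAT_MULTIPLIER = {"actively_exploited": 1.0, "proof_of_concept": 0.97, "theoretical": 0.50}
MITIGATION_FACTOR = {"none": 1.0, "weak": 1.0, "partial": 0.83, "strong": 0.67}


@dataclass(frozen=True)
class AgenticFactors:
    """The ten amplification factors, each 0, 0.5 or 1.0 (field names are ours)."""
    execution_autonomy: float = 0.0
    external_tool_control_surface: float = 0.0
    natural_language_interface: float = 0.0
    contextual_awareness: float = 0.0
    behavioral_non_determinism: float = 0.0
    opacity_and_reflexivity: float = 0.0
    persistent_state_retention: float = 0.0
    dynamic_identity: float = 0.0
    multi_agent_interactions: float = 0.0
    self_modification: float = 0.0

    def __post_init__(self) -> None:
        # Reject anything outside the three permitted levels so a typo such as
        # 0.7 cannot silently inflate or deflate the score.
        for f in fields(self):
            value = getattr(self, f.name)
            if value not in FACTOR_LEVELS:
                raise ValueError(f"{f.name} must be one of {FACTOR_LEVELS}, got {value!r}")

    def total(self) -> float:
        return sum(getattr(self, f.name) for f in fields(self))


def severity_band(score: float) -> str:
    """CVSS-style bands exactly as the page lists them."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def aivss_score(cvss_base: float, factors: AgenticFactors,
                threat: str = "actively_exploited", mitigation: str = "none") -> float:
    """AIVSS = (CVSS base + AARS) x Mitigation Factor, rounded to one decimal."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be within 0.0-10.0")
    risk_gap = 10.0 - cvss_base  # headroom above the CVSS base that the factors can claim
    aars = risk_gap * (factors.total() / 10.0) * THREAT_MULTIPLIER[threat]
    return round((cvss_base + aars) * MITIGATION_FACTOR[mitigation], 1)


# Constructed sample: a Medium-rated (CVSS 5.3) flaw in an agent that acts without a
# human co-sign, wields broad tools, is driven by natural language, keeps memory
# across sessions and coordinates with peer agents. Factor total = 8.0.
SAMPLE_CVSS_BASE = 5.3
SAMPLE_AGENT = AgenticFactors(
    execution_autonomy=1.0, external_tool_control_surface=1.0,
    natural_language_interface=1.0, contextual_awareness=0.5,
    behavioral_non_determinism=1.0, opacity_and_reflexivity=0.5,
    persistent_state_retention=1.0, dynamic_identity=0.5,
    multi_agent_interactions=1.0, self_modification=0.5,
)
# Every factor at 1.0: used to confirm the formula tops out at exactly 10.
MAX_AGENT = AgenticFactors(**{f.name: 1.0 for f in fields(AgenticFactors)})


def worked_example() -> dict:
    """Score the sample flaw under several conditions; returns {case: (score, band)}."""
    results = {}
    # Exploited in the wild, nothing in place: the Medium flaw lands in Critical.
    s = aivss_score(SAMPLE_CVSS_BASE, SAMPLE_AGENT, "actively_exploited", "none")
    results["exploited_unmitigated"] = (s, severity_band(s))
    # Only a theoretical attack path plus strong defences: pulled back to Medium.
    s = aivss_score(SAMPLE_CVSS_BASE, SAMPLE_AGENT, "theoretical", "strong")
    results["theoretical_strong_mitigation"] = (s, severity_band(s))
    # Sanity check: with every factor at 0 the formula collapses to the CVSS base.
    s = aivss_score(SAMPLE_CVSS_BASE, AgenticFactors())
    results["no_agentic_properties"] = (s, severity_band(s))
    return results


if __name__ == "__main__":
    for case, (score, band) in worked_example().items():
        print(f"{case:32s} AIVSS {score:4.1f}  {band}")
```

The arithmetic for the first case is 10 − 5.3 = 4.7 of Risk Gap, times 8.0 ÷ 10 of factor weight, times 1.0 for an actively exploited flaw, giving an AARS of 3.76 and a final 9.06 that rounds to 9.1 (Critical). Swapping to a theoretical threat (×0.50) and strong mitigation (×0.67) gives (5.3 + 1.88) × 0.67 = 4.8 (Medium), which is the whole point of the two multipliers: they only ever pull the score down toward the mitigated CVSS base, never push it above 10.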

Score your AI agents, free

IsItPatched has a live AIVSS v0.8 calculator and a reference to the OWASP Agentic Top 10 — in your browser, no account needed.

Score an agent now →

Frequently asked questions

What is AIVSS?

AIVSS — the Agentic AI Vulnerability Scoring System — is an OWASP scoring framework for vulnerabilities in agentic AI systems. It starts from a standard CVSS base score and amplifies it using ten factors specific to autonomous agents (autonomy, tool access, memory, multi-agent interaction and more), then adjusts for exploit maturity and the strength of any mitigations. The result is a single 0–10 score that reflects how risky a flaw is in an agent, not just in static software.

What does AIVSS stand for?

AIVSS stands for Agentic AI Vulnerability Scoring System. It is published by the OWASP AIVSS project (aivss.owasp.org). IsItPatched implements the v0.8 methodology.

How is AIVSS different from CVSS?

CVSS scores a vulnerability as if it sits in conventional software. AIVSS keeps the CVSS base score but recognises that the same flaw is far more dangerous inside an autonomous agent that can act on its own, call tools, hold memory and coordinate with other agents. It scales the gap between the base score and 10 by ten agent-specific amplification factors, so a moderate CVSS flaw in a highly autonomous, tool-wielding agent can land in the High or Critical band.

How is the AIVSS score calculated?

Risk Gap = 10 − CVSS base. The Agentic AI Risk Score (AARS) = Risk Gap × (sum of the ten factors ÷ 10) × Threat Multiplier. The final AIVSS = (CVSS base + AARS) × Mitigation Factor, rounded to one decimal. Each of the ten factors scores 0 (none), 0.5 (partial) or 1.0 (full). The Threat Multiplier reflects exploit maturity (actively exploited 1.0, proof-of-concept 0.97, theoretical 0.50) and the Mitigation Factor reflects defences in place (none/weak 1.0, partial 0.83, strong 0.67).

What are the ten AIVSS amplification factors?

Execution Autonomy, External Tool Control Surface, Natural Language Interface, Contextual Awareness, Behavioral Non-Determinism, Opacity & Reflexivity, Persistent State Retention, Dynamic Identity, Multi-Agent Interactions and Self-Modification. Each captures a property of agentic systems that makes a vulnerability easier to exploit or more damaging.

What are the AIVSS severity bands?

Critical 9.0–10.0, High 7.0–8.9, Medium 4.0–6.9, Low 0.1–3.9, and None 0.0 — mirroring the familiar CVSS bands so teams can triage agentic risk on the same scale they already use.

IsItPatched is independent and not affiliated with OWASP, AIVSS, CISA or NIST. AIVSS scores are an aid to prioritisation, not a guarantee. See our disclaimer.