OWASP Agentic Top 10 — Vectimus Mapping Analysis
This document maps the OWASP Top 10 for Agentic Applications 2026 (ASI01-ASI10) to enforceable Cedar policies within Vectimus. Vectimus operates at the tool hook level: it sees one action at a time (a shell command, a file write, a web request, an MCP tool call). It does not see conversation history, agent memory, multi-agent communication or behavioural patterns over time.
Some OWASP categories map cleanly to Cedar rules. Others do not. This document is honest about the distinction.
ASI01: Agent Goal Hijack
Summary: Attackers redirect an agent’s objectives through prompt injection, poisoned documents or forged messages, causing the agent to pursue goals it was not instructed to pursue.
Enforceability at hook level: PARTIAL
Goal hijack itself is invisible at the action level. Vectimus cannot see the prompt or determine whether the agent’s current goal has been altered. However, the consequences of goal hijack are often visible: data exfiltration via web requests, DNS tunnelling via shell commands, base64-encoded data sent to external endpoints. Vectimus can intercept these exfiltration patterns.
Detectable patterns:
- Shell commands encoding data in base64 and sending via curl/wget to external hosts
- DNS exfiltration patterns in shell commands (e.g.
nslookupordigwith encoded subdomains) - Shell commands piping sensitive file contents to network tools
- Web requests to known data-exfiltration patterns (e.g. webhook.site, requestbin)
Out of scope patterns:
- Prompt injection detection (requires inspecting LLM input/output, not tool calls)
- Detecting goal drift over multiple steps (requires session-level analysis)
- Forged agent-to-agent messages (requires inter-agent protocol inspection)
- Behavioural deviation from baseline (requires historical pattern matching)
ASI02: Tool Misuse and Exploitation
Summary: Agents misuse legitimate tools due to prompt injection or misalignment, leading to data exfiltration, resource overload or unintended destructive operations.
Enforceability at hook level: HIGH
Tool misuse produces visible tool calls. Destructive shell commands, overuse of costly APIs, and unintended file modifications are all interceptable at the hook level. The base pack already covers many destructive command patterns. The OWASP pack adds patterns specific to agentic tool-chaining attacks.
ASI03: Identity and Privilege Abuse
Summary: Agents exploit dynamic trust and delegation to escalate access, inherit credentials or bypass authorisation controls.
Enforceability at hook level: PARTIAL
Vectimus cannot inspect delegation chains, token inheritance or multi-agent trust relationships. It can detect specific tool calls that access credential stores, assume elevated privileges, or operate in other users’ directories.
ASI04: Agentic Supply Chain Vulnerabilities
Summary: Agents consume tools, packages and prompts from third parties that may be malicious, compromised or tampered with in transit.
Enforceability at hook level: HIGH
Supply chain attacks manifest as specific tool calls: installing packages from untrusted sources, modifying lockfiles, altering CI/CD pipelines, pulling prompt templates from external URLs. These are highly detectable at the hook level.
ASI05: Unexpected Code Execution (RCE)
Summary: Agents generate and execute code that results in remote code execution, sandbox escape or persistent compromise.
Enforceability at hook level: HIGH
Code execution is directly visible in shell commands and file writes. Vectimus can detect eval patterns, script creation and immediate execution, unsafe deserialization commands and reverse shell patterns.
ASI06: Memory and Context Poisoning
Summary: Adversaries corrupt stored agent context, conversation memory or RAG data to bias future reasoning and tool usage.
Enforceability at hook level: PARTIAL
Memory poisoning is primarily an internal agent concern. Vectimus cannot inspect what gets written to agent memory or RAG stores. However, it can detect writes to agent configuration files and instruction files that alter agent behaviour across sessions.
ASI07: Insecure Inter-Agent Communication
Enforceability at hook level: LOW
Requires protocol-level controls beyond hook evaluation. No Cedar rules proposed.
ASI08: Cascading Failures
Enforceability at hook level: LOW
Requires system-level monitoring of fault propagation. No Cedar rules proposed. Vectimus contributes indirectly by blocking the triggering actions that often initiate cascades.
ASI09: Human-Agent Trust Exploitation
Enforceability at hook level: LOW
Requires output/conversation inspection, not tool call evaluation. No Cedar rules proposed.
ASI10: Rogue Agents
Enforceability at hook level: PARTIAL
Rogue agent behaviour manifests through specific observable actions: data exfiltration, unauthorised agent spawning, self-replication attempts, and resource abuse. While Vectimus cannot detect the behavioural drift itself, it can block the harmful actions that rogue agents attempt.
Summary table
| Category | Name | Enforceability | Notes |
|---|---|---|---|
| ASI01 | Agent Goal Hijack | PARTIAL | Data exfiltration patterns detectable. Goal manipulation itself is not. |
| ASI02 | Tool Misuse & Exploitation | HIGH | Agent-specific misuse patterns. Base pack covers general destructive commands. |
| ASI03 | Identity & Privilege Abuse | PARTIAL | Credential access and privilege escalation commands detectable. |
| ASI04 | Supply Chain Vulnerabilities | HIGH | Lockfile tampering, registry poisoning, untrusted installs. |
| ASI05 | Unexpected Code Execution | HIGH | Reverse shells, eval patterns, download-execute chains all detectable. |
| ASI06 | Memory & Context Poisoning | PARTIAL | Writes to instruction files and config directories detectable. |
| ASI07 | Insecure Inter-Agent Comms | LOW | Requires protocol-level controls. |
| ASI08 | Cascading Failures | LOW | Requires system-level monitoring. |
| ASI09 | Human-Agent Trust Exploitation | LOW | Requires output inspection. |
| ASI10 | Rogue Agents | PARTIAL | Log tampering and persistence mechanisms detectable. |
What Vectimus does not cover
Vectimus enforces deterministic pre-action controls. It evaluates each tool call in isolation against Cedar policies. This design gives it strong coverage of categories where attacks manifest as specific, recognisable tool invocations (ASI02, ASI04, ASI05). It provides partial coverage where attack consequences produce detectable tool calls even though the root cause is invisible (ASI01, ASI03, ASI06, ASI10).
Three categories sit entirely outside the scope of pre-action policy evaluation:
-
ASI07 (Insecure Inter-Agent Communication) requires protocol-level controls: mutual authentication, message signing, encrypted channels and semantic validation between agents.
-
ASI08 (Cascading Failures) describes fault propagation patterns across agents and systems. Detecting cascades requires monitoring action rates, identifying feedback loops and tracking cross-domain spread.
-
ASI09 (Human-Agent Trust Exploitation) operates at the human-agent interaction layer. The attack vector is the agent’s conversational output, not its tool calls.
Organisations should pair Vectimus with complementary controls for these categories.