OWASP Agentic Top 10:Vectimus Mapping Analysis
This document maps the OWASP Top 10 for Agentic Applications 2026 (ASI01-ASI10) to enforceable Cedar policies within Vectimus. Vectimus operates at the tool hook level: it sees one action at a time (a shell command, a file write, a web request, an MCP tool call). It does not see conversation history, agent memory, multi-agent communication or behavioural patterns over time.
Some OWASP categories map cleanly to Cedar rules. Others do not. This document is honest about the distinction.
ASI01: Agent Goal Hijack
Summary: Attackers redirect an agent’s objectives through prompt injection, poisoned documents or forged messages, causing the agent to pursue goals it was not instructed to pursue.
Enforceability at hook level: PARTIAL
Goal hijack itself is invisible at the action level. Vectimus cannot see the prompt or determine whether the agent’s current goal has been altered. However, the consequences of goal hijack are often visible: data exfiltration via web requests, DNS tunnelling via shell commands, base64-encoded data sent to external endpoints. Vectimus can intercept these exfiltration patterns.
Detectable patterns:
- Shell commands encoding data in base64 and sending via curl/wget to external hosts
- DNS exfiltration patterns in shell commands (e.g.
nslookupordigwith encoded subdomains) - Shell commands piping sensitive file contents to network tools
- Web requests to known data-exfiltration patterns (e.g. webhook.site, requestbin)
Out of scope patterns:
- Prompt injection detection (requires inspecting LLM input/output, not tool calls)
- Detecting goal drift over multiple steps (requires session-level analysis)
- Forged agent-to-agent messages (requires inter-agent protocol inspection)
- Behavioural deviation from baseline (requires historical pattern matching)
ASI02: Tool Misuse and Exploitation
Summary: Agents misuse legitimate tools due to prompt injection or misalignment, leading to data exfiltration, resource overload or unintended destructive operations.
Enforceability at hook level: HIGH
Tool misuse produces visible tool calls. Destructive shell commands, overuse of costly APIs and unintended file modifications are all interceptable at the hook level. The base pack already covers many destructive command patterns. The OWASP pack adds patterns specific to agentic tool-chaining attacks.
ASI03: Identity and Privilege Abuse
Summary: Agents exploit dynamic trust and delegation to escalate access, inherit credentials or bypass authorisation controls.
Enforceability at hook level: PARTIAL
Vectimus cannot inspect delegation chains, token inheritance or multi-agent trust relationships. It can detect specific tool calls that access credential stores, assume elevated privileges, or operate in other users’ directories.
ASI04: Agentic Supply Chain Vulnerabilities
Summary: Agents consume tools, packages and prompts from third parties that may be malicious, compromised or tampered with in transit.
Enforceability at hook level: HIGH
Supply chain attacks manifest as specific tool calls: installing packages from untrusted sources, modifying lockfiles, altering CI/CD pipelines, pulling prompt templates from external URLs. These are highly detectable at the hook level.
ASI05: Unexpected Code Execution (RCE)
Summary: Agents generate and execute code that results in remote code execution, sandbox escape or persistent compromise.
Enforceability at hook level: HIGH
Code execution is directly visible in shell commands and file writes. Vectimus can detect eval patterns, script creation and immediate execution, unsafe deserialization commands and reverse shell patterns.
ASI06: Memory and Context Poisoning
Summary: Adversaries corrupt stored agent context, conversation memory or RAG data to bias future reasoning and tool usage.
Enforceability at hook level: PARTIAL
Memory poisoning is primarily an internal agent concern. Vectimus cannot inspect what gets written to agent memory or RAG stores. However, it can detect writes to agent configuration files and instruction files that alter agent behaviour across sessions.
ASI07: Insecure Inter-Agent Communication
Summary: Agents communicate with other agents through unprotected channels, enabling message spoofing, amplification attacks and privilege escalation via delegation.
Enforceability at hook level: PARTIAL
Full protocol-level controls (mutual authentication, message signing, encrypted channels) are beyond hook evaluation. However, the dangerous consequences of insecure inter-agent communication are visible as tool calls: broadcast message amplification, privilege cascade via bypassPermissions delegation, and shutdown requests that terminate peer agents.
Detectable patterns:
- Broadcast messages to all agents (amplification and noise injection)
- Sub-agent spawns with
bypassPermissionsordontAskmode (privilege cascade) - Shutdown requests sent between peer agents (agent termination attacks)
Out of scope patterns:
- Message authentication and integrity verification between agents
- Encrypted inter-agent communication channels
- Semantic validation of inter-agent message content
ASI08: Cascading Failures
Summary: A failure in one agent propagates across a multi-agent system, causing resource exhaustion, feedback loops and system-wide degradation.
Enforceability at hook level: PARTIAL
System-level monitoring of fault propagation is beyond hook evaluation. However, the triggering actions that initiate cascades are visible as tool calls: runaway execution with excessive turn counts, uncontrolled team/swarm creation, background agents with unrestricted permissions, and spawn/message floods.
Detectable patterns:
- Agent spawns with excessive
max_turnsvalues (runaway execution) - Uncontrolled
TeamCreatecalls (swarm amplification) - Background agents spawned with
bypassPermissions(unmonitored cascades) - Session-level spawn floods and message floods (rate-based detection)
Out of scope patterns:
- Cross-system fault propagation tracking
- Feedback loop detection across agent boundaries
- Cascading failure recovery and circuit-breaking
ASI09: Human-Agent Trust Exploitation
Enforceability at hook level: PARTIAL
Trust exploitation ultimately manifests through tool calls: an agent convinced to bypass safety flags, escalate privileges or disable oversight. Vectimus cannot inspect conversational output or detect social engineering in model responses. But it can block the actions a manipulated agent attempts.
Cedar rules:
vectimus-agentgov-001through004: Block spawning AI tools with permission bypass flags (skip-permissions, yolo, trust-all, generic force/skip flags)vectimus-agentgov-006: Block spawning sub-agents with elevated permissionsvectimus-agentgov-010: Block background agents with unrestricted permissionsvectimus-agentgov-013: Block agents from disabling or clearing audit logs
These rules enforce that even if an agent is socially engineered into attempting dangerous actions, the tool calls are still evaluated against policy. The agent cannot bypass its own governance layer regardless of what it was told to do.
What is not covered: Detecting manipulation in the agent’s conversational output. If the attack stays entirely within the conversation (e.g. the agent gives bad advice without making tool calls), Vectimus has no visibility. Output inspection requires a different kind of tool.
ASI10: Rogue Agents
Enforceability at hook level: PARTIAL
Rogue agent behaviour manifests through specific observable actions: data exfiltration, unauthorised agent spawning, self-replication attempts, and resource abuse. While Vectimus cannot detect the behavioural drift itself, it can block the harmful actions that rogue agents attempt.
Summary table
| Category | Name | Enforceability | Notes |
|---|---|---|---|
| ASI01 | Agent Goal Hijack | PARTIAL | Data exfiltration patterns detectable. Goal manipulation itself is not. |
| ASI02 | Tool Misuse & Exploitation | HIGH | Agent-specific misuse patterns. Base pack covers general destructive commands. |
| ASI03 | Identity & Privilege Abuse | PARTIAL | Credential access and privilege escalation commands detectable. |
| ASI04 | Supply Chain Vulnerabilities | HIGH | Lockfile tampering, registry poisoning, untrusted installs. |
| ASI05 | Unexpected Code Execution | HIGH | Reverse shells, eval patterns, download-execute chains all detectable. |
| ASI06 | Memory & Context Poisoning | PARTIAL | Writes to instruction files and config directories detectable. |
| ASI07 | Insecure Inter-Agent Comms | PARTIAL | Broadcast, privilege delegation and shutdown attacks detectable. Protocol-level controls are not. |
| ASI08 | Cascading Failures | PARTIAL | Runaway turns, swarm creation, spawn/message floods detectable. Cross-system propagation is not. |
| ASI09 | Human-Agent Trust Exploitation | PARTIAL | Tool-call consequences blocked (permission bypass, privilege escalation, audit tampering). Conversational manipulation is not. |
| ASI10 | Rogue Agents | PARTIAL | Log tampering and persistence mechanisms detectable. |
What Vectimus does not cover
Vectimus enforces deterministic pre-action controls. It evaluates each tool call in isolation against Cedar policies. This design gives it strong coverage of categories where attacks manifest as specific, recognisable tool invocations (ASI02, ASI04, ASI05). It provides partial coverage where attack consequences produce detectable tool calls even though the root cause is invisible (ASI01, ASI03, ASI06, ASI09, ASI10).
No category is entirely uncovered, but one has limited reach:
- ASI09 (Human-Agent Trust Exploitation) partly operates at the conversational layer. Vectimus blocks the tool-call consequences of manipulation (permission bypass flags, privilege escalation, audit tampering) but cannot inspect model output for social engineering or deceptive responses.
Two categories have partial coverage through the agent-governance pack but retain significant gaps:
-
ASI07 (Insecure Inter-Agent Communication) — Vectimus blocks dangerous inter-agent actions (broadcast amplification, privilege delegation, peer shutdown) but cannot enforce protocol-level controls like mutual authentication, message signing or encrypted channels.
-
ASI08 (Cascading Failures) — Vectimus blocks the triggering actions that initiate cascades (runaway turns, swarm creation, spawn/message floods) but cannot detect cross-system fault propagation or feedback loops.
Organisations should pair Vectimus with complementary controls for ASI09. For ASI07 and ASI08, Vectimus provides a meaningful first line of defence but protocol-level and system-level monitoring adds depth.