Agentic Threat Radar
SecurityRecipes is positioned as the secure context layer for agentic AI. That claim is stronger when the site can prove that its controls track the current threat landscape, not only a static set of prompts. The Agentic Threat Radar does that by turning external guidance into a generated evidence pack:
- Source-backed threat signals from OWASP, MCP, NIST, CISA, Microsoft, OpenAI, and CSA.
- Mapped SecurityRecipes capabilities such as the Secure Context Trust Pack, Context Poisoning Guard, MCP Gateway Policy, Agent Identity Ledger, Red-Team Drill Pack, Readiness Scorecard, Agentic System BOM, and this radar.
- Buyer triggers that explain when an enterprise should care.
- Product roadmap actions that keep the open knowledge base aligned with a future hosted MCP/server business.
Generated artifact
- Source registry:
data/intelligence/agentic-threat-radar-sources.json - Generator:
scripts/generate_agentic_threat_radar.py - Evidence pack:
data/evidence/agentic-threat-radar.json - MCP tool:
recipes_agentic_threat_radar
Regenerate and validate the pack:
python3 scripts/generate_agentic_threat_radar.py
python3 scripts/generate_agentic_threat_radar.py --checkCurrent source-backed signals
| Signal | Priority | Why it matters |
|---|---|---|
| Indirect prompt injection as social engineering | Critical | Agents now process hostile emails, websites, documents, tickets, and tool results; string filters are not enough. |
| MCP token passthrough and scope creep | Critical | Remote MCP servers need audience-bound tokens, resource indicators, precise scopes, and default-deny gateway policy. |
| Agent identity explosion | Critical | Agents are becoming their own non-human identity class, with ownership, delegation, token lifetime, and revocation needs. |
| Tool poisoning and shadow MCP | High | Tool descriptions, schemas, local servers, and connector updates are now part of the attack surface. |
| Context over-sharing and memory poisoning | High | Retrieval and egress policy need provenance, freshness, data-class gates, tenant isolation, and destination controls before context reaches or leaves agents. |
| Audit telemetry and evidence chain | High | Enterprises need correlated records for context retrieval, tool calls, policy decisions, reviews, and scanner proof. |
| Human approval and tool safeguards | High | Approval must become a typed, policy-enforced control for high-risk or irreversible actions. |
| AI data security and provenance | High | Guidance is converging on data integrity, monitoring, lifecycle governance, and provenance for AI operations. |
| Continuous red-team replay and evals | High | Model, prompt, connector, and context drift can invalidate a previously safe workflow. |
| Secure-by-design agentic products | Medium | Procurement and diligence will reject products that rely on careful prompting instead of safe defaults. |
How to use it
AI platform review. Use the radar to decide which agentic workflows can move from pilot to production. Critical or high signals should map to enforced policy, identity, context, evidence, or red-team coverage before scale.
MCP server intake. Ask for signals tied to mcp-gateway-policy,
mcp-connector-trust-pack, or agent-identity-ledger before approving
new MCP servers or connector namespaces.
Quarterly threat model. Treat the radar as the agenda for a quarterly agentic security review. If a source changes, regenerate the pack and review affected capabilities.
Acquisition diligence. Use the generated pack to show that SecurityRecipes is not only content. It is a machine-readable control story: sources, mapped risks, product surfaces, MCP tools, and roadmap actions.
MCP examples
Get critical signals:
{
"priority": "critical"
}Get signals that support the secure context layer:
{
"capability_id": "secure-context-trust-pack",
"minimum_score": 85
}Get signals tied to outbound context movement:
{
"capability_id": "context-egress-boundary"
}Get one signal with sources and mapped capabilities:
{
"signal_id": "indirect-prompt-injection-social-engineering"
}Source anchors
The source registry should be updated when major guidance changes. The current anchors include:
- OWASP Top 10 for Agentic Applications
- OWASP MCP Top 10
- MCP Authorization Specification
- MCP Security Best Practices
- Microsoft guidance on indirect prompt injection
- OpenAI guidance on prompt injections
- OpenAI Agent Builder safety guidance
- NIST AI RMF
- NIST AI RMF Generative AI Profile
- CISA AI Data Security guidance
- CISA Secure by Design for AI
- CSA MCP Security Resource Center announcement
- CSA agentic AI and MCP identity guidance