OWASP Agentic AI Top 10

Offensive Expansion · Deep-Dive SDD-B01 · Course 2B

45 minutes · The red-team playbook for every OWASP ASI row (ASI01–ASI10)

B9 handed you the defense checklist. This is the same ten rows read as an attacker — the attack in depth, the evasion that defeats the standard defense, and the chaining that turns a single-row finding into compound impact.

Deep-Dives

The thesis — same numbering, different artifact

B9 reads it as a BUILDER

One risk, one control, one test. Eight rows PASS/FAIL, two MEASURED. The scored report.

SDD-B01 reads it as an ATTACKER

One risk, one attack procedure, the evasion that defeats the control, and the chain across rows. The reproduced finding.

The gap between the two readings is the entire engagement. A control that PASSes its B9 test in isolation is not a control that survives an adversary who arrives on the indirect channel the test never exercised.

The evasion pattern — why PASS is not closed

B9 test verifies

The DIRECT surface. Taint gate tested against direct injection. Enumeration tested against extra tools. Normalization tested against ../.

Attacker arrives on

The INDIRECT surface. Injection inside a trusted tool output. Over-scoped credential beneath enumeration. Semantic path confusion in the selection layer.

Every defense has a known evasion, and it is almost always the indirect channel. The test closed the vector it names; the attacker arrives on the class beneath. The two MEASURED rows are where the standard admits the residual — the eight PASS/FAIL rows are where it does not.

Input & state surface — the semantic residuals

RowStandard defense (B9)Offensive evasion (SDD-B01)
ASI01
Goal Hijacking
Taint gate, instruction hierarchy, goal reaffirmationDrift via trusted tool output; bypasses gate. Multi-turn framing shift, no single instruction hijacks.
ASI02
Prompt Leakage
System-prompt canary, egress verificationMulti-turn rapport; paraphrased, canary-free disclosure distributed across turns.
ASI04
Memory Poisoning
Harness-managed writes, provenance taggingTaint-laundering via a legitimate trusted write tool; entry inherits the tool's trust, not the injection's taint.
ASI06
Cascading Hallucination
Verification, source citationUnverified-claim propagation; the agent's inference/summary propagates as fact — verifier inspects citations, not reasoning.
Four rows where the semantic boundary makes every defense probabilistic. The two MEASURED rows (01, 06) are where the standard admits it; 02 and 04 are PASS/FAIL only because the test closed one vector.

Permission & tool surface — the class beneath the vector

RowStandard defense (B9)Offensive evasion (SDD-B01)
ASI03
Excessive Agency
Capability enumeration, minimalityThe load-bearing capability that survived minimization — the over-scoped credential a benign task required.
ASI05
Tool/Skill Abuse
Path normalization, schema validationSemantic path confusion in the selection layer; description-collision routes to the wrong tool.
ASI08
Supply Chain
Signed manifests, registry, agent SBOMSigned-but-malicious; signature verifies the publisher, not the benignity. Typosquatted evil twin.
ASI10
Broken Access Control
Principal binding, tenant isolationInter-agent trust escalation; a compromised sub-agent's message executes under the orchestrator's trust. Binding holds.
Four rows where the structural boundary looks deterministic. The test closed the named vector; the attacker finds the class beneath — the residual the PASS/FAIL result cannot express.

Output & resource surface — the entry point & amplifier

ASI07 Insecure Output Handling

Output-as-input to a downstream agent. Sanitizer-valid JSON consumed by an agent that interprets a field as an instruction. No escape syntax exists for "data, not instruction" in a natural-language field.

ASI09 Resource Exhaustion

Under-threshold tool loop. Each call under the per-call cap and within rate limit; 10,000 individually-legitimate calls. Per-call breaker never trips; session-level cap is the layer most omit.

ASI07 is the entry point of the most common compound chain. ASI09 is the amplifier (and, in cost-sensitive deployments, the impact). Both PASS their B9 test; both are open at the class.

The cross-row chains — the compound is the finding

CHAIN 1
Exfiltration

ASI07 → 01 → 05 → 03
output-as-input → goal drift → tool dispatched → over-scoped cap exercised. Data exfiltration / lateral movement.

CHAIN 2
Persistence

ASI02 → 04 → 06
capability disclosed → memory poisoned via trusted write → poisoned entry propagates as unverified fact. Backdoor survives restarts.

CHAIN 3
Escalation

ASI08 → 05 → 10
signed-but-malicious MCP → dispatch via collision → action under orchestrator trust. Privileged action, forged authority.

The offensive value of the Top 10 is the chaining, not any single row. B9 tests rows in isolation and reports eight PASS; the attacker reads the same eight PASS and chains across the boundaries the isolation created.

MEASURED honesty vs PASS/FAIL illusion

2 MEASURED rows

ASI01 (detector + compliance bypass rate), ASI06 (hallucination miss rate). The standard admits the residual.

8 PASS/FAIL rows

Closed at the vector, open at the class. The over-scoped credential, the selection ambiguity, the signed-but-malicious package, the trust assumption — residuals the PASS/FAIL result cannot express.

Every row has a residual. The two MEASURED rows are where the standard admits it. The eight PASS/FAIL rows are where it does not — and that silence is the offense team's first opening. Treating them as fully closed is the first mistake.

The B9 → SDD-B01 reading order

Phase 1 — B9 (builder)

Per-row test, isolated execution, scored report. Proves the controls are present and passing.

Phase 2 — SDD-B01 (attacker)

Per-row offensive procedure, chained execution, reproduced findings. Finds the residuals the test cannot express.

A row that PASSed B9 and FAILed the offensive expansion is NOT a contradiction — it is the definition of a residual the deterministic test cannot express. B12 packages both: the scored report (B9) and the chains (SDD-B01). Neither alone is sufficient.

Anti-patterns

"B9 PASSed all eight, so we're secure." The deterministic test closed the named vector, not the class. Read every PASS/FAIL row as "closed at the vector, open at the class" and run the offensive procedure.
Testing ASI rows in isolation. The offensive value is the chaining. A red team reporting ten separate row-results has missed the finding. Design engagements as chains.
Single-shot goal-hijack payloads. Deployed agents resist Ignore previous instructions. Test multi-turn framing drift and score goal divergence against a baseline, not single-shot success.
Assuming the sanitizer covers the downstream agent. No escape syntax exists for "data, not instruction" in natural language. Treat agent-to-agent outputs as untrusted at the receiving instruction boundary.

What you can now do

  1. For each ASI row (01–10), state the full offensive procedure: attack in depth, scenario, evasion-vs-standard-defense, chaining.
  2. Explain why every defense has a known evasion — the indirect channel the per-row test does not exercise.
  3. Construct the three cross-row chains (exfiltration, persistence, escalation) and explain why the compound is the finding.
  4. Distinguish the 2 MEASURED rows from the 8 PASS/FAIL rows, and why treating the eight as closed is the offense team's first opening.
  5. Articulate the gap between "the control passed its B9 test" and "the system holds under the offensive procedure."
The lab: run the offensive expansion against a sample agent that PASSed its B9 checklist — one procedure per ASI row, then the ASI07→01→05→03 cross-row chain. Confirm which rows produce findings despite the PASS.

Next: SDD-B02 — Microsoft Failure Mode Taxonomy v2.0