{
  "standard": "ATD — Agentic Threat Detection",
  "status": "Editor's Draft",
  "version": "0.1.0",
  "generated": "2026-06-14",
  "license": "CC-BY-4.0",
  "stats": {
    "techniques": 26,
    "withLiveRule": 9,
    "withCve": 9,
    "tactics": 9
  },
  "tactics": [
    {
      "id": "ATD-TA1",
      "name": "Protocol & Interconnect"
    },
    {
      "id": "ATD-TA2",
      "name": "Memory & Context Integrity"
    },
    {
      "id": "ATD-TA3",
      "name": "Goal, Planning & Reasoning"
    },
    {
      "id": "ATD-TA4",
      "name": "Identity, Authz & Delegation"
    },
    {
      "id": "ATD-TA5",
      "name": "Tool & Supply Chain"
    },
    {
      "id": "ATD-TA6",
      "name": "Execution & Autonomy"
    },
    {
      "id": "ATD-TA7",
      "name": "Multi-Agent Dynamics"
    },
    {
      "id": "ATD-TA8",
      "name": "Model-Intrinsic & Governance"
    },
    {
      "id": "ATD-TA9",
      "name": "Agentic Commerce (forward)"
    }
  ],
  "techniques": [
    {
      "atd_id": "ATD-T0001",
      "schema_version": "0.1.0",
      "title": "Shell metacharacter injection through MCP tool parameters",
      "tactic": "ATD-TA1",
      "abstraction": "base",
      "status": "experimental",
      "severity": "high",
      "description": "Unsanitized MCP tool input reaches execSync/exec, yielding RCE on the server host.",
      "detection_surface": [
        "tool_input",
        "tool_response"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI05",
          "ASI02"
        ],
        "mitre_atlas": [
          "AML.T0053"
        ],
        "cwe": [
          "CWE-77"
        ]
      },
      "references": [
        {
          "type": "cve",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53355"
        }
      ],
      "atr_rule": "ATR-2026-01927"
    },
    {
      "atd_id": "ATD-T0002",
      "schema_version": "0.1.0",
      "title": "curl-fallback command injection in an MCP server",
      "tactic": "ATD-TA1",
      "abstraction": "base",
      "status": "experimental",
      "severity": "high",
      "description": "When a fetch fails, the server falls back to exec'ing curl with an unsanitized URL, enabling RCE.",
      "detection_surface": [
        "tool_input",
        "tool_response"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI05",
          "ASI02"
        ],
        "mitre_atlas": [
          "AML.T0053"
        ],
        "cwe": [
          "CWE-420"
        ]
      },
      "references": [
        {
          "type": "cve",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53967"
        }
      ],
      "atr_rule": "ATR-2026-01928"
    },
    {
      "atd_id": "ATD-T0003",
      "schema_version": "0.1.0",
      "title": "Command injection in a scaffolded MCP stdio server",
      "tactic": "ATD-TA1",
      "abstraction": "base",
      "status": "experimental",
      "severity": "critical",
      "description": "The generated server concatenates tool input into exec(), so every server scaffolded from it inherits the RCE.",
      "detection_surface": [
        "tool_input",
        "tool_response"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI04",
          "ASI05"
        ],
        "mitre_atlas": [
          "AML.T0010.005"
        ],
        "cwe": [
          "CWE-78"
        ]
      },
      "references": [
        {
          "type": "cve",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54994"
        }
      ],
      "atr_rule": "ATR-2026-00577"
    },
    {
      "atd_id": "ATD-T0004",
      "schema_version": "0.1.0",
      "title": "Line-jumping — tool-description injection at listing time",
      "tactic": "ATD-TA1",
      "abstraction": "base",
      "status": "experimental",
      "severity": "high",
      "description": "Hidden instructions in a tool description enter the model context at tools/list, before any call.",
      "detection_surface": [
        "tool_input",
        "tool_response"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI04",
          "ASI01"
        ],
        "mitre_atlas": [
          "AML.T0110",
          "AML.T0104"
        ],
        "cwe": [
          "CWE-1427"
        ]
      },
      "references": [
        {
          "type": "research",
          "url": "https://blog.trailofbits.com/2025/04/21/jumping-the-line-how-mcp-servers-can-attack-you-before-you-ever-use-them/"
        }
      ],
      "atr_rule": "ATR-2026-00579"
    },
    {
      "atd_id": "ATD-T0005",
      "schema_version": "0.1.0",
      "title": "Rug pull — silent mutation of an approved tool",
      "tactic": "ATD-TA1",
      "abstraction": "base",
      "status": "experimental",
      "severity": "high",
      "description": "A server approved once later changes a tool's definition with no integrity re-check.",
      "detection_surface": [
        "tool_input",
        "tool_response"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI04"
        ],
        "mitre_atlas": [
          "AML.T0109",
          "AML.T0110"
        ],
        "cwe": [
          "CWE-494"
        ]
      },
      "references": [
        {
          "type": "research",
          "url": "https://github.com/invariantlabs-ai/mcp-injection-experiments"
        }
      ],
      "atr_rule": "ATR-2026-00581"
    },
    {
      "atd_id": "ATD-T0006",
      "schema_version": "0.1.0",
      "title": "Missing-auth MCP proxy command execution",
      "tactic": "ATD-TA1",
      "abstraction": "base",
      "status": "experimental",
      "severity": "critical",
      "description": "No auth between client and MCP proxy lets any local/web-driven request spawn MCP processes.",
      "detection_surface": [
        "tool_input",
        "tool_response"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI03",
          "ASI05"
        ],
        "mitre_atlas": [],
        "cwe": [
          "CWE-306"
        ]
      },
      "references": [
        {
          "type": "cve",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49596"
        }
      ]
    },
    {
      "atd_id": "ATD-T0007",
      "schema_version": "0.1.0",
      "title": "RCE from a malicious upstream MCP server",
      "tactic": "ATD-TA1",
      "abstraction": "base",
      "status": "experimental",
      "severity": "critical",
      "description": "A crafted authorization_endpoint URL in an untrusted server's response yields RCE on the client.",
      "detection_surface": [
        "tool_input",
        "tool_response"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI04",
          "ASI05"
        ],
        "mitre_atlas": [
          "AML.T0010.005"
        ],
        "cwe": [
          "CWE-78"
        ]
      },
      "references": [
        {
          "type": "cve",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6514"
        }
      ]
    },
    {
      "atd_id": "ATD-T0008",
      "schema_version": "0.1.0",
      "title": "DNS-rebinding to a localhost MCP server",
      "tactic": "ATD-TA1",
      "abstraction": "base",
      "status": "experimental",
      "severity": "high",
      "description": "A malicious page rebinds DNS to reach an unauthenticated localhost MCP server cross-origin.",
      "detection_surface": [
        "tool_input",
        "tool_response"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI07",
          "ASI03"
        ],
        "mitre_atlas": [],
        "cwe": [
          "CWE-1188"
        ]
      },
      "references": [
        {
          "type": "cve",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66416"
        }
      ]
    },
    {
      "atd_id": "ATD-T0009",
      "schema_version": "0.1.0",
      "title": "Session ID / auth token placed in a URL query string",
      "tactic": "ATD-TA1",
      "abstraction": "base",
      "status": "experimental",
      "severity": "medium",
      "description": "A credential in the query string leaks via server logs, proxies, CDNs, history, and Referer.",
      "detection_surface": [
        "tool_input",
        "tool_response"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI03",
          "ASI07"
        ],
        "mitre_atlas": [],
        "cwe": [
          "CWE-598"
        ]
      },
      "references": [
        {
          "type": "research",
          "url": "https://vulnerablemcp.info/"
        }
      ],
      "atr_rule": "ATR-2026-00580"
    },
    {
      "atd_id": "ATD-T0010",
      "schema_version": "0.1.0",
      "title": "Serialized-object smuggling through an LLM response field",
      "tactic": "ATD-TA2",
      "abstraction": "base",
      "status": "experimental",
      "severity": "critical",
      "description": "Injected output carries a serialization marker; deserialization rehydrates it as trusted and exfiltrates secrets.",
      "detection_surface": [
        "memory_op"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI06",
          "ASI01"
        ],
        "mitre_atlas": [
          "AML.T0051.001"
        ],
        "cwe": [
          "CWE-502"
        ]
      },
      "references": [
        {
          "type": "cve",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68664"
        }
      ]
    },
    {
      "atd_id": "ATD-T0011",
      "schema_version": "0.1.0",
      "title": "Persistent memory / context-store poisoning",
      "tactic": "ATD-TA2",
      "abstraction": "base",
      "status": "experimental",
      "severity": "high",
      "description": "Attacker-controlled content is written into data the agent later reads back as trusted context.",
      "detection_surface": [
        "memory_op"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI06"
        ],
        "mitre_atlas": [
          "AML.T0080"
        ],
        "cwe": [
          "CWE-349"
        ]
      },
      "references": [
        {
          "type": "research",
          "url": "https://atlas.mitre.org/"
        }
      ]
    },
    {
      "atd_id": "ATD-T0012",
      "schema_version": "0.1.0",
      "title": "Indirect prompt injection via tool / API response",
      "tactic": "ATD-TA3",
      "abstraction": "base",
      "status": "experimental",
      "severity": "high",
      "description": "Malicious text in returned tool data overrides the agent's plan and redirects its actions.",
      "detection_surface": [
        "content",
        "tool_response"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI01"
        ],
        "mitre_atlas": [
          "AML.T0051.001",
          "AML.T0099"
        ],
        "cwe": [
          "CWE-1427"
        ]
      },
      "references": [
        {
          "type": "research",
          "url": "https://arxiv.org/abs/2403.02691"
        }
      ],
      "atr_rule": "ATR-2026-00584"
    },
    {
      "atd_id": "ATD-T0013",
      "schema_version": "0.1.0",
      "title": "System-prompt / guardrail extraction to plan evasion",
      "tactic": "ATD-TA3",
      "abstraction": "base",
      "status": "experimental",
      "severity": "medium",
      "description": "Crafted queries coerce the agent to reveal its hidden system prompt, exposing control logic.",
      "detection_surface": [
        "content",
        "tool_response"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI01",
          "ASI09"
        ],
        "mitre_atlas": [
          "AML.T0056"
        ],
        "cwe": [
          "CWE-200"
        ]
      },
      "references": [
        {
          "type": "research",
          "url": "https://atlas.mitre.org/"
        }
      ]
    },
    {
      "atd_id": "ATD-T0014",
      "schema_version": "0.1.0",
      "title": "Confused-deputy token passthrough in an MCP server",
      "tactic": "ATD-TA4",
      "abstraction": "base",
      "status": "experimental",
      "severity": "high",
      "description": "A server forwards a held token to a downstream API without audience validation, escalating privilege.",
      "detection_surface": [
        "tool_input"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI03"
        ],
        "mitre_atlas": [],
        "cwe": [
          "CWE-441"
        ]
      },
      "references": [
        {
          "type": "research",
          "url": "https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization"
        }
      ]
    },
    {
      "atd_id": "ATD-T0015",
      "schema_version": "0.1.0",
      "title": "Agent reads .env / secret files without consent",
      "tactic": "ATD-TA5",
      "abstraction": "base",
      "status": "experimental",
      "severity": "high",
      "description": "An agent tool reads credential files (.env, credentials, .npmrc) outside any user-approved scope.",
      "detection_surface": [
        "tool_input",
        "tool_response"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI02",
          "ASI06"
        ],
        "mitre_atlas": [
          "AML.T0053"
        ],
        "cwe": [
          "CWE-538"
        ]
      },
      "references": [
        {
          "type": "research",
          "url": "https://github.com/modelcontextprotocol-security/vulnerability-db"
        }
      ],
      "atr_rule": "ATR-2026-00583"
    },
    {
      "atd_id": "ATD-T0016",
      "schema_version": "0.1.0",
      "title": "Hallucinated-dependency squatting (slopsquatting)",
      "tactic": "ATD-TA5",
      "abstraction": "base",
      "status": "experimental",
      "severity": "medium",
      "description": "The model recommends a fabricated package name an attacker pre-registers, pulling code into the agent env.",
      "detection_surface": [
        "tool_input",
        "tool_response"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI04",
          "ASI08"
        ],
        "mitre_atlas": [
          "AML.T0060",
          "AML.T0062"
        ],
        "cwe": [
          "CWE-1427"
        ]
      },
      "references": [
        {
          "type": "research",
          "url": "https://atlas.mitre.org/"
        }
      ]
    },
    {
      "atd_id": "ATD-T0017",
      "schema_version": "0.1.0",
      "title": "Path-traversal blacklist bypass via non-canonical paths",
      "tactic": "ATD-TA6",
      "abstraction": "base",
      "status": "experimental",
      "severity": "medium",
      "description": "Exact-string path checks are bypassed with ../, /./, or redundant slashes to reach sensitive files.",
      "detection_surface": [
        "tool_input",
        "trace"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI02",
          "ASI03"
        ],
        "mitre_atlas": [
          "AML.T0053"
        ],
        "cwe": [
          "CWE-22"
        ]
      },
      "references": [
        {
          "type": "cve",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66689"
        }
      ],
      "atr_rule": "ATR-2026-00578"
    },
    {
      "atd_id": "ATD-T0018",
      "schema_version": "0.1.0",
      "title": "MCP filesystem sandbox escape via symlink following",
      "tactic": "ATD-TA6",
      "abstraction": "base",
      "status": "experimental",
      "severity": "high",
      "description": "A symlink inside an allowed directory resolves to an out-of-scope path, granting system file access.",
      "detection_surface": [
        "tool_input",
        "trace"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI02",
          "ASI05"
        ],
        "mitre_atlas": [
          "AML.T0053"
        ],
        "cwe": [
          "CWE-59"
        ]
      },
      "references": [
        {
          "type": "cve",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53109"
        }
      ]
    },
    {
      "atd_id": "ATD-T0019",
      "schema_version": "0.1.0",
      "title": "Prompt-injection-to-RCE via an agent's file-write capability",
      "tactic": "ATD-TA6",
      "abstraction": "base",
      "status": "experimental",
      "severity": "critical",
      "description": "Injected instructions drive the agent to write a startup/config file that yields persistent code execution.",
      "detection_surface": [
        "tool_input",
        "trace"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI05",
          "ASI01"
        ],
        "mitre_atlas": [
          "AML.T0053",
          "AML.T0051.001"
        ],
        "cwe": [
          "CWE-94"
        ]
      },
      "references": [
        {
          "type": "research",
          "url": "https://www.pillar.security/blog/prompt-injection-leads-to-rce-and-sandbox-escape-in-antigravity"
        }
      ]
    },
    {
      "atd_id": "ATD-T0020",
      "schema_version": "0.1.0",
      "title": "Agent Card poisoning to capture A2A task routing",
      "tactic": "ATD-TA7",
      "abstraction": "base",
      "status": "experimental",
      "severity": "high",
      "description": "A rogue A2A agent advertises an instruction-laden Agent Card so the orchestrator routes tasks to it.",
      "detection_surface": [
        "inter_agent_msg"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI07",
          "ASI10"
        ],
        "mitre_atlas": [
          "AML.T0051.001"
        ],
        "cwe": [
          "CWE-345"
        ]
      },
      "references": [
        {
          "type": "research",
          "url": "https://www.levelblue.com/blogs/spiderlabs-blog/agent-in-the-middle-abusing-agent-cards-in-the-agent-2-agent-protocol-to-win-all-the-tasks"
        }
      ]
    },
    {
      "atd_id": "ATD-T0021",
      "schema_version": "0.1.0",
      "title": "Cross-agent injection propagation (cascading compromise)",
      "tactic": "ATD-TA7",
      "abstraction": "base",
      "status": "experimental",
      "severity": "high",
      "description": "One compromised agent emits content that injects the next downstream agent, cascading through the swarm.",
      "detection_surface": [
        "inter_agent_msg"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI08",
          "ASI07",
          "ASI10"
        ],
        "mitre_atlas": [
          "AML.T0051.001",
          "AML.T0080"
        ],
        "cwe": [
          "CWE-1427"
        ]
      },
      "references": [
        {
          "type": "research",
          "url": "https://arxiv.org/abs/2403.02691"
        }
      ]
    },
    {
      "atd_id": "ATD-T0022",
      "schema_version": "0.1.0",
      "title": "Trace tampering / non-tamper-evident agent audit logs",
      "tactic": "ATD-TA8",
      "abstraction": "base",
      "status": "experimental",
      "severity": "medium",
      "description": "An agent logs reasoning but not the actual tool call, or logs are mutable — defeating after-the-fact audit.",
      "detection_surface": [
        "trace"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI10"
        ],
        "mitre_atlas": [],
        "cwe": [
          "CWE-778"
        ]
      },
      "references": [
        {
          "type": "research",
          "url": "https://artificialintelligenceact.eu/article/12/"
        }
      ]
    },
    {
      "atd_id": "ATD-T0023",
      "schema_version": "0.1.0",
      "title": "Adversarial transaction steering of a purchasing agent",
      "tactic": "ATD-TA9",
      "abstraction": "base",
      "status": "experimental",
      "severity": "medium",
      "description": "Injected content in a listing/page steers an autonomous-commerce agent to overpay or leak payment authority.",
      "detection_surface": [
        "payment_mandate"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI01",
          "ASI02",
          "ASI09"
        ],
        "mitre_atlas": [],
        "cwe": [
          "CWE-1427"
        ]
      },
      "references": [
        {
          "type": "vendor",
          "url": "https://cloud.google.com/blog/products/ai-machine-learning/announcing-agents-to-payments-ap2-protocol"
        }
      ]
    },
    {
      "atd_id": "ATD-T0024",
      "schema_version": "0.1.0",
      "title": "Payment-mandate forgery in an agent-to-agent handshake",
      "tactic": "ATD-TA9",
      "abstraction": "base",
      "status": "experimental",
      "severity": "medium",
      "description": "A rogue agent spoofs delegated payment authority or mandate scope in an agentic-commerce exchange.",
      "detection_surface": [
        "payment_mandate"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI03",
          "ASI07"
        ],
        "mitre_atlas": [],
        "cwe": [
          "CWE-345"
        ]
      },
      "references": [
        {
          "type": "vendor",
          "url": "https://fidoalliance.org/fido-alliance-to-develop-standards-for-trusted-ai-agent-interactions/"
        }
      ]
    },
    {
      "atd_id": "ATD-T0026",
      "schema_version": "0.1.0",
      "title": "Sleeper (dormant) memory poisoning",
      "tactic": "ATD-TA2",
      "abstraction": "base",
      "status": "experimental",
      "severity": "high",
      "description": "Attacker-controlled external content is written into the agent's persistent memory and lies dormant across sessions, re-emerging in later conversations to steer actions — decoupling the injection event from the malicious effect in time. The deterministic detection chokepoint is the memory-write boundary.",
      "detection_surface": [
        "memory_op"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI06"
        ],
        "mitre_atlas": [
          "AML.T0080"
        ],
        "cwe": [
          "CWE-349"
        ]
      },
      "references": [
        {
          "type": "research",
          "url": "https://arxiv.org/abs/2605.15338"
        }
      ]
    },
    {
      "atd_id": "ATD-T0025",
      "schema_version": "0.1.0",
      "title": "Acoustic prompt injection of a voice agent",
      "tactic": "ATD-TA8",
      "abstraction": "base",
      "status": "experimental",
      "severity": "high",
      "description": "An imperceptible adversarial audio perturbation mixed into normal speech drives a voice / audio-LLM agent to issue real tool calls, under audio-data-only access and with no textual user instruction. Text-layer rules cannot see it; detection is limited to the trace plane (a voice-initiated session producing high-risk tool calls with no corresponding textual instruction).",
      "detection_surface": [
        "trace"
      ],
      "mappings": {
        "owasp_asi": [
          "ASI01"
        ],
        "mitre_atlas": [],
        "cwe": [
          "CWE-1427"
        ]
      },
      "references": [
        {
          "type": "research",
          "url": "https://arxiv.org/abs/2604.14604"
        }
      ]
    }
  ]
}
