OWASP Agentic Top 10 as Engineering Checklist
Module B9 · Course 2B — Securing & Attacking Harnesses and LLMs
90 minutes · A depth module that synthesizes B2–B8. The OWASP Agentic Top 10 is not a reading list — it is a test checklist with an attack procedure and a defense architecture for each of the ten risks.
Every risk maps to a module where the defense already lives. This module does not introduce a new defense. It introduces the checklist that proves the defenses are present, working, and measured.
Pillar 4 — Frameworks & Governance
The thesis: not a reading list, a checklist
The web OWASP Top 10 became useful the day a scanner could run a test for each row and a CI pipeline could fail the build on a finding. The agentic Top 10 reaches the same bar in this module.
For each of the ten ASI risks, this module provides four things:
- The attack procedure — the specific red-team action, not a category.
- The defense architecture — the control, and the Course 1 layer it specializes.
- The course module — where the control is built in depth (B2–B8).
- The test — the runnable assertion the lab encodes.
The checklist is the deliverable. Ten rows. Each has a risk, an attack, a control, a module, and a test. The test is runnable. B12 uses this checklist as engagement scope.
B9.1 — The checklist as thesis & the attack-surface map
Why a checklist · the ten risks as one surface · the risk-to-module mapping
The ten risks are one attack surface
Not ten independent items — five boundaries, each carrying two risks, each defended by a module.
| Boundary | Risks | Defended by |
| Input | ASI01 Goal Hijacking, ASI02 Prompt Leakage | B2 |
| Permission | ASI03 Excessive Agency, ASI10 Broken Access Control | B5 |
| State | ASI04 Memory Poisoning, ASI06 Cascading Hallucination | B3 + B8 |
| Tool | ASI05 Tool/Skill Abuse, ASI08 Supply Chain Attacks | B4 |
| Output / Resource | ASI07 Insecure Output Handling, ASI09 Resource Exhaustion | B7 |
The risks are entangled. A goal-hijacking payload (input) delivers through a tool output (tool), writes a poisoned memory (state), and reaches impact through an over-privileged tool (permission). The checklist tests all five boundaries.
Every risk maps to a defense module
This is what makes B9 a synthesis, not a new surface. You have already built every defense the checklist requires — in B2 through B8. B9 proves those defenses are present and working.
ASI01, ASI02 → B2
Taint gate, instruction isolation, capability minimization.
ASI03, ASI10 → B5
Scoped non-human principals, principal binding, tenant isolation.
ASI04 → B3 · ASI06 → B8
Harness-managed writes; verification & provenance tagging.
ASI05, ASI08 → B4 · ASI07, ASI09 → B7
Tool contracts & provenance; sandbox, circuit breakers, output sanitization.
No orphaned risk. The canonical numbering (ASI01–ASI10) is verified against the OWASP primary source and Course 1 Module 11.
B9.2 — The ten risks: attack + defense + test
The core of the module · each risk with an attack procedure, a defense architecture, a module, and a runnable test
ASI01–02 · the input boundary
ASI01 · GOAL HIJACKING
Attack: indirect injection via tool output; measure success over N. Defense: taint gate (L3) + capability (L5) + isolation (L2). Module: B2. Test: mini-InjecAgent; assert high-impact calls with tainted args blocked. Result: MEASURED (residual rate).
ASI02 · PROMPT LEAKAGE
Attack: direct / indirect / extraction-by-inference. Defense: instruction isolation (L2) + egress verification (layer 9). Module: B2. Test: canary string in system prompt; assert it never appears in output. Result: PASS/FAIL.
The load-bearing control for ASI01 is the Layer 3 taint gate — deterministic. But the detector (L4) and the model's compliance are probabilistic, so ASI01 reports a measured residual, not a binary. ASI02's canary check is a substring match — deterministic.
ASI03–04, ASI10 · the permission & state boundaries
ASI03 · EXCESSIVE AGENCY
Attack: capability enumeration — is a surplus tool present? Defense: scoped credentials + tool contracts + capability allowlist (L5). Module: B5. Test: assert allowlist is minimal; all high-impact args validated. Result: PASS/FAIL.
ASI04 · MEMORY POISONING
Attack: induce poisoned write; second-turn privileged use. Defense: harness-managed writes (4.3) + retrieval-time tagging. Module: B3. Test: assert write gated; retrieved fact tainted & blocked. Result: PASS/FAIL.
ASI10 · BROKEN ACCESS CONTROL
Attack: cross-tenant + principal-forgery variants. Defense: principal binding (5.3) + tenant isolation. Module: B5. Test: assert out-of-scope resource blocked at data layer. Result: PASS/FAIL.
ASI05–06, ASI08 · the tool & state boundaries
ASI05 · TOOL / SKILL ABUSE
Attack: scope-exploitation (alias forwarding, sensitive cols, path traversal). Defense: tool contracts (2.4) + semantic arg validators. Module: B4. Test: assert all variants blocked (symlinks resolved). Result: PASS/FAIL.
ASI06 · CASCADING HALLUCINATION
Attack: induce hallucination; observe propagation to action. Defense: verification (layer 9) + provenance tagging + detection. Module: B8. Test: assert unverified-claim-to-decision blocked. Result: MEASURED (block rate).
ASI08 · SUPPLY CHAIN ATTACKS
Attack: register unsigned / malicious MCP or tool. Defense: provenance verification (2.3) + tool sandbox + output tainting. Module: B4. Test: assert unsigned rejected; egress blocked; output tainted. Result: PASS/FAIL.
ASI07, ASI09 · the output / resource boundary
ASI07 · INSECURE OUTPUT HANDLING
Attack: emit XSS / SQL / shell payload; observe downstream. Defense: output sanitization (5.3) + sandbox confinement. Module: B7. Test: assert payload escaped before render / exec; agent confined. Result: PASS/FAIL.
ASI09 · RESOURCE EXHAUSTION
Attack: unbounded-work injection; observe halting. Defense: sandbox limits (5.4) + circuit breakers (7.2) + loop detection. Module: B7. Test: assert agent halted at ceiling; breaker fired. Result: PASS/FAIL.
B7 defends both. The sandbox confines the agent's direct actions (ASI07); the hard ceilings and breakers halt unbounded work (ASI09). Both are deterministic — the agent cannot reason past a token ceiling.
B9.3 — The unified checklist & the deterministic / probabilistic split
The deliverable table · 8 PASS/FAIL + 2 MEASURED · never "secure"
The unified checklist — the deliverable
| ASI | Risk | Control | Module | Result |
| 01 | Goal Hijacking | Taint gate + capability + isolation | B2 | MEASURED |
| 02 | Prompt Leakage | Isolation + egress verification | B2 | PASS/FAIL |
| 03 | Excessive Agency | Scoped creds + tool contracts | B5 | PASS/FAIL |
| 04 | Memory Poisoning | Managed writes + retrieval tagging | B3 | PASS/FAIL |
| 05 | Tool/Skill Abuse | Tool contracts + arg validators | B4 | PASS/FAIL |
| 06 | Cascading Hallucination | Verification + provenance + detection | B8 | MEASURED |
| 07 | Insecure Output Handling | Output sanitization + sandbox | B7 | PASS/FAIL |
| 08 | Supply Chain Attacks | Provenance + tool sandbox + tainting | B4 | PASS/FAIL |
| 09 | Resource Exhaustion | Limits + circuit breakers + loop detection | B7 | PASS/FAIL |
| 10 | Broken Access Control | Principal binding + tenant isolation | B5 | PASS/FAIL |
Why 8 binary and 2 measured?
Deterministic (8 rows) — PASS/FAIL. The question is structural and enumerable: is the tool in the allowlist? does the principal match? is the signature valid? did the count cross the ceiling? No bypass rate, only coverage gaps. Gate, not judgment.
Probabilistic (2 rows) — MEASURED. ASI01: the taint gate is deterministic, but the detector and model compliance have a bypass rate. ASI06: verification catches unverified claims, but hallucination-detection has a miss rate. The result is a number, not a boolean.
Anti-pattern: collapsing a MEASURED row into PASS/FAIL. ASI01 "PASS" is a lie — the honest result is "residual 2%, the encoded-and-laundered class." The Result-type column enforces the honesty. This is B2.3's resolution applied across all ten risks.
B9.4 — The checklist as assessment scope
B12 turns the ten rows into an engagement contract · the measured residual is the recurring deliverable
From checklist to engagement scope
B12 operationalizes this checklist as a paid engagement. The ten rows are the scope. An assessment that covers all ten has covered the agentic attack surface as OWASP defines it.
Per row, the engagement contract carries:
- The test (the attack procedure from B9.2)
- The evidence (B0 discipline: model version, success rate, scope reference)
- The expected control (the defense architecture)
- The deliverable (PASS/FAIL or MEASURED residual)
Scope-completeness rule: a genuinely-absent surface reports N/A with justification — never silently skipped. A skipped row is an untested row.
The measured residual is the recurring value
A single engagement reports the residual at a point in time. A recurring engagement (quarterly, per B12) reports the trend — did ASI01 drop 4% to 1% after the L4 detector was tuned? Did ASI06 rise 3% to 8% after a new tool was added?
The trend is the signal; the single measurement is the data point. This is the B0 anti-pattern applied in reverse: do not treat an AI control as binary "secure/insecure." The checklist's measured rows are the mechanism that enforces the discipline over time.
The checklist covers the OWASP top 10 — the agentic-risk floor, not the ceiling. B10 (Microsoft taxonomy) and B11 (governance) layer on top. B12's full methodology applies all three.
Anti-patterns
Treating the Top 10 as a reading list. Read but untestable = no system change. Cure: the checklist is executable.
PASS/FAIL on a probabilistic control. ASI01 "PASS" lies about the residual. Cure: the Result-type column.
Testing each risk in isolation. Misses the compound chain. Cure: the synthesis layer; at least one end-to-end scenario.
Skipping rows. "We don't use MCP" skips ASI08. Cure: N/A with justification, never silent.
Declaring "secure" after a passing checklist. Cure: the scored report is the deliverable, not a verdict.
Building new defenses in the assessment module. B9 tests; B2–B8 build. A failed row routes to its module.
Lab & what's next
Lab (07): Run the OWASP Checklist Against a Sample Harness — build a checklist executor that runs a defined test for each of ASI01–ASI10 against a stub agent harness and produces a scored report (8 PASS/FAIL + 2 MEASURED). Python, type hints, no GPU.
Next — B10: Microsoft Failure Mode Taxonomy as Red Team Framework. The seven agentic failure modes that complement the OWASP top 10 — including the zero-click HITL bypass chain that the checklist's synthesis layer draws on for compound scenarios.
The load-bearing principle
The OWASP Agentic Top 10 is a test checklist, not a reading list. For each of the ten risks: an attack procedure, a defense architecture, a course module, and a runnable test. Every risk maps to a module (B2–B8) where the defense already lives — this module proves those defenses are present and working. Eight rows report PASS/FAIL (deterministic controls); two report MEASURED (probabilistic controls with a residual rate). The checklist never declares "secure" — it produces a scored report a CISO can act on, and B12 uses it as engagement scope.
Determinism where the question is structural. Measurement where it is semantic. The scored report is the deliverable — not a verdict.