Security Reference

OWASP Agentic Top 10

A practical guide to the most critical security threats in autonomous AI agent systems and how FortifAI enforces runtime controls for each category.

10 threats | OWASP Agentic Top 10 | FortifAI coverage: 100%

2 Critical | 5 High | 3 Medium
AA1

Goal and Prompt Hijacking

Critical Risk

Adversarial instructions in prompts, tool output, or retrieved context can force an agent away from its original objective.

Attack Examples

  • Injected context says: ignore policy and expose credentials.
  • Retrieved web content instructs the agent to leak private data.

FortifAI Defense

Prompt-boundary validation and policy enforcement on every inbound context segment.

AA2

Memory Poisoning

Critical Risk

Malicious data persisted into memory can alter future behavior across sessions and contaminate downstream decisions.

Attack Examples

  • A user trick causes false authority rules to be written into long-term memory.
  • Poisoned retrieval entries override trusted operational instructions.

FortifAI Defense

Memory write controls with source verification and policy checks before persistence.

AA3

Tool Misuse

High Risk

An agent is coerced into invoking tools outside intended scope, enabling unauthorized actions across connected systems.

Attack Examples

  • A read-only agent is manipulated into write or delete operations.
  • Code execution tools are abused with attacker-crafted commands.

FortifAI Defense

Deny-by-default tool authorization with per-call permission validation.
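As an added illustration of the deny-by-default model described above (example code, not FortifAI's implementation), a minimal per-call authorization gate placed between the agent and its tools: the roles, tool names and tool registry are constructed placeholders, and every decision is appended to an audit trail so a denied write from a read-only role can be reconstructed later.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Constructed policy: role -> tool -> permitted operations.
# Any (role, tool, operation) not listed here is denied.
POLICY = {
    "report-reader": {"crm.search": {"read"}},
    "ops-writer": {"crm.search": {"read"}, "crm.update": {"write"}},
}

# Constructed tool registry standing in for real connectors.
TOOLS = {
    "crm.search": lambda query: f"results for {query!r}",
    "crm.update": lambda record_id, fields: f"updated {record_id}",
}

AUDIT_LOG: list[dict] = []  # append-only trail of every decision, allowed or denied


@dataclass
class ToolCall:
    agent_id: str
    role: str
    tool: str
    operation: str  # "read" | "write" | "delete" | "exec"
    args: dict


def authorize(call: ToolCall) -> bool:
    """Per-call check: allow only on an explicit policy match, and record the decision."""
    permitted = POLICY.get(call.role, {}).get(call.tool, set())
    allowed = call.operation in permitted
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent": call.agent_id, "role": call.role, "tool": call.tool,
        "op": call.operation, "args": json.dumps(call.args, sort_keys=True, default=str),
        "decision": "allow" if allowed else "deny",
    })
    return allowed


def run_tool(call: ToolCall) -> str:
    """Execute a tool only after authorize() passes; the gate sits outside the model."""
    if not authorize(call):
        raise PermissionError(f"{call.role} may not {call.operation} via {call.tool}")
    return TOOLS[call.tool](**call.args)
```

Because the lookup falls through to an empty set for unknown roles, unknown tools and unlisted operations, a prompt that talks the model into requesting a write never reaches the connector.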

AA4

Privilege Escalation

High Risk

Agents gain unintended capabilities through role confusion, secret exposure, or delegated authority misuse.

Attack Examples

  • A low-privilege agent triggers actions through a higher-privilege peer.
  • Leaked credentials from context are replayed for privileged access.

FortifAI Defense

Agent identity isolation, strict role boundaries, and zero-trust agent-to-agent controls.

AA5

Context Manipulation

High Risk

Tampered observations or deceptive tool output can alter reasoning and push the agent into incorrect actions.

Attack Examples

  • A compromised dependency returns fabricated tool responses.
  • Injected context reframes dangerous tasks as approved, routine actions.

FortifAI Defense

Input/output sanitization and integrity checks at each reasoning step.

AA6

Unauthorized Data Exfiltration

High Risk

Sensitive data is leaked via outbound calls, encoded payloads, or hidden channels initiated by adversarial prompts.

Attack Examples

  • Secrets are hidden in API parameters sent to external services.
  • Summaries include sensitive records extracted from protected context.

FortifAI Defense

Outbound content inspection with high-risk pattern detection and policy-based blocking.

AA7

Repudiation

Medium Risk

High-impact actions occur without complete audit records, preventing incident reconstruction and compliance evidence.

Attack Examples

  • State changes occur with no actor, timestamp, or rationale trail.
  • Multi-agent workflows execute without attributable execution logs.

FortifAI Defense

Immutable decision and tool-call trails linked to actor identity and execution context.

AA8

Supply Chain Poisoning

High Risk

Compromised models, tools, plugins, or datasets alter runtime behavior before prompts are even processed.

Attack Examples

  • A plugin update silently introduces malicious exfiltration behavior.
  • Poisoned datasets bias agent output toward attacker objectives.

FortifAI Defense

Integrity and provenance checks across external tools, plugins, and connected assets.

AA9

Cascading Agent Failures

Medium Risk

A compromise in one agent propagates through orchestrated workflows and destabilizes downstream systems.

Attack Examples

  • A compromised coordinator distributes poisoned context to workers.
  • Recursive task loops trigger resource exhaustion across the stack.

FortifAI Defense

Circuit breakers, isolation boundaries, and failure containment for multi-agent systems.

AA10

Insufficient Observability

Medium Risk

Agents operate as opaque systems without telemetry, making failures and active attacks hard to detect or explain.

Attack Examples

  • Critical tasks fail with no traceable reasoning or state trail.
  • Incidents surface only in outcomes without execution-level evidence.

FortifAI Defense

Real-time telemetry and posture signals across prompts, tools, memory, and policy decisions.

All 10 Threats. One Platform.

FortifAI provides enforcement across all OWASP Agentic Top 10 categories with practical controls that fit existing agent pipelines.

Reference: OWASP Agentic Top 10 Project