// mcp attack surface
The OWASP Agentic Top 10 — attack, control, detection
Give a model tools and autonomy and you inherit a new attack surface. The OWASP Top 10 for Agentic Applications (2026) is the benchmark for what goes wrong.
I assume the model itself will be jailbroken — so prevention lives in the server, not the prompt. And because prevention fails, each risk also needs an answer to the question defenders actually ask: how would I know?
ASI01 (2026): Agent Goal Hijack
Attack: Injected text in a tool result quietly rewrites the agent's objective.
Control · prevent: Tool output is structured and isolated from the system prompt, never read as instructions, and DLP-scanned. Content can't rewrite the goal.
Detection · SOC: Flag tool-call chains whose target diverges from the session's stated task, and scan tool output for imperative/injection patterns before it can influence a call.
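For ASI01, here is an added example (not code from the page) of the server-side shape of that control and detection together: tool output is wrapped in a typed envelope so it reaches the model as data, the envelope carries the result of a scan for injection-shaped phrasing, and the next tool call is gated both on those flags and on whether its target is inside the session's declared task scope. The pattern list, the `ToolResult` envelope and the allowed-target set are assumptions for the example, not part of any MCP specification.

```python
# Added example (not from the page): MCP-server-side envelope for tool results
# plus a pre-call scan for injection-shaped text. Patterns and the envelope
# shape are illustrative assumptions; tune them for your deployment.
import re
from dataclasses import dataclass, field

# Imperative / instruction-override phrasings typical of indirect prompt
# injection. Constructed for the example; a real list is larger and curated.
INJECTION_PATTERNS = [
    r"\bignore (all |any )?(previous|prior|above) (instructions|rules)\b",
    r"\byou are now\b",
    r"\bnew (system )?instructions?\b",
    r"\b(system|assistant)\s*:\s*",
    r"\bdo not (tell|inform) the user\b",
    r"\b(send|post|upload|forward) .* to (https?://|[\w.-]+@)",
]
_COMPILED = [re.compile(p, re.IGNORECASE) for p in INJECTION_PATTERNS]


@dataclass
class ToolResult:
    tool: str
    data: str                      # opaque content; never concatenated into the system prompt
    content_type: str = "text/plain"
    flags: list = field(default_factory=list)


def scan_for_injection(text: str) -> list[str]:
    """Return the patterns that matched; an empty list means nothing was found."""
    return [p.pattern for p in _COMPILED if p.search(text)]


def wrap_tool_result(tool: str, raw: str) -> ToolResult:
    """Structure a tool's raw output as data and attach any injection flags.
    The model receives the envelope, not the raw bytes, so the result can
    never be mistaken for a system message."""
    return ToolResult(tool=tool, data=raw, flags=scan_for_injection(raw))


def should_block_next_call(result: ToolResult, next_target: str,
                           allowed_targets: set[str]) -> tuple[bool, str]:
    """Gate the follow-up tool call. Block (and surface a reason for the SOC)
    if the preceding output carried injection-shaped text, or if the chosen
    target lies outside the session's declared task scope."""
    if result.flags:
        return True, f"injection-shaped content in output of {result.tool}: {result.flags[0]}"
    if next_target not in allowed_targets:
        return True, f"target {next_target!r} diverges from task scope {sorted(allowed_targets)}"
    return False, "ok"
```

The block-or-allow decision is made in code, before the model sees the next turn; the reason string is what the detection pipeline logs.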
ASI02 (2026): Tool Misuse & Exploitation
Attack: Legitimate tools bent into destructive or over-scoped actions.
Control · prevent: Runtime endpoint allowlist (least privilege), per-argument validation, and per-tool rate limits. Non-approved calls are rejected in code.
Detection · SOC: Alert on exfil-shaped sequences — a read-heavy query immediately followed by an external send — and on any user crossing N× their tool-call baseline.
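For ASI02, an added example (not the page's code) of one gateway object that enforces all three controls and emits both detections: calls to tools not on the allowlist, with a failing argument validator, or over the per-tool limit are rejected before anything runs; accepted calls are recorded so that a burst of reads followed directly by an external send, or a call count above N× a baseline, raises an alert. The `TOOL_POLICY` table, the read/send tool classes, the thresholds and the injected clock are assumptions for the example.

```python
# Added example (not from the page): allowlist + argument validation +
# per-tool rate limit, with exfil-sequence and baseline detections.
# TOOL_POLICY and the thresholds are constructed for the example.
import time
from collections import defaultdict, deque

# name -> argument validators and calls allowed per minute (assumed policy)
TOOL_POLICY = {
    "search_docs": {"args": {"query": lambda v: isinstance(v, str) and len(v) <= 256}, "per_minute": 30},
    "read_record": {"args": {"id": lambda v: isinstance(v, int) and v > 0}, "per_minute": 60},
    "send_webhook": {"args": {"url": lambda v: isinstance(v, str)
                              and v.startswith("https://hooks.internal.example/")}, "per_minute": 5},
}
READ_TOOLS = {"search_docs", "read_record"}
EXTERNAL_SEND_TOOLS = {"send_webhook"}


class ToolGateway:
    def __init__(self, policy=TOOL_POLICY, clock=time.monotonic):
        self.policy = policy
        self.clock = clock                    # injectable for tests
        self.calls = defaultdict(deque)       # (user, tool) -> timestamps within the last 60 s
        self.history = defaultdict(deque)     # user -> (ts, tool) within the last 120 s
        self.alerts = []

    def authorize(self, user, tool, args):
        """Reject in code anything not allowlisted, mis-typed, or over the per-tool limit."""
        spec = self.policy.get(tool)
        if spec is None:
            return False, f"tool {tool!r} not on allowlist"
        for name, check in spec["args"].items():
            if name not in args or not check(args[name]):
                return False, f"argument {name!r} failed validation"
        if set(args) - set(spec["args"]):
            return False, "unexpected arguments"
        now = self.clock()
        window = self.calls[(user, tool)]
        while window and now - window[0] > 60:
            window.popleft()
        if len(window) >= spec["per_minute"]:
            return False, f"rate limit for {tool!r} exceeded"
        window.append(now)
        self._record(user, tool, now)
        return True, "ok"

    def _record(self, user, tool, now):
        """Detection: several reads followed directly by an external send is exfil-shaped."""
        hist = self.history[user]
        hist.append((now, tool))
        while hist and now - hist[0][0] > 120:
            hist.popleft()
        if tool in EXTERNAL_SEND_TOOLS:
            reads = sum(1 for _, t in list(hist)[:-1] if t in READ_TOOLS)
            if reads >= 5:
                self.alerts.append(f"exfil-shaped sequence: {reads} reads then {tool} by {user}")

    def over_baseline(self, user, baseline_calls, factor=3):
        """Detection: the user's recent call count exceeds N× their learned baseline
        for the same window (the baseline is assumed to come from historical data)."""
        return len(self.history[user]) > factor * baseline_calls
```

Only accepted calls enter the history, so the sequence detector reasons about what actually executed, not about what was attempted and refused.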
ASI03 (2026): Identity & Privilege Abuse
Attack: Over-broad or leaked credentials let the agent act beyond its scope.
Control · prevent: OAuth 2.1 + PKCE, JWT verified on every call (iss/aud/exp/sub), least-privilege scopes, and a separate token per downstream — no ambient authority.
Detection · SOC: Alert when a token is used for endpoints or scopes outside its grant, or when one identity suddenly reaches resources it never touches.
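For ASI03, an added example (not the page's code) of the per-call verification the control describes and the out-of-grant alert the detection describes. It uses HS256 with the standard library so it runs offline; a production OAuth 2.1 resource server would normally verify an asymmetric signature against the authorization server's published keys, and PKCE happens on the client side and is not shown. The issuer and audience strings, the `TOOL_SCOPES` map and the `mint_test_token` helper are assumptions for the example; the helper exists only so the test can produce a token.

```python
# Added example (not from the page): verify a JWT on every call (signature,
# then iss/aud/exp/sub), map tools to required scopes, and alert when a token
# is used outside its grant. HS256 + stdlib for offline runnability.
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class TokenRejected(Exception):
    pass


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Verify signature first, then iss/aud/exp/sub. Raises TokenRejected on any failure."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":        # the server pins the algorithm it accepts
        raise TokenRejected("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenRejected("expired")
    if not claims.get("sub"):
        raise TokenRejected("missing sub")
    return claims


# Assumed mapping of tools to the OAuth scope each one requires.
TOOL_SCOPES = {"read_record": "records:read", "send_webhook": "webhooks:send"}


def authorize_tool(claims: dict, tool: str, audit: list) -> bool:
    """Least privilege per tool; an out-of-grant attempt is refused and alerted on."""
    granted = set(claims.get("scope", "").split())
    needed = TOOL_SCOPES.get(tool)
    if needed is None or needed not in granted:
        audit.append(f"ALERT sub={claims.get('sub')} tried {tool} outside grant {sorted(granted)}")
        return False
    return True


def mint_test_token(key: bytes, claims: dict) -> str:
    """Test-only issuer, constructed here. In production only the authorization server mints tokens."""
    h = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"
```

The order matters: signature before claims, so an attacker-controlled payload is never parsed for policy decisions until it is known to be authentic.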
ASI04 (2026): Agentic Supply Chain
Attack: A poisoned tool, registry, or dependency subverts the agent.
Control · prevent: Pinned, verified dependencies; vetted MCP servers and tool descriptors; secret scanning in CI; no silent tool installation.
Detection · SOC: Alert when a tool descriptor's hash changes after approval, when an unrecognized MCP server registers, or on dependency-lockfile drift.
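For ASI04, an added example (not the page's code) of pinning tool descriptors at approval time and alerting on drift: descriptors are hashed over canonical JSON so key order cannot hide or fake a change, and a later advertisement is compared field by field against the pins. The same pin-and-compare step generalizes to a dependency lockfile. The server name, the `APPROVED` descriptor and the tuple-keyed pin store are constructed for the example.

```python
# Added example (not from the page): hash-pin approved MCP tool descriptors and
# alert on drift, unapproved tools, or an unrecognized server. The descriptor
# below is constructed for the example.
import hashlib
import json


def descriptor_hash(descriptor: dict) -> str:
    """Canonical JSON (sorted keys, fixed separators) so the hash is stable across reorderings."""
    canon = json.dumps(descriptor, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def pin_server(server_name: str, tools: list[dict]) -> dict:
    """Record the approved state: one hash per tool, keyed by (server, tool name)."""
    return {(server_name, t["name"]): descriptor_hash(t) for t in tools}


def check_drift(pins: dict, server_name: str, tools: list[dict]) -> list[str]:
    """Compare what the server advertises now against the approved pins.
    Returns alert strings; an empty list means nothing changed."""
    alerts = []
    seen = set()
    for t in tools:
        key = (server_name, t["name"])
        seen.add(key)
        h = descriptor_hash(t)
        if key not in pins:
            alerts.append(f"unapproved tool {t['name']!r} advertised by {server_name}")
        elif pins[key] != h:
            alerts.append(f"descriptor hash changed for {server_name}/{t['name']}: "
                          f"{pins[key][:12]} -> {h[:12]}")
    for key in pins:
        if key[0] == server_name and key not in seen:
            alerts.append(f"approved tool {key[1]!r} disappeared from {server_name}")
    return alerts


def check_unknown_server(pins: dict, server_name: str) -> list[str]:
    """A server with no approved pins at all is an unrecognized registration."""
    if not any(k[0] == server_name for k in pins):
        return [f"unrecognized MCP server {server_name!r} attempted to register"]
    return []


# Constructed descriptor standing in for what a vetted server advertised at approval.
APPROVED = [{
    "name": "read_record",
    "description": "Read one record by id.",
    "inputSchema": {"type": "object", "properties": {"id": {"type": "integer"}}, "required": ["id"]},
}]
```

A changed description is the case worth watching: the model reads descriptions as guidance, so a one-sentence edit after approval changes behaviour without touching any code the CI pipeline scans.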
ASI05 (2026): Unexpected Code Execution
Attack: Untrusted input reaches eval/exec — remote code execution.
Control · prevent: No eval/exec on model-influenced input; strict input schemas; sandboxed, capability-scoped execution — arbitrary-code tools are denied.
Detection · SOC: Alert when eval/exec paths fire, on unexpected child-process spawns from the MCP process, or when code-shaped input reaches an executor.
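For ASI05, an added example (not the page's code) of a calculator tool written the way to avoid and then the way the control requires: the first hands model-influenced text to `eval`; the second parses it into an AST and walks only the node types its schema allows (numeric literals and five arithmetic operators), so nothing is ever executed as code and everything else is rejected before evaluation. A separate `looks_like_code` hook stands in for the detection side, logging code-shaped input independently of whether the validator would have caught it. The operator set, length cap and token list are assumptions for the example.

```python
# Added example (not from the page): the 'before' (eval on model-influenced
# input) beside a strict, non-executing evaluator, plus a detection hook for
# code-shaped input. Limits and token list are illustrative assumptions.
import ast
import operator


def calc_unsafe(expr: str):
    """The pattern to avoid: any string that is valid Python runs with the server's privileges."""
    return eval(expr)  # shown only as the 'before'; never ship this


_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
        ast.Div: operator.truediv, ast.USub: operator.neg}


class RejectedInput(ValueError):
    pass


def calc_safe(expr: str, max_len: int = 200) -> float:
    """Strict schema for one tool: arithmetic over numeric literals only.
    Names, calls, attributes, exponentiation and anything else are rejected
    before evaluation, and no node is ever executed as code."""
    if len(expr) > max_len:
        raise RejectedInput("input too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as e:
        raise RejectedInput("not an arithmetic expression") from e

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.operand))
        raise RejectedInput(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


# Tokens that should never appear in arithmetic input; their presence is logged
# as a detection event before the input reaches any executor.
CODE_SHAPED = ("__import__", "import ", "open(", "os.", "subprocess", "exec(", "eval(", "getattr(", "__")


def looks_like_code(text: str) -> bool:
    """Detection hook: flag code-shaped input independently of the validator."""
    return any(tok in text for tok in CODE_SHAPED)
```

Exponentiation is left out deliberately: even a pure-arithmetic evaluator can be turned into a denial of service by a huge exponent, so the schema admits only operators whose cost is bounded by input length.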
ASI06 (2026): Memory & Context Poisoning
Attack: Adversarial data persisted into memory poisons future decisions.
Control · prevent: Memory writes are untrusted input: validated and provenance-tracked on ingest, scoped per tenant/session, and sanitized before reuse.
Detection · SOC: Flag memory/RAG writes from low-trust sources, and retrieval of freshly-written context that then steers a sensitive action (provenance gaps).
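For ASI06, an added example (not the page's code) of a memory store that treats every write as untrusted input: entries are validated and stamped with source and time on ingest, retrieval is scoped to the caller's tenant and session, reuse re-presents entries as quoted data with their provenance, and a sensitive action that follows a fresh low-trust write is flagged as a provenance gap. The `TRUST` levels, the size cap and the freshness window are assumptions for the example.

```python
# Added example (not from the page): provenance-tracked, tenant-scoped memory
# with low-trust-write and provenance-gap detections. Trust levels, the size
# cap and the freshness window are illustrative assumptions.
import time
from dataclasses import dataclass

TRUST = {"system": 3, "user": 2, "tool": 1, "web": 0}   # assumed trust per source
MAX_ENTRY = 2000


@dataclass(frozen=True)
class MemoryEntry:
    tenant: str
    session: str
    source: str        # who wrote it: system / user / tool / web
    text: str
    written_at: float


class MemoryStore:
    def __init__(self, clock=time.time):
        self.entries = []
        self.clock = clock          # injectable for tests
        self.alerts = []

    def write(self, tenant, session, source, text):
        """Ingest: validate, tag provenance, scope to tenant/session.
        Unknown sources and bad payloads are refused rather than stored."""
        if source not in TRUST:
            raise ValueError(f"unknown source {source!r}")
        if not text or len(text) > MAX_ENTRY or "\x00" in text:
            raise ValueError("invalid memory payload")
        entry = MemoryEntry(tenant, session, source, text.strip(), self.clock())
        self.entries.append(entry)
        if TRUST[source] == 0:
            self.alerts.append(f"low-trust memory write from {source} in {tenant}/{session}")
        return entry

    def retrieve(self, tenant, session, min_trust=0):
        """Only the caller's own tenant and session are visible; never cross-tenant."""
        return [e for e in self.entries
                if e.tenant == tenant and e.session == session and TRUST[e.source] >= min_trust]

    def sanitize_for_prompt(self, entries):
        """Reuse: memory goes back to the model as quoted data with its provenance, not as instructions."""
        return "\n".join(f"[memory source={e.source} t={int(e.written_at)}] {e.text!r}" for e in entries)

    def check_sensitive_action(self, tenant, session, action, recent_seconds=300):
        """Detection: a sensitive action steered by context written moments ago from a
        low-trust source is a provenance gap. Returns the alert text, or None."""
        now = self.clock()
        fresh_low = [e for e in self.retrieve(tenant, session)
                     if TRUST[e.source] <= 1 and now - e.written_at <= recent_seconds]
        if fresh_low:
            msg = f"{action} in {tenant}/{session} follows {len(fresh_low)} fresh low-trust memory write(s)"
            self.alerts.append(msg)
            return msg
        return None
```

The `min_trust` argument lets a sensitive tool ask for user- or system-sourced context only, which is the least-privilege version of retrieval.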
ASI07 (2026): Insecure Inter-Agent Comms
Attack: Agent-to-agent / MCP messages tampered, spoofed, or injected.
Control · prevent: Authenticated, structured channels (mTLS / scoped tokens); every message validated; peer output treated as data, never commands.
Detection · SOC: Alert on failed-auth or unauthenticated peer messages, on messages failing schema/claims validation, and on sudden inter-agent volume spikes.
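For ASI07, an added example (not the page's code) of a receiving agent's channel that authenticates each peer message, validates its schema and claims (addressee, message type, freshness, replay), returns the payload strictly as data, and records the three detections named above. Per-peer HMAC keys stand in for the mTLS identities or scoped tokens a real deployment would use; the peer names, `REQUIRED` schema, allowed types, skew and spike thresholds are assumptions for the example.

```python
# Added example (not from the page): authenticated, schema-validated
# inter-agent messages with failed-auth, validation and volume-spike alerts.
# Per-peer HMAC keys are a stand-in for mTLS / scoped tokens (assumption).
import hashlib
import hmac
import json
import time

PEER_KEYS = {"planner": b"planner-key-constructed", "executor": b"executor-key-constructed"}
REQUIRED = {"from": str, "to": str, "nonce": str, "ts": (int, float), "type": str, "payload": dict}
ALLOWED_TYPES = {"task_result", "status"}


def _canonical(msg: dict) -> bytes:
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign_message(msg: dict, key: bytes) -> dict:
    """Sender side: sign the canonical form of every field."""
    return {**msg, "sig": hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()}


class PeerChannel:
    def __init__(self, me, clock=time.time, max_skew=30.0):
        self.me, self.clock, self.max_skew = me, clock, max_skew
        self.seen_nonces = set()
        self.alerts = []
        self.recent = []            # accepted-message timestamps, for spike detection

    def receive(self, msg: dict):
        """Authenticate, validate schema and claims, then hand back the payload as data only."""
        sig, sender = msg.get("sig"), msg.get("from")
        key = PEER_KEYS.get(sender)
        if key is None or not sig:
            return self._reject("unauthenticated peer message", msg)
        unsigned = {k: v for k, v in msg.items() if k != "sig"}
        if not hmac.compare_digest(hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest(), sig):
            return self._reject("failed-auth (bad signature)", msg)
        for field, typ in REQUIRED.items():
            if field not in unsigned or not isinstance(unsigned[field], typ):
                return self._reject(f"schema violation: {field}", msg)
        if unsigned["to"] != self.me or unsigned["type"] not in ALLOWED_TYPES:
            return self._reject("claims validation failed", msg)
        if abs(self.clock() - unsigned["ts"]) > self.max_skew or unsigned["nonce"] in self.seen_nonces:
            return self._reject("stale or replayed message", msg)
        self.seen_nonces.add(unsigned["nonce"])
        self._count()
        # Peer output is data for the caller to inspect; it is never executed as an instruction.
        return {"ok": True, "from": sender, "data": unsigned["payload"]}

    def _reject(self, why, msg):
        self.alerts.append(f"{why} from {msg.get('from')!r}")
        return {"ok": False, "reason": why}

    def _count(self, window=10.0, spike=50):
        """Detection: more than `spike` accepted messages inside `window` seconds."""
        now = self.clock()
        self.recent = [t for t in self.recent if now - t <= window] + [now]
        if len(self.recent) > spike:
            self.alerts.append(f"inter-agent volume spike: {len(self.recent)} msgs in {window}s")
```

Signature verification runs before schema checks so that a forged message cannot probe the validator, and the nonce set is the minimum needed to make a captured message useless on replay.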
ASI08 (2026): Cascading Agent Failures
Attack: One compromised or failing agent cascades across the system.
Control · prevent: Blast-radius limits, circuit breakers, per-agent least privilege and rate limits, and a kill-switch backed by full audit.
Detection · SOC: Watch for error-rate propagation across agents, retry storms, and circuit-breaker trips correlated within a short window.
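For ASI08, an added example (not the page's code) of a per-agent circuit breaker that fails fast once a downstream is unhealthy, recovers through a half-open probe after a cooldown, and reports each trip to a correlator that raises the cascade alert when several agents trip inside one short window. Thresholds, window sizes and the injected clock are assumptions for the example.

```python
# Added example (not from the page): per-agent circuit breaker plus a
# correlator that flags trips clustered across agents as a cascade.
# Thresholds and windows are illustrative assumptions.
import time
from collections import deque


class CircuitBreaker:
    """Opens after `threshold` failures within `window` seconds; half-open after `cooldown`."""

    def __init__(self, name, threshold=5, window=30.0, cooldown=60.0,
                 clock=time.monotonic, on_trip=None):
        self.name, self.threshold, self.window, self.cooldown = name, threshold, window, cooldown
        self.clock, self.on_trip = clock, on_trip
        self.failures = deque()
        self.opened_at = None

    def allow(self) -> bool:
        if self.opened_at is None:
            return True
        if self.clock() - self.opened_at >= self.cooldown:   # half-open: let one probe through
            self.opened_at = None
            self.failures.clear()
            return True
        return False

    def record(self, ok: bool):
        if ok:
            return
        now = self.clock()
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.window:
            self.failures.popleft()
        if len(self.failures) >= self.threshold and self.opened_at is None:
            self.opened_at = now
            if self.on_trip:
                self.on_trip(self.name, now)


class TripCorrelator:
    """Detection: breakers of `min_agents` distinct agents tripping within `window` seconds."""

    def __init__(self, window=60.0, min_agents=3):
        self.window, self.min_agents = window, min_agents
        self.trips = deque()
        self.alerts = []

    def on_trip(self, agent, ts):
        self.trips.append((ts, agent))
        while self.trips and ts - self.trips[0][0] > self.window:
            self.trips.popleft()
        agents = {a for _, a in self.trips}
        if len(agents) >= self.min_agents:
            self.alerts.append(f"cascade: {sorted(agents)} tripped within {self.window}s")


def call_with_breaker(breaker, fn, *args):
    """Wrap a downstream call: refuse fast while open, otherwise record the outcome."""
    if not breaker.allow():
        return None, "circuit open"
    try:
        result = fn(*args)
    except Exception as e:
        breaker.record(False)
        return None, f"failed: {e}"
    breaker.record(True)
    return result, "ok"
```

Refusing fast while open is what bounds the blast radius: a failing downstream stops generating retries from every agent that depends on it, which is also why a retry storm shows up in the correlator rather than in the logs of one agent.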
ASI09 (2026): Human-Agent Trust Exploitation
Attack: The agent is used to manipulate the human in the loop.
Control · prevent: Provenance and citations on every output, human-approval gates on high-impact actions, and no unattended privileged operations.
Detection · SOC: Flag high-impact actions approved with abnormally low latency (rubber-stamping) and outputs lacking provenance that precede an approval.
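For ASI09, an added example (not the page's code) of an approval gate: high-impact actions pause until a named human approves, the request records whether the agent's recommendation carried provenance, and the approval records review latency so that both detections (a sub-threshold review time and an approval that followed an output without provenance) fall out of the same record. The `HIGH_IMPACT` set and the review-time threshold are assumptions for the example.

```python
# Added example (not from the page): human-approval gate with provenance and
# review-latency detections. HIGH_IMPACT and MIN_REVIEW_SECONDS are assumptions.
import time

MIN_REVIEW_SECONDS = 5.0       # below this, a human could not plausibly have read the request
HIGH_IMPACT = {"transfer_funds", "delete_repo", "grant_admin"}


class ApprovalGate:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for tests
        self.pending = {}           # request id -> (action, requested_at, has_provenance)
        self.alerts = []
        self._seq = 0

    def request(self, action, citations):
        """Every high-impact action pauses here; nothing privileged runs unattended.
        `citations` is the provenance the agent attached to its recommendation.
        Returns a request id, or None when no gate is needed."""
        if action not in HIGH_IMPACT:
            return None
        self._seq += 1
        rid = f"req-{self._seq}"
        has_prov = bool(citations)
        self.pending[rid] = (action, self.clock(), has_prov)
        if not has_prov:
            self.alerts.append(f"{rid}: {action} recommended without provenance")
        return rid

    def approve(self, rid, approver):
        """Record who approved, and how long they took; flag rubber-stamps."""
        action, requested_at, has_prov = self.pending.pop(rid)
        latency = self.clock() - requested_at
        if latency < MIN_REVIEW_SECONDS:
            self.alerts.append(f"{rid}: {approver} approved {action} in {latency:.1f}s (rubber-stamp?)")
        if not has_prov:
            self.alerts.append(f"{rid}: approval followed an output lacking provenance")
        return {"id": rid, "action": action, "approver": approver, "review_seconds": latency}
```

The gate is only as good as what the approver sees: the same record that feeds the SOC should show the human the citations, so a missing-provenance request is visibly empty rather than merely logged.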
ASI10 (2026): Rogue Agents
Attack: An agent operating outside policy, undetected.
Control · prevent: Every action audited and traceable to the prompt that caused it, anomaly monitoring and alerts, least privilege, and a kill-switch.
Detection · SOC: Alert on any action with no matching originating-prompt hash, activity outside authorized windows, or deviation from the agent's behavioral baseline.
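For ASI10, an added example (not the page's code) of the audit record the control describes and the three detections built on it: every prompt is hashed when it arrives, every action is written with the hash of the prompt that caused it, and an action whose hash matches no recorded prompt, falls outside the authorized window, or uses a tool outside the agent's baseline raises an alert; a kill-switch halts the agent and writes why. The authorized hours, the baseline tool set and the retention of prompt text are assumptions for the example.

```python
# Added example (not from the page): audit log keyed by originating-prompt hash,
# with no-origin, out-of-window and off-baseline detections and a kill-switch.
# AUTHORIZED_HOURS_UTC and BASELINE_TOOLS are illustrative assumptions.
import hashlib
import time
from datetime import datetime, timezone

AUTHORIZED_HOURS_UTC = range(8, 18)                          # assumed: agent may act 08:00-17:59 UTC
BASELINE_TOOLS = {"read_record", "search_docs", "summarize"}  # assumed learned behavioral baseline


def prompt_hash(prompt: str) -> str:
    return hashlib.sha256(prompt.encode()).hexdigest()


class AuditLog:
    """Every action carries the hash of the prompt that caused it, so any action
    can be traced back and any action without a matching prompt stands out."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for tests
        self.prompts = {}           # hash -> prompt text (retained per your data policy)
        self.actions = []
        self.alerts = []
        self.killed = False

    def record_prompt(self, prompt: str) -> str:
        h = prompt_hash(prompt)
        self.prompts[h] = prompt
        return h

    def record_action(self, agent: str, tool: str, args: dict, origin_hash: str) -> dict:
        ts = self.clock()
        entry = {"ts": ts, "agent": agent, "tool": tool, "args": args, "origin": origin_hash}
        self.actions.append(entry)
        hour = datetime.fromtimestamp(ts, tz=timezone.utc).hour
        if origin_hash not in self.prompts:
            self.alerts.append(f"{agent}: {tool} has no matching originating prompt")
        if hour not in AUTHORIZED_HOURS_UTC:
            self.alerts.append(f"{agent}: {tool} at {hour:02d}:00 UTC outside authorized window")
        if tool not in BASELINE_TOOLS:
            self.alerts.append(f"{agent}: {tool} deviates from behavioral baseline")
        return entry

    def trace(self, entry: dict):
        """Control: from any audited action back to the prompt that caused it."""
        return self.prompts.get(entry["origin"])

    def kill_switch(self, agent: str, reason: str):
        """Halt the agent; the reason is part of the audit trail."""
        self.killed = True
        self.alerts.append(f"kill-switch: {agent} halted ({reason})")
```

The no-origin check is the one that catches a genuinely rogue agent: an action that was never asked for by anything in the prompt history cannot be explained by a bad prompt, only by the agent itself.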
Categories per the OWASP Gen AI Security Project.
More depth in why guardrails belong in the server.