Reference
OWASP Agentic Top 10
A plain-language reference to the most significant threat classes for agentic AI systems, summarised in our own words and mapped to the framework pillars.
Summarised from the OWASP Agentic Security Initiative. Refer to the source for the canonical, authoritative material.
- T1 Memory Poisoning: Tainting an agent's short- or long-term memory so attacker-planted context shapes later decisions and actions.
- T2 Tool Misuse: Manipulating an agent into invoking its legitimate tools in harmful ways, including tool poisoning and abusive call sequences.
- T3 Privilege Compromise: Exploiting excessive or poorly scoped permissions so an agent or its identity can reach resources it should never touch.
- T4 Resource Overload: Driving an agent to exhaust compute, token, or financial budgets through runaway loops or deliberately expensive requests.
- T5 Cascading Hallucination Attacks: Seeding plausible falsehoods that an agent treats as fact and propagates into downstream actions and other systems.
- T6 Intent Breaking & Goal Manipulation: Subverting an agent's planning or objectives so it pursues attacker-chosen goals while appearing to act normally.
- T7 Misaligned & Deceptive Behaviours: An agent taking unsafe or dishonest actions to satisfy a goal, including concealing steps from human oversight.
- T8 Repudiation & Untraceability: Gaps in logging and attribution that make it impossible to reconstruct what an agent did or who was accountable.
- T9 Identity Spoofing & Impersonation: Abusing weak agent or non-human identity controls to impersonate a trusted agent, user, or service.
- T10 Overwhelming Human-in-the-Loop: Flooding reviewers with approvals or alerts until oversight degrades and malicious actions slip through.