Threat Matrix Coverage

61 techniques

AgentPwn is the live-coverage layer of the OpenA2A security workflow. Every technique in the canonical AI Agent Threat Matrix is mapped here to a honeypot status, so the gap between what is theorized and what is observably tested against real agents is never hidden.

42   Live coverage: a deployed trap produces evidence for this technique today
8    Queued: in scope for a content honeypot; trap fixture not built yet
11   Out of scope: needs host infra or tooling a web honeypot cannot stage
69%  Live of 61 (50 of 61 are in scope: live + queued)

Coverage is declared from AgentPwn's deployed payload inventory, not asserted by hand. A technique can only be marked live if it maps to an attack category the honeypot actually ships — the build fails otherwise. Published at /coverage.json.
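The build-time rule described above (a technique is live only if every attack category it cites is one the honeypot actually ships) can be enforced by a small validator run over the coverage map before publishing. The script below is an added example, not AgentPwn's own tooling: the category inventory, the entry field names and the sample entries are all constructed for illustration, and the real coverage.json schema is not known from this page.

```python
"""Build-time check for a threat-matrix coverage map.

Added example, not AgentPwn's own code. It mirrors the rule stated on the page:
a technique may be marked live only if every attack category it cites is one the
honeypot actually ships, and the build fails otherwise. The inventory, the entry
schema and the sample entries below are constructed for illustration.
"""
import json
import sys
from collections import Counter

# Assumed inventory of attack categories the deployed payload set ships.
SHIPPED_CATEGORIES = {
    "Prompt Injection", "Jailbreak", "MCP Exploitation",
    "Data Exfiltration", "Context Window",
}
VALID_STATUSES = {"live", "queued", "out_of_scope"}

# Constructed sample coverage entries (field names are assumptions, not the real schema).
SAMPLE_COVERAGE = [
    {"id": "T-2001", "tactic": "Initial Access", "status": "live",
     "categories": ["Prompt Injection"]},
    {"id": "T-2003", "tactic": "Initial Access", "status": "live",
     "categories": ["Jailbreak"]},
    {"id": "T-1002", "tactic": "Reconnaissance", "status": "live",
     "categories": ["MCP Exploitation"]},
    {"id": "T-3006", "tactic": "Credential Harvest", "status": "live",
     "categories": ["Context Window", "Data Exfiltration"]},
    {"id": "T-1006", "tactic": "Reconnaissance", "status": "queued",
     "categories": []},
    {"id": "T-8003", "tactic": "Exfiltration", "status": "out_of_scope",
     "categories": []},
]


def validate(entries, shipped=SHIPPED_CATEGORIES):
    """Return a list of human-readable problems; an empty list means the map is consistent."""
    problems = []
    seen = set()
    for e in entries:
        tid = e.get("id", "<missing id>")
        if tid in seen:
            problems.append(f"{tid}: duplicate technique id")
        seen.add(tid)
        status = e.get("status")
        if status not in VALID_STATUSES:
            problems.append(f"{tid}: unknown status {status!r}")
            continue
        cats = e.get("categories", [])
        if status == "live":
            # The page's rule: live requires a mapping to a shipped attack category.
            if not cats:
                problems.append(f"{tid}: live but cites no attack category")
            for c in cats:
                if c not in shipped:
                    problems.append(f"{tid}: live via unshipped category {c!r}")
        elif cats:
            # Design choice for this example: a non-live entry citing a category
            # would hide a trap that exists but is not counted, so flag it too.
            problems.append(f"{tid}: status {status} but cites categories {cats}")
    return problems


def summarize(entries):
    """Headline numbers in the form the coverage page reports them."""
    counts = Counter(e["status"] for e in entries)
    total = len(entries)
    by_tactic = {}
    for e in entries:
        by_tactic.setdefault(e["tactic"], Counter())[e["status"]] += 1
    return {
        "total": total,
        "live": counts["live"],
        "queued": counts["queued"],
        "out_of_scope": counts["out_of_scope"],
        "in_scope": counts["live"] + counts["queued"],
        "live_pct": round(100 * counts["live"] / total) if total else 0,
        # (live, queued, out_of_scope) per tactic, matching the page's "a / b / c" rows
        "by_tactic": {t: (c["live"], c["queued"], c["out_of_scope"])
                      for t, c in by_tactic.items()},
    }


if __name__ == "__main__":
    # Reads a coverage file if one is given, else the constructed sample.
    # A non-zero exit is what makes the build fail.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            entries = json.load(fh)
    else:
        entries = SAMPLE_COVERAGE
    errors = validate(entries)
    for line in errors:
        print("coverage error:", line, file=sys.stderr)
    if errors:
        sys.exit(1)
    print(json.dumps(summarize(entries), indent=2))
```

Run it as `python check_coverage.py coverage.json` in the publish step; any live technique that points at a category missing from the shipped inventory is reported by id and the process exits non-zero, which is the "build fails otherwise" behaviour the page describes.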

The complete workflow

A matured pipeline: the taxonomy defines threats, three tools detect and benchmark them, and AgentPwn closes the loop by observing real agents fall to them in the wild.

Coverage by tactic

Tactic                 Live / Queued / Out of scope
Reconnaissance         5 / 1 / 1
Initial Access         9 / 0 / 0
Credential Harvest     4 / 2 / 0
Privilege Escalation   7 / 0 / 0
Lateral Movement       1 / 3 / 2
Persistence            5 / 0 / 2
Collection             4 / 1 / 2
Exfiltration           4 / 0 / 2
Impact                 3 / 1 / 2

Every technique

Reconnaissance

T-1001 Endpoint Enumeration
Out of scope
Enumerating the agent's own exposed endpoints is an external scan, not a content trap. HackMyAgent WEBEXPOSE-* covers it.
T-1002 Tool Discovery
Live (MCP Exploitation)
The Tool Discovery tier asks the agent to enumerate its MCP tools and schemas.
T-1003 System Prompt Extraction
Live (Data Exfiltration, Prompt Injection)
System-prompt extraction tiers coax the agent into echoing its instructions verbatim.
T-1004 Security Level Probing
Live (Jailbreak)
Tiered jailbreak payloads measure at what sophistication the agent's guardrails give way: security-level probing by construction.
T-1005 Capability Mapping
Live (MCP Exploitation, Data Exfiltration)
Tool-discovery and system-info tiers map the agent's full capability surface.
T-1006 Agent Card Discovery
Queued
A2A agent-card discovery needs the fake-agent network at /pwnagent, which is queued.
T-1007 Context Window Probing
Live (Context Window)
Context-window tiers probe attention span and saturation before overflow.

Initial Access

T-2001 Direct Prompt Injection
Live (Prompt Injection)
Direct override is tier 1 of prompt injection.
T-2002 Indirect Prompt Injection
Live (Prompt Injection)
Every AgentPwn page is an indirect-injection surface delivered through consumed web content.
T-2003 Role-Play Jailbreak
Live (Jailbreak)
Persona and developer-mode tiers exercise role-play jailbreaks.
T-2004 Context Window Exploitation
Live (Context Window)
Attention-dilution and displacement tiers saturate the window to push out safety instructions.
T-2005 Tool Description Injection
Live (MCP Exploitation)
Tool-injection tiers embed instructions in tool/skill descriptions.
T-2006 Unicode/Encoding Bypass
Live (Prompt Injection)
Higher tiers carry base64, Unicode homoglyph, and zero-width payloads.
T-2007 Multi-Turn Manipulation
Live (Context Manipulation, Context Window)
Task-hijacking and progressive-desensitization tiers shift behavior across multiple steps.
T-2008 System Prompt Boundary Bypass
Live (Prompt Injection)
Delimiter-escape tiers exploit weak system/user prompt boundaries.
T-2009 Parser Differential Exploitation
Live (Prompt Injection)
JSON-LD, markdown, and meta-tag delivery tiers exercise parser-differential injection.

Credential Harvest

T-3001 System Prompt Credential Extraction
Live (Data Exfiltration)
Credential-probe tiers extract secrets referenced in the system prompt.
T-3002 Environment Variable Leakage
Live (Data Exfiltration)
The credential-probe tier asks the agent to dump environment variables and keys.
T-3003 Tool Response Credential Capture
Queued
Capturing creds from a fake tool response needs an MCP fixture that returns secrets; not yet wired.
T-3004 Memory Credential Mining
Live (Data Exfiltration, Memory Weaponization)
Conversation-history-leak tiers surface credentials from prior context.
T-3005 Configuration File Access
Queued
A trap-page filesystem fixture (read a config file for creds) is not yet wired.
T-3006 Context Window Credential Leak
Live (Context Window)
Context-window tiers leak credentials retained in the active window.

Privilege Escalation

T-4001 Capability Override
Live (Capability Abuse)
Confused-deputy tiers push the agent past its declared capabilities.
T-4002 Admin Impersonation
Live (Context Manipulation)
Authority-impersonation tiers inject fake admin/system messages.
T-4003 Tool Parameter Injection
Live (MCP Exploitation)
Tool-injection tiers smuggle malicious parameters into tool calls.
T-4004 Delegation Abuse
Live (Agent-to-Agent Attack)
Delegation-abuse tier escalates through trusted agent chains.
T-4005 Policy Bypass via Encoding
Live (Prompt Injection)
Base64/Unicode tiers bypass policy enforcement on actions.
T-4006 Safety Instruction Displacement
Live (Context Window)
Instruction-displacement tiers evict safety instructions from active context.
T-4007 Tool Impersonation and Squatting
Live (MCP Exploitation, Tool Shadow)
Tool-injection and ghost-tool tiers exercise tool squatting and shadowing.

Lateral Movement

T-5001 SSRF via Tool
Queued
A confused-deputy SSRF fixture (canary internal URL) is adjacent to capability-abuse but not yet wired.
T-5002 A2A Agent Pivoting
Live (Agent-to-Agent Attack)
Worm-propagation and impersonation tiers pivot across A2A connections.
T-5003 MCP Server Hopping
Queued
A multi-MCP fixture network for server hopping is not yet built.
T-5004 Credential Reuse
Out of scope
Reusing harvested credentials against a second system is not something a content honeypot can stage.
T-5005 Database Pivoting
Out of scope
Database pivoting needs live DB tooling; DVAA covers it.
T-5006 Internal API Discovery
Queued
A fake internal-API trap fixture is not yet built.

Persistence

T-6001 Memory Injection
Live (Memory Weaponization)
Memory-injection tier persists instructions across sessions.
T-6002 Self-Replicating Memory Entry
Live (Memory Weaponization)
Self-re-injecting memory entries extend the memory-injection tier.
T-6003 Configuration Modification
Out of scope
Modifying the agent's own config on its host is not observable via web content.
T-6004 Skill/Plugin Backdoor
Live (Supply Chain)
Fake-package and malicious-MCP-server tiers instruct a backdoored skill/plugin install.
T-6005 Scheduled Task Injection
Out of scope
Scheduled-task injection needs host cron/scheduler context the honeypot never sees.
T-6006 Tool Registration Persistence
Live (Supply Chain, Tool Shadow)
Malicious-MCP-server and ghost-tool tiers register tools that persist in the registry.
T-6007 Persistent Agent State Manipulation
Live (Memory Weaponization)
Context-cache-poisoning tier persists tampered state across sessions.

Collection

T-7001 File System Enumeration
Out of scope
Filesystem enumeration needs real file-tool access; DVAA covers it.
T-7002 Database Extraction
Out of scope
Database extraction needs live DB tooling not present on the honeypot.
T-7003 API Data Harvesting
Live (Data Exfiltration)
Data-exfiltration tiers harvest data the agent surfaces from connected sources.
T-7004 Memory Dump
Live (Memory Weaponization)
Memory-dump payloads extract the agent's stored conversation state.
T-7005 Configuration Harvesting
Queued
A dedicated configuration-harvest trap fixture is not yet wired.
T-7006 PII Discovery
Live (Data Exfiltration)
Sector trap pages (/trap/medical-records, /trap/legal-documents, /trap/customer-portal, /trap/sec-filing) bait PII collection.
T-7007 Context Assembly Pipeline Attack
Live (Prompt Injection, Context Window)
Multi-surface delivery tiers inject into the prompt-assembly pipeline.

Exfiltration

T-8001 Email Exfiltration
Out of scope
AgentPwn does not simulate email-sending tools.
T-8002 HTTP Callback
Live (Data Exfiltration)
AgentPwn's primary signal: the payload HTTP callback fires.
T-8003 DNS Exfiltration
Out of scope
No DNS path on an HTTP honeypot.
T-8004 Tool Chain Exfiltration
Live (Capability Abuse)
Tool-chain tiers stage exfiltration through legitimate-looking operations.
T-8005 Conversation Exfiltration
Live (Data Exfiltration)
Conversation-exfiltration tier encodes data into the agent's visible response.
T-8006 Webhook Exfiltration
Live (Data Exfiltration)
URL/markdown-image exfiltration shares the callback channel; observable per technique tag.

Impact

T-9001 Data Manipulation
Out of scope
Destructive data manipulation needs write tooling; the benevolent honeypot never stages it.
T-9002 Service Disruption
Live (Capability Abuse, Tool Shadow)
Cost-amplification and recursive-tool-loop tiers drive resource exhaustion.
T-9003 Malicious Code Deployment
Out of scope
No code-execution path on the honeypot; instruct-only, not observable.
T-9004 Multi-Agent Consensus Manipulation
Live (Agent-to-Agent Attack)
Worm-propagation and delegation tiers influence multi-agent consensus.
T-9005 Reputation Poisoning
Queued
Eliciting reputation-damaging output via jailbreak tiers is adjacent; no dedicated fixture yet.
T-9006 Supply Chain Compromise
Live (Supply Chain)
Malicious-MCP-server and fake-package tiers compromise the downstream supply chain.

Why 11 techniques are out of scope

AgentPwn observes what an agent can be tricked into through web content it reads. It cannot stage the agent's own post-compromise infrastructure — credential reuse against a second system, database pivoting, host config or cron modification, code execution, or DNS/email exfiltration channels. Those techniques are detected statically by HackMyAgent and exercised end-to-end in DVAA. Marking them out of scope keeps the live number honest.

Test your agent against the live layer

Run the scanner that shares this taxonomy.

npx hackmyagent secure