The OWASP Top 10 for Agentic Applications (2026): a practical defense guide

The OWASP Top 10 for Agentic Applications, published in December 2025 by the OWASP GenAI Security Project, names the failure modes specific to systems that plan, use tools, hold memory, and coordinate with other agents. Strathon's threat model is anchored to it. Here is each of the ten risks (ASI01 to ASI10) and a concrete defense, including the cases where a runtime firewall only reduces blast radius rather than removing the risk.

ASI01: Agent Goal Hijack

An attacker steers the agent's objectives through injected instructions in documents, tool output, or external data. Defense: CEL policies that inspect prompt and input content, block or alert on injection patterns, and validate new rules in shadow mode before they enforce.

ASI02: Tool Misuse and Exploitation

The agent calls a legitimate tool in a harmful way. Defense: deny-by-default tool allow-lists and CEL rules that inspect arguments, with human approval required for destructive operations.

attrs["gen_ai.tool.name"] == "send_email" &&
  !attrs["gen_ai.content"].contains("@yourcompany.com")

ASI03: Identity and Privilege Abuse

An agent acquires or uses permissions it should not have. Defense: scoped API keys, role-based access control, MFA, and per-key rate limits, so a compromised agent can only reach the tools its role permits.

ASI04: Agentic Supply Chain Vulnerabilities

A compromised tool, plugin, or MCP server enters the agent's runtime. Honest scope: Strathon is not a software-composition scanner, so it does not vet the supply chain itself. What it does is contain the blast radius: tool allow-lists and egress domain allow-listing mean a compromised component can only invoke approved tools and reach approved destinations.

ASI05: Unexpected Code Execution

An agent generates and runs code or shell commands in unsafe ways. Defense: CEL policies gate code-execution and shell tools (block, throttle, or require approval), and the egress proxy limits what executed code can reach. Sandboxing the runtime itself is still your responsibility; Strathon governs the tool-call boundary.

ASI06: Memory and Context Poisoning

Untrusted content is written into memory or retrieved context and steers later decisions. Defense: scan tool inputs and outputs at ingest and gate writes behind policy. This is partly detective: behavioral drift detection catches the downstream effects of poisoned context even when the write itself slipped through.

ASI07: Insecure Inter-Agent Communication

Messages between agents are spoofed, intercepted, or unvalidated. Defense: the MCP gateway intercepts agent-to-agent and agent-to-tool calls and evaluates each one against your policies, rather than trusting them implicitly.

ASI08: Cascading Failures

One bad step feeds the next and compounds across a chain or a fleet. Defense: cost and iteration budgets with auto-halt, circuit breakers, kill switches, and halt propagation that stop a runaway agent before the failure spreads.

ASI09: Human-Agent Trust Exploitation

Users over-trust an agent, or an agent manipulates a human into approving something. Defense: human approval for sensitive actions, multi-party (N-of-M) approval for high-stakes ones, a tamper-evident audit trail, and EU AI Act Article 50(1) disclosure that the user is dealing with an AI.

ASI10: Rogue Agents

A compromised, misaligned, or drifting agent keeps operating in unintended ways. Defense: behavioral drift detection (EWMA/CUSUM), heartbeat monitoring, an SDK integrity check, and kill switches to pull a rogue agent offline.

Defense in depth, not a single wall

No single control catches everything, and for several of these risks a runtime firewall is one layer among many. The value is having one place to compose allow-lists, content scanners, budgets, approvals, and a signed audit trail, then test each policy safely in shadow mode before it enforces. See the OWASP mapping in the docs for the control behind each risk.