OWASP Agentic Top 10 Coverage
The OWASP Top 10 for Agentic Applications (2026) defines the critical security risks for AI agent systems. Below is how Daylite's modules map to each risk, with specific coverage status and the Rust modules responsible.
| ID | Risk | Status | Daylite Modules |
|---|---|---|---|
| ASI-01 | Agent Goal Hijacking | ⚠️ Partial | Scanner L1 (aho-corasick + regex), Shadow Scanner L2-L4, Inbound Response Scanner, MCP tool name validation |
| ASI-02 | Tool Misuse and Exploitation | ✅ Covered | MCP Enforcement Proxy (5-step pipeline), Per-tool McpToolPolicy (allow/deny/audit), Tool list filtering, Rate Limiter (Redis Lua), Audit log |
| ASI-03 | Identity and Privilege Abuse | ✅ Covered | RBAC + TenantContext, Phantom Token Vault, API Key Store (dyl_ prefix), SCIM 2.0, mTLS, OIDC SSO, Cell-based Tenancy |
| ASI-04 | Agentic Supply Chain Vulnerabilities | ✅ Covered | MCP Server Registration (SSRF protection), Redirect SSRF blocking, Classification ceiling per server, Inbound Response Scanner, cargo-deny + cargo-audit, Docker cosign |
| ASI-05 | Unexpected Code Execution | ✅ Covered | No dynamic evaluation (architectural rule), Pipeline Executor (typed steps), NL Pipeline Generator (human gates), SecureBus, Template Engine (JSON-safe) |
| ASI-06 | Memory and Context Poisoning | ⚠️ Partial | RAG Pipeline Security Scanning, PII Redactor (on ingest), Scanner (blocks secrets in documents), Classification Enforcement, Per-tenant KB isolation, BYOK Encryption |
| ASI-07 | Insecure Inter-Agent Communication | ✅ Covered | SecureBus (compile-time enforcement), MCP Proxy (single gateway), HMAC-signed Audit Chain, mTLS, TLS (rustls + aws-lc-rs) |
| ASI-08 | Cascading Failures | ⚠️ Partial | Rate Limiter (Redis Lua token-bucket), Per-tool rate limits, Request timeouts, Backpressure (mpsc channels), Pipeline retry with backoff, 1MB DoS cap |
| ASI-09 | Human-Agent Trust Exploitation | ✅ Covered | Classification Banners, Immutable Audit Trail, "AI Proposes, Human Gates" pattern, Webhook Alerts (SOC/SIEM), MCP audit-only mode |
| ASI-10 | Rogue Agents | ✅ Covered | Outbound DLP Inspector, Echo-back Detection (Phantom Tokens), Immutable Audit Log (SHA-256 hash chain), SIEM Connector (Splunk HEC, OCSF), MITRE ATT&CK Events, Privacy-aware Routing |
Detailed Coverage
ASI-01 (Agent Goal Hijacking): L1 pattern matching (aho-corasick literals plus regex) is production-ready (<1ms). The L2-L4 ML layers (semantic injection detection, LlamaGuard content filter) are stubbed. L1 catches secrets and keys but not semantic hijacking that uses no fixed wording, which is why this risk is marked partial.
ASI-02 (Tool Misuse and Exploitation): Full enforcement proxy with per-tool allow/deny/audit, argument inspection, classification enforcement, and rate limiting. Human-in-the-loop gating via the require_approval field.
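The pipeline described above, as an added example in dependency-free Rust written for this page (it is not Daylite's code): tool policy lookup, argument inspection, classification ceiling, per-tool token-bucket rate limit and the require_approval gate run in order, and the returned Decision names the step that stopped the call. The type and field names, the sample policy table, the list of literals banned from arguments, and the reading of audit mode as "forward the call but record the violation" are all assumptions made for the example.

```rust
use std::collections::HashMap;

// Added example, not Daylite's code: every type, field and policy value here is
// an assumption chosen to illustrate the five-step enforcement pipeline.

#[derive(Clone, Copy, PartialEq, Debug)]
enum Mode { Allow, Deny, Audit }

/// Classification levels; derived PartialOrd orders variants by declaration order.
#[derive(Clone, Copy, PartialEq, PartialOrd, Debug)]
enum Class { Public, Internal, Confidential, Restricted }

#[derive(Clone, Debug)]
struct McpToolPolicy {
    mode: Mode,
    require_approval: bool, // human-in-the-loop gate
    ceiling: Class,         // highest classification the tool may receive
    rate_per_sec: f64,      // per-tool token-bucket refill rate
    burst: f64,             // bucket capacity
}

/// Token bucket refilled lazily on each check. A Redis Lua script would run the
/// same refill-and-take arithmetic inside one atomic call.
struct Bucket { tokens: f64, last: f64 }

impl Bucket {
    fn try_take(&mut self, now: f64, rate: f64, burst: f64) -> bool {
        self.tokens = (self.tokens + (now - self.last) * rate).min(burst);
        self.last = now;
        if self.tokens >= 1.0 { self.tokens -= 1.0; true } else { false }
    }
}

#[derive(Debug, PartialEq)]
enum Decision {
    Forward,                // passed every check; sent to the MCP server
    Audited(&'static str),  // audit mode: sent on, but the violation is logged
    PendingApproval,        // held until a human approves
    Blocked(&'static str),  // never reaches the MCP server
}

struct ToolCall<'a> { tool: &'a str, args: &'a str, data_class: Class }

struct EnforcementProxy {
    policies: HashMap<&'static str, McpToolPolicy>,
    buckets: HashMap<String, Bucket>,
    forbidden: Vec<&'static str>, // constructed list of literals banned from arguments
}

impl EnforcementProxy {
    fn enforce(&mut self, call: &ToolCall, now: f64) -> Decision {
        // Step 1: policy lookup. Unknown tools are denied by default.
        let policy = match self.policies.get(call.tool) {
            Some(p) => p.clone(),
            None => return Decision::Blocked("unregistered tool"),
        };
        if policy.mode == Mode::Deny {
            return Decision::Blocked("tool denied by policy");
        }
        // Steps 2-4: argument inspection, classification ceiling, rate limit.
        let violation = if self.forbidden.iter().any(|m| call.args.contains(*m)) {
            Some("argument inspection hit")
        } else if call.data_class > policy.ceiling {
            Some("classification above tool ceiling")
        } else {
            let bucket = self.buckets.entry(call.tool.to_string())
                .or_insert(Bucket { tokens: policy.burst, last: now });
            if bucket.try_take(now, policy.rate_per_sec, policy.burst) { None } else { Some("rate limit exceeded") }
        };
        if let Some(reason) = violation {
            // Assumption: audit mode forwards the call but records the violation.
            return if policy.mode == Mode::Audit { Decision::Audited(reason) } else { Decision::Blocked(reason) };
        }
        // Step 5: human gate for consequential tools.
        if policy.require_approval { Decision::PendingApproval } else { Decision::Forward }
    }
}

/// Constructed policy table for the demo.
fn sample_proxy() -> EnforcementProxy {
    let mut policies = HashMap::new();
    policies.insert("read_file", McpToolPolicy { mode: Mode::Allow, require_approval: false, ceiling: Class::Internal, rate_per_sec: 2.0, burst: 2.0 });
    policies.insert("send_email", McpToolPolicy { mode: Mode::Allow, require_approval: true, ceiling: Class::Confidential, rate_per_sec: 1.0, burst: 5.0 });
    policies.insert("shell_exec", McpToolPolicy { mode: Mode::Deny, require_approval: false, ceiling: Class::Public, rate_per_sec: 0.0, burst: 0.0 });
    policies.insert("search_kb", McpToolPolicy { mode: Mode::Audit, require_approval: false, ceiling: Class::Public, rate_per_sec: 10.0, burst: 10.0 });
    EnforcementProxy { policies, buckets: HashMap::new(), forbidden: vec!["dyl_", "AKIA", "-----BEGIN PRIVATE KEY-----"] }
}

fn main() {
    let mut proxy = sample_proxy();
    let calls = [
        ToolCall { tool: "read_file", args: "path=/srv/docs/readme.md", data_class: Class::Public },
        ToolCall { tool: "read_file", args: "path=/srv/docs/board-minutes.md", data_class: Class::Confidential },
        ToolCall { tool: "send_email", args: "to=alice@example.com", data_class: Class::Internal },
        ToolCall { tool: "shell_exec", args: "cmd=id", data_class: Class::Public },
        ToolCall { tool: "search_kb", args: "q=dyl_live_example_key", data_class: Class::Public },
    ];
    for (i, c) in calls.iter().enumerate() {
        println!("{} {} -> {:?}", c.tool, c.args, proxy.enforce(c, i as f64));
    }
}
```

The order of the steps matters: the deny check and the argument scan run before the bucket is touched, so a blocked call never consumes rate-limit budget, and an unregistered tool is refused rather than silently allowed.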
ASI-03 (Identity and Privilege Abuse): The Phantom Token architecture is the key differentiator: agents never hold real credentials, so a compromised agent has none to leak. Per-tenant isolation, RBAC, and SCIM instant deprovisioning cover the full identity lifecycle.
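An added example of the phantom token idea, written for this page in dependency-free Rust and not Daylite's vault: the agent only ever sees an opaque placeholder, the vault swaps it for the real credential on the outbound request and only for the matching tenant, SCIM deprovisioning revokes every placeholder issued to a principal, and the same table drives the echo-back check that ASI-10 lists, flagging both a real credential reflected by an upstream server and a phantom that an agent tries to pass along. The names, the "ph_<tenant>_<n>" placeholder format, the counter-based ids and the sample credentials are assumptions.

```rust
use std::collections::HashMap;

// Added example, not Daylite's implementation. Names, formats and sample
// credentials are constructed for illustration.

#[derive(Debug, PartialEq)]
enum VaultError { Unknown, CrossTenant, Revoked }

/// Findings carry the phantom id only, never the real secret.
#[derive(Debug, PartialEq)]
enum Finding { RealSecretLeaked(String), PhantomEchoed(String) }

struct Entry { tenant: String, principal: String, real: String, revoked: bool }

#[derive(Default)]
struct PhantomVault { entries: HashMap<String, Entry>, next: u64 }

impl PhantomVault {
    /// Store the real credential and hand the agent an opaque placeholder.
    /// The demo uses a counter for the id; production would use a CSPRNG.
    fn issue(&mut self, tenant: &str, principal: &str, real: &str) -> String {
        self.next += 1;
        let phantom = format!("ph_{}_{:04}", tenant, self.next);
        self.entries.insert(phantom.clone(), Entry {
            tenant: tenant.into(), principal: principal.into(), real: real.into(), revoked: false,
        });
        phantom
    }

    /// Resolve a phantom only for the tenant it was issued to (TenantContext check).
    fn resolve(&self, tenant: &str, phantom: &str) -> Result<&str, VaultError> {
        let e = self.entries.get(phantom).ok_or(VaultError::Unknown)?;
        if e.tenant != tenant { return Err(VaultError::CrossTenant); }
        if e.revoked { return Err(VaultError::Revoked); }
        Ok(&e.real)
    }

    /// SCIM deprovision: every phantom issued to the principal stops resolving at once.
    fn deprovision(&mut self, tenant: &str, principal: &str) -> usize {
        let mut n = 0;
        for e in self.entries.values_mut() {
            if e.tenant == tenant && e.principal == principal && !e.revoked {
                e.revoked = true;
                n += 1;
            }
        }
        n
    }

    /// Proxy-side rewrite of an outbound header: the agent built it with the
    /// phantom, the real credential is substituted here and nowhere else.
    fn rewrite_outbound(&self, tenant: &str, header: &str) -> Result<String, VaultError> {
        let mut out = header.to_string();
        for phantom in self.entries.keys() {
            if out.contains(phantom.as_str()) {
                let real = self.resolve(tenant, phantom)?;
                out = out.replace(phantom.as_str(), real);
            }
        }
        Ok(out)
    }

    /// Echo-back detection over text flowing back to the agent or out to a user.
    fn echo_back_scan(&self, text: &str) -> Vec<Finding> {
        let mut findings = Vec::new();
        let mut keys: Vec<&String> = self.entries.keys().collect();
        keys.sort(); // deterministic output regardless of HashMap iteration order
        for phantom in keys {
            let e = &self.entries[phantom];
            if text.contains(e.real.as_str()) { findings.push(Finding::RealSecretLeaked(phantom.clone())); }
            if text.contains(phantom.as_str()) { findings.push(Finding::PhantomEchoed(phantom.clone())); }
        }
        findings
    }
}

fn main() {
    let mut vault = PhantomVault::default();
    let ph = vault.issue("acme", "alice", "sk-real-123");
    println!("agent holds: {}", ph);
    println!("proxy sends: {:?}", vault.rewrite_outbound("acme", &format!("Bearer {}", ph)));
    println!("cross-tenant: {:?}", vault.rewrite_outbound("globex", &format!("Bearer {}", ph)));
    // Constructed upstream response that reflects the real credential.
    println!("findings: {:?}", vault.echo_back_scan("debug: token sk-real-123 accepted"));
    println!("revoked {} phantom(s)", vault.deprovision("acme", "alice"));
    println!("after deprovision: {:?}", vault.resolve("acme", &ph));
}
```

Two properties are worth checking in any real implementation of this pattern: the substitution must happen only in the component that talks to the upstream (here rewrite_outbound), and the scanner must report findings by phantom id so that the audit log itself never becomes a second copy of the secret.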
ASI-04 (Agentic Supply Chain Vulnerabilities): Full MCP server vetting (SSRF protection, classification ceiling, per-tool policy). The build-time supply chain is hardened with cargo-deny, cargo-audit, and cosign-signed Docker images. At runtime, tool responses are scanned before they reach the agent.
ASI-05 (Unexpected Code Execution): Rust memory safety, no dynamic evaluation, and typed pipeline steps remove the primary code execution vectors. The memory-safety guarantee covers safe Rust only; unsafe blocks and native dependencies such as aws-lc-rs sit outside it and are where review effort belongs. The declarative connector template engine is JSON-escaped by design, and generated pipelines are gated on human approval.
ASI-06 (Memory and Context Poisoning): Document-level scanning (PII, secrets, classification) on ingest is implemented. Missing: adversarial embedding detection, document provenance tracking, and periodic re-scanning of existing KB content.
ASI-07 (Insecure Inter-Agent Communication): SecureBus provides compile-time enforcement: the Rust type system rejects code that skips the compliance checks, so a bypass is a build failure rather than a runtime finding. The monolith architecture keeps inter-agent communication in-process, so there is no network hop between agents; traffic to external MCP servers still crosses the network and is covered by the single-gateway proxy plus mTLS/TLS.
ASI-08 (Cascading Failures): Rate limiting, timeouts, backpressure, and DoS caps are implemented. Missing: an automatic circuit breaker (currently a manual enabled flag), cascading-failure detection across multi-step pipelines, and formal chaos testing.
ASI-09 (Human-Agent Trust Exploitation): The "AI Proposes, Human Gates" pattern directly addresses trust exploitation by requiring human approval for consequential actions. Classification banners and audit trails provide transparency.
ASI-10 (Rogue Agents): Multi-layer exfiltration defense: outbound DLP, phantom token echo-back detection, classification-enforced routing, and an immutable audit log. MITRE ATT&CK mapping enables SOC correlation.