OWASP LLM Top 10
OWASP Top 10 for LLM Applications
The ten most critical security risks in systems that use large language models — from prompt injection to unbounded consumption.
Used: Each OWASP LLM risk is a first-class entity in the knowledge graph, linked to mitigating controls and Cloudflare primitives. The guardrail enforces them at runtime — LLM01 (injection), LLM05 (output), LLM06 (MCP tools), LLM07 (prompt leak), and LLM10 (denial-of-wallet budgets) — every finding standards-mapped. Cross-mapped to MITRE ATLAS via kb_map.
OWASP Agentic AI
OWASP Agentic AI Threats & Mitigations (T1–T15)
Fifteen specific threat patterns that arise when AI systems operate as autonomous agents — including orchestration hijacking, excessive agency, and resource misuse.
Used: T1–T15 are mapped as threat entities; the agent fleet design (read-only tools, human-on-the-loop, least-privilege governance) directly addresses T2, T5, T9, and T11.
OWASP Agentic 2026
OWASP Top 10 for Agentic Applications (2026)
An emerging standard for the most critical risks specific to agentic AI deployments, covering multi-agent orchestration and tool-use vulnerabilities.
Used: Applied to the roadmap agent fleet design — each top-10 risk is tracked as a knowledge entity with controls and implementation status.
NIST AI RMF
NIST AI Risk Management Framework + CSA Agentic Profile
A structured approach to identifying, assessing, and managing risks across the full AI lifecycle (Govern, Map, Measure, Manage).
Used: Governance practices (provenance tracking, adversarial verification, reproducible compiler) map to GOVERN and MEASURE functions. The CSA Agentic NIST AI RMF Profile guides agent fleet design.
MITRE ATLAS
MITRE ATLAS
Adversarial Threat Landscape for AI Systems — a knowledge base of adversarial ML tactics and techniques, structured similarly to MITRE ATT&CK.
Used: ATLAS tactics and techniques are entities in the graph. kb_map can translate an ATLAS ID (e.g. AML.T0051) to the corresponding OWASP risk, mitigating controls, and Cloudflare implementation.
ISO/IEC 42001
ISO/IEC 42001 — AI Management Systems
An international standard for establishing, implementing, and continually improving an AI management system within an organization.
Used: The knowledge compiler's idempotency, CI validation, and provenance requirements reflect 42001's emphasis on documented, repeatable AI processes and risk controls.
EU AI Act
EU AI Act
The European Union's landmark regulation classifying AI systems by risk level and requiring transparency, human oversight, and conformity assessments for high-risk deployments.
Used: Transparency requirements informed the verification_status field and provenance sources on every entity. Human-on-the-loop in the agent fleet addresses the Act's human oversight requirements.
MITRE ATT&CK
MITRE ATT&CK
The industry-standard knowledge base of real-world adversary tactics and techniques (for enterprise systems). protectwith.ai uses it to map AI-enabled attacks — where attackers use AI to accelerate malware development, reconnaissance, social engineering, and autonomous (agentic) attack orchestration — complementing MITRE ATLAS, which covers attacks against AI systems.
Used: ATT&CK techniques that are meaningfully accelerated or enabled by AI tooling are modelled as threat entities in the knowledge graph. kb_map can traverse from an ATT&CK technique ID to the controls and Cloudflare primitives that defend against it in AI-augmented attack scenarios.
OWASP MCP Security
OWASP MCP Security
OWASP's guidance (Top 10 / Cheat Sheet) for securing the Model Context Protocol — the new attack surface where AI agents execute tools from natural language. protectwith.ai maps the MCP attack vectors (tool poisoning, rug pull, tool shadowing, confused deputy, over-scoped permissions, exfiltration via tools) to controls, and the guardrail's /v1/guard/tools endpoint enforces them at runtime.
Used: MCP attack vectors are first-class threat entities in the knowledge graph. kb_checklist surfaces the applicable MCP controls for any agent or tool-calling component; kb_map links each vector to the Cloudflare primitives and least-privilege patterns that mitigate it.