Agentic · Education & Research · reviewed 2026-04

CSA/OWASP Agentic AI Red Teaming Guide

Comprehensive red teaming guide for agentic AI systems covering 12 threat categories with actionable test procedures, example prompts, and deliverables. CSA and OWASP AI Exchange joint publication.

01

What it does

A joint publication from the CSA AI Organizational Responsibilities Working Group and the OWASP AI Exchange. It provides detailed red teaming procedures for agentic AI across 12 threat categories: Authorization & Control Hijacking, Checker-Out-of-the-Loop, Critical System Interaction, Goal & Instruction Manipulation, Hallucination Exploitation, Impact Chain & Blast Radius, Knowledge Base Poisoning, Memory & Context Manipulation, Multi-Agent Exploitation, Resource Exhaustion, Supply Chain Attacks, and Untraceability. Each category includes test requirements, actionable steps, and example prompts.

02

Security relevance

Goes deeper than the OWASP Agentic Top 10 by providing specific test procedures for each threat. Covers MCP server hijacking, permission escalation, role inheritance exploitation, cross-session data leakage, memory poisoning, confused deputy attacks, feedback loop exploitation, and forensic analysis obfuscation. Also references tools: MAESTRO, AgentDojo, AgentFence, Promptfoo, and Agent Security Bench.

03

When to use it

Use as a hands-on testing playbook when red teaming agentic AI systems. The 12 categories provide a systematic structure for comprehensive agent security assessment.

04

OWASP coverage

Risks addressed — mapped to both OWASP Top 10 standards. 0 in LLM, 10 in Agentic.

LLM Top 10 · 2025 · 0/10 covered
05

The raw record

What Yuntona stores. Single source of truth — fork it on GitHub.

name: CSA/OWASP Agentic AI Red Teaming Guide
slug: csa-owasp-agentic-ai-red-teaming-guide
type: Agentic
category: Education & Research
url: https://cloudsecurityalliance.org/research/working-groups/ai-organizational-responsibilities

reviewed:   2026-04
added:      2026-04
updated:    2026-04

risks:
  llm:  []
  asi:  [ASI01, ASI02, ASI03, ASI04, ASI05, ASI06, ASI07, ASI08, ASI09, ASI10]

complexity:    Plug & Play
pricing:       —
audience:      AppSec · Red Team
lifecycle:     [test]

tags: [Agentic, CSA, Free, Guide, OWASP, Red Teaming, Threat Model]