Moai Team

What is AgenticAssurance?

Single-prompt scanners miss the attacks that matter for agents — the ones composed across tools. AgenticAssurance (AAL) is the framework-neutral offensive core of the Agent Assurance Layer: you describe your agent in a capability manifest — its tools and their side-effect classes, data scopes, untrusted-ingress points and declared mitigations — plug in a runner adapter, and it attacks an isolated copy of the agent. It runs an attack library mapped to the OWASP Top 10 for Agentic Applications and MITRE ATLAS, builds a toxic-flow graph over declared tools to find lethal-trifecta and untrusted-content-to-code-execution paths, and catches execution-layer divergences where the agent refuses in text but a side-effecting tool still fires. Findings ship as SARIF 2.1.0 for code scanning plus a human-readable report, and a failing verdict exits non-zero — so red-teaming gates CI like any other test.

Areas of expertise

Offensive security for agents, built for CI — not a runtime guardrail, not a generic code scanner.

  • Agentic attack library

    Attacks mapped to the OWASP Top 10 for Agentic Applications and MITRE ATLAS, run against an isolated copy of the target — never your live agent.

  • Toxic-flow graph

    A graph over the agent's declared tools that surfaces lethal-trifecta and untrusted-content → code-execution composition paths that single-prompt scanners structurally cannot see.

  • Side-effect divergence detection

    Catches the most dangerous failure mode: the agent refuses in text while a side-effecting tool fires anyway — verified at the execution layer, with stability re-runs.

  • Capability manifest

    One JSON document declares the agent's tools and their side-effect classes, data scopes, untrusted-ingress points, identity and mitigations — the contract every attack and graph is derived from.

  • SARIF for CI

    Findings emit as SARIF 2.1.0 for code-scanning dashboards plus a Markdown report, and a failing verdict exits with code 1 — red-teaming becomes a CI gate, not a yearly audit.

  • Evidence without payloads

    Every finding references its attack inputs by sha256 — reproducible evidence with no raw attack payloads written to disk.

Get in touch

Want to know how your agent holds up against the OWASP Agentic Top 10? Tell us about your product and we'll set up a red-team scan.

Message