AgentReadyHomeAgent ListingPricing

← Zep

Zep — agentic threat model

8.7AIVSS 8.7 · High

Zep acts as a persistent memory and vector search layer for AI agents, presenting a high risk of memory poisoning and sensitive data exfiltration if user interaction histories are compromised or manipulated.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.5AARS uplift 1.15Factor sum 4.6/10Threat ×1.0Mitigation ×1.0
Autonomy of Action
0.20
Goal-Driven Planning
0.10
Self-Modification
0.60
Dynamic Tool Use
0.20
Persistent Memory
1.00
Contextual Awareness
0.90
Dynamic Identity
0.10
Multi-Agent Interactions
0.40
Non-Determinism
0.50
Opacity & Reflexivity
0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — Zep acts as a memory layer and does not host its own foundation models, but it interacts with external LLMs which are susceptible to prompt injection and adversarial inputs that could corrupt the memory.

L2 · Data Operations✓ mapped

Zep manages vector search and user interaction history. Key threats include memory/knowledge-base poisoning, data exfiltration of sensitive user facts, and embedding inversion.

L3 · Agent Frameworks✓ mapped

Zep provides memory orchestration (ChatHistory, customizable memory windows) and integrates with LangChain. Vulnerabilities include memory poisoning where malicious user inputs permanently alter the agent's retrieved context, leading to downstream tool misuse or hijacked planning.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — deployment details (SaaS vs self-hosted) are not fully specified, posing risks of unauthorized access to the memory database or API keys if infrastructure is compromised.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — there is no explicit mention of built-in guardrails, evaluation frameworks, or observability tools to detect memory drift or poisoned facts.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — compliance certifications (e.g., SOC2, GDPR) or fine-grained access controls for user memory data are not detailed in the public listing.

L7 · Agent Ecosystem✓ mapped

Zep enables multi-agent personalization by sharing or isolating memory. Threats include cross-agent memory contamination or unauthorized access to user facts across different agent instances.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).

These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology. Are you the vendor? Factual corrections are free.