BloodHound MCP — agentic threat model

AIVSS 9.3 · Critical

BloodHound MCP exposes highly sensitive Active Directory attack-path data to natural-language querying, creating a high-impact target where model manipulation or prompt injection could leak critical privilege escalation paths to unauthorized actors.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.8 · AARS uplift 0.46 · Factor sum 3.5/10 · Threat ×1.1 · Mitigation ×1.0

Agentic risk factors:
Autonomy of Action: 0.20
Goal-Driven Planning: 0.30
Self-Modification: 0.10
Dynamic Tool Use: 0.70
Persistent Memory: 0.20
Contextual Awareness: 0.60
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.10
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — relies on external foundation models via the Model Context Protocol (MCP). The primary threat is prompt injection or jailbreaking, which could bypass intended query boundaries to extract sensitive Active Directory relationship paths.

L2 · Data Operations · ✓ mapped

The agent directly queries the BloodHound graph database containing highly sensitive Active Directory relationships and privilege escalation paths. Unauthorized data exfiltration or poisoning of the graph database represents a critical risk.

L3 · Agent Frameworks · ✓ mapped

Uses the Model Context Protocol (MCP) to translate natural language into graph queries. Insecure tool integration or translation errors could lead to unauthorized database access or execution of unintended Cypher-like queries.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — deployment details depend on the host environment running the MCP server. Threats include insecure local hosting, exposed MCP ports, and lack of network isolation from the domain controller or BloodHound database.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — there is no mention of built-in logging, guardrails, or audit trails for queries executed through the MCP interface, creating a blind spot for security administrators.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

The tool is open source and free, with no explicit mention of built-in authentication, authorization, or role-based access control (RBAC) to restrict who can query the highly sensitive BloodHound data.

L7 · Agent Ecosystem · ✓ mapped

As an MCP tool, this agent is designed to be integrated into broader agentic ecosystems. A compromised orchestrator agent could abuse this tool to automatically discover and exploit Active Directory attack paths.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).