burp-ai-agent (six2dez) — agentic threat model
The burp-ai-agent carries significant agentic risk because it combines active network scanning capability with LLM-driven analysis of sensitive HTTP traffic. Local execution and privacy guardrails limit external exposure, but prompt injection that leads to unauthorized active scanning or credential exfiltration remains the critical concern.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
| --- | --- | --- |
| Autonomy of Action | 0.60 | |
| Goal-Driven Planning | 0.50 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.30 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "Not certain from the listing" carry general, caveated commentary because the public description does not pin that layer down.
Layer 1, Foundation Models: Not certain from the listing — The specific LLMs used are not named, but they are reached through MCP. The primary threat is indirect prompt injection, where malicious content in analyzed HTTP traffic steers the model into exfiltrating data or launching unauthorized scans.
Layer 2, Data Operations: Not certain from the listing — The agent's primary context is HTTP request and response data. Sensitive values (tokens, PII) could be sent to external LLM APIs, though the listing notes that 'privacy controls' exist to mitigate this.
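A defender-side control for this layer, added here as an example and not code from burp-ai-agent (whose privacy controls are not described in detail on the page): a redaction pass run over each raw HTTP message before it is handed to the model, plus a `contains_secret` check that can gate the send. The header list, the value patterns and the sample request are constructed assumptions, not an exhaustive secret detector.

```python
import re
from typing import Tuple

REDACTED = "[REDACTED]"

# Header names (matched case-insensitively) whose values are credentials or
# session material and should never leave the local Burp environment.
# Constructed list for this example; extend it for the engagement.
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key",
}

# Value patterns that carry secrets inside URLs and bodies. Constructed,
# illustrative patterns; the lookahead keeps the key=value rule idempotent.
BEARER_RE = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]+")
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+")
KV_SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|secret|api_key|token)=(?!\[REDACTED\])([^&\s]+)"
)


def _scrub(text: str) -> Tuple[str, int]:
    """Apply the value patterns to free text; return (text, replacements)."""
    total = 0
    text, n = BEARER_RE.subn("Bearer " + REDACTED, text)
    total += n
    text, n = JWT_RE.subn(REDACTED, text)
    total += n
    text, n = KV_SECRET_RE.subn(lambda m: f"{m.group(1)}={REDACTED}", text)
    total += n
    return text, total


def redact_http_message(raw: str) -> Tuple[str, int]:
    """Redact credentials from a raw HTTP request or response.

    Values of SENSITIVE_HEADERS are replaced whole; the request line and the
    body are scrubbed with the value patterns. Returns the cleaned message
    and the number of redactions. A second pass returns (same text, 0).
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition("\n\n")
    eol = "\r\n" if "\r\n" in head else "\n"
    count = 0
    kept = []
    for line in head.split(eol):
        name, colon, value = line.partition(":")
        if (colon and name.strip().lower() in SENSITIVE_HEADERS
                and value.strip() != REDACTED):
            kept.append(f"{name}: {REDACTED}")
            count += 1
        else:
            kept.append(line)
    head_clean, n = _scrub(eol.join(kept))
    count += n
    body_clean, n = _scrub(body)
    count += n
    return head_clean + sep + body_clean, count


def contains_secret(text: str) -> bool:
    """True if the redaction pass would still change the text; use as a send gate."""
    return redact_http_message(text)[1] > 0


# Constructed sample request for the example, not captured traffic.
SAMPLE_REQUEST = (
    "POST /api/login?token=abc123 HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl\r\n"
    "Cookie: session=deadbeefcafe\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=hunter2"
)

if __name__ == "__main__":
    cleaned, n = redact_http_message(SAMPLE_REQUEST)
    print(f"{n} redactions")
    print(cleaned)
```

The design point is that the check sits on the local side of the trust boundary and is deterministic: whatever the model asks for, nothing is sent unless `contains_secret` is false on the text actually leaving the machine.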
Layer 3, Agent Frameworks: Uses the Model Context Protocol (MCP) to integrate agentic capabilities with Burp Suite. The key threat is tool misuse, where the agent is tricked into running active scans against unauthorized targets or abusing Burp's internal APIs.
Layer 4, Deployment and Infrastructure: Runs locally as a Burp Suite extension. The primary threat is local privilege escalation or unauthorized local file access if the extension or its local MCP server is compromised, since both run with the pentester's user permissions on that machine.
Layer 5, Evaluation and Observability: Not certain from the listing — 'Privacy controls' are mentioned, but it is unclear whether there is robust logging, anomaly detection, or an evaluation framework to monitor the agent's decisions during active scanning.
Layer 6, Security and Compliance: Features built-in privacy controls and guardrails that restrict what data leaves the local Burp environment. As an open-source tool, however, it carries no formal enterprise compliance certifications (e.g., SOC 2).
Layer 7, Agent Ecosystem: Uses MCP, which in principle allows interaction with other MCP-compatible tools and agents. Cascading failures or abuse of agent-to-agent trust become possible if it is connected to untrusted external MCP servers.
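The tool-misuse threat at the agent-framework layer, the missing-observability gap at the evaluation layer and the untrusted-MCP-server risk at the ecosystem layer share one mitigation: a deterministic gate between the model's plan and the MCP tool that executes it. The example below is added here and is not code from burp-ai-agent; the tool names, server names, scope values and the sequence of calls are constructed assumptions (the page does not list the extension's real MCP tool names). The gate rejects calls from unregistered servers, checks every active-scan target against an operator-configured scope, writes an audit record per decision, and trips a circuit breaker after repeated denials so that a prompt-injected plan cannot keep probing for a way through.

```python
import ipaddress
import json
import time
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple
from urllib.parse import urlparse

# Hypothetical names for this example; substitute the tools and server the
# extension actually registers.
TRUSTED_MCP_SERVERS = {"burp-local"}
ACTIVE_TOOLS = {"start_active_scan", "send_to_intruder"}
READ_ONLY_TOOLS = {"get_proxy_history", "get_site_map"}


@dataclass
class Scope:
    """Engagement scope: domain suffixes and IP networks the agent may touch."""
    domains: set
    networks: list

    def allows(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return any(host == d or host.endswith("." + d) for d in self.domains)
        return any(addr in net for net in self.networks)


@dataclass
class ToolGate:
    """Policy check between the model's plan and MCP tool execution.

    Every decision is appended to an audit trail; repeated denials trip a
    circuit breaker that halts the agent until a human reviews the log.
    """
    scope: Scope
    max_denials: int = 3
    audit: List[Dict[str, Any]] = field(default_factory=list)
    denials: int = 0
    halted: bool = False

    def _record(self, call: Dict[str, Any], allowed: bool, reason: str) -> Tuple[bool, str]:
        self.audit.append({
            "ts": time.time(),
            "server": call.get("server"),
            "tool": call.get("tool"),
            "args": call.get("args", {}),
            "allowed": allowed,
            "reason": reason,
        })
        if not allowed:
            self.denials += 1
            if self.denials >= self.max_denials:
                self.halted = True
        return allowed, reason

    def authorize(self, call: Dict[str, Any]) -> Tuple[bool, str]:
        """Return (allowed, reason) for a tool call the model wants to make."""
        server = call.get("server", "")
        tool = call.get("tool", "")
        if self.halted:
            return self._record(call, False, "agent halted pending human review")
        if server not in TRUSTED_MCP_SERVERS:
            return self._record(call, False, f"untrusted MCP server {server!r}")
        if tool in READ_ONLY_TOOLS:
            return self._record(call, True, "read-only tool")
        if tool not in ACTIVE_TOOLS:
            return self._record(call, False, f"unknown tool {tool!r}")
        # The target comes from the model, so it is untrusted input: check it
        # against the scope the operator configured out of band.
        url = str(call.get("args", {}).get("url", ""))
        host = urlparse(url).hostname or ""
        if not host or not self.scope.allows(host):
            return self._record(call, False, f"target {host or url!r} outside engagement scope")
        return self._record(call, True, "active tool, target in scope")

    def audit_jsonl(self) -> str:
        """One JSON object per decision, ready to ship to a log pipeline."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit)


def demo() -> Tuple[List[bool], ToolGate]:
    """Constructed call sequence: legitimate calls mixed with out-of-scope ones."""
    scope = Scope(domains={"target.test"},
                  networks=[ipaddress.ip_network("192.168.56.0/24")])
    gate = ToolGate(scope=scope, max_denials=3)
    calls = [
        {"server": "burp-local", "tool": "get_proxy_history", "args": {}},
        {"server": "burp-local", "tool": "start_active_scan",
         "args": {"url": "https://app.target.test/login"}},
        {"server": "burp-local", "tool": "start_active_scan",
         "args": {"url": "https://intranet.corp.internal/"}},
        {"server": "evil-mcp", "tool": "start_active_scan",
         "args": {"url": "https://app.target.test/"}},
        {"server": "burp-local", "tool": "start_active_scan",
         "args": {"url": "http://10.0.0.5/"}},
        {"server": "burp-local", "tool": "start_active_scan",
         "args": {"url": "https://app.target.test/admin"}},
    ]
    decisions = [gate.authorize(c)[0] for c in calls]
    return decisions, gate


if __name__ == "__main__":
    decisions, gate = demo()
    print(decisions)
    print(gate.audit_jsonl())
```

Because the scope check and the breaker live outside the model, they hold regardless of how the model was steered: an injected HTTP response can change what the agent asks for, but not what the gate lets through, and every attempt is visible in the audit trail.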
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).