burp-ai-agent (six2dez) — agentic threat model

AIVSS 7.4 · High

The burp-ai-agent introduces significant agentic risk by combining active network scanning capabilities with LLM-driven analysis of sensitive HTTP traffic. While local execution and privacy guardrails mitigate external exposure, prompt injection leading to unauthorized active scanning or credential exfiltration remains a critical concern.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
AARS uplift: 0.71
Factor sum: 4.7/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.8

Agentic risk factors:
Autonomy of Action: 0.60
Goal-Driven Planning: 0.50
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.70
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.40
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
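To make the score reproducible, here is the AIVSS formula above carried through with the listing's own factor values. This is an added worked example, not code from the listing, from six2dez or from the OWASP AIVSS calculator; it uses exact decimal arithmetic so the intermediate values match the page (factor sum 4.7, AARS 0.705 shown as 0.71, final 7.364 shown as 7.4). The input validation ranges (factors in 0..1, CVSS base in 0..10) are an assumption about the formula's domain.

```python
"""Worked OWASP AIVSS computation using the values from the burp-ai-agent listing."""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, Mapping, Union

Number = Union[str, float, int, Decimal]

# The ten AIVSS agentic risk factors with the values the listing assigns (copied from the page).
AGENTIC_FACTORS: Dict[str, Decimal] = {
    "Autonomy of Action": Decimal("0.60"),
    "Goal-Driven Planning": Decimal("0.50"),
    "Self-Modification": Decimal("0.10"),
    "Dynamic Tool Use": Decimal("0.80"),
    "Persistent Memory": Decimal("0.20"),
    "Contextual Awareness": Decimal("0.70"),
    "Dynamic Identity": Decimal("0.30"),
    "Multi-Agent Interactions": Decimal("0.40"),
    "Non-Determinism": Decimal("0.60"),
    "Opacity & Reflexivity": Decimal("0.50"),
}

# Remaining inputs from the listing: CVSS base, threat multiplier (ThM) and mitigation factor.
CVSS_BASE = Decimal("8.5")
THREAT_MULTIPLIER = Decimal("1.0")
MITIGATION_FACTOR = Decimal("0.8")


def _dec(value: Number) -> Decimal:
    """Convert via str() so a float like 0.6 becomes Decimal('0.6'), not its binary expansion."""
    return value if isinstance(value, Decimal) else Decimal(str(value))


def factor_sum(factors: Mapping[str, Number]) -> Decimal:
    """Sum of the ten agentic factors; each must lie in 0..1 (assumed domain)."""
    total = Decimal("0")
    for name, raw in factors.items():
        value = _dec(raw)
        if not (Decimal("0") <= value <= Decimal("1")):
            raise ValueError(f"factor {name!r} must be within 0..1, got {value}")
        total += value
    return total


def aars(cvss_base: Number, factors: Mapping[str, Number], thm: Number) -> Decimal:
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM"""
    base = _dec(cvss_base)
    if not (Decimal("0") <= base <= Decimal("10")):
        raise ValueError(f"CVSS base must be within 0..10, got {base}")
    return (Decimal("10") - base) * (factor_sum(factors) / Decimal("10")) * _dec(thm)


def aivss(cvss_base: Number, factors: Mapping[str, Number], thm: Number, mitigation: Number) -> Decimal:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor"""
    return (_dec(cvss_base) + aars(cvss_base, factors, thm)) * _dec(mitigation)


def report(cvss_base: Number = CVSS_BASE, factors: Mapping[str, Number] = AGENTIC_FACTORS,
           thm: Number = THREAT_MULTIPLIER, mitigation: Number = MITIGATION_FACTOR) -> Dict[str, str]:
    """Display-rounded (half-up) values in the same form the listing prints them."""
    def q(value: Decimal, places: str) -> str:
        return str(value.quantize(Decimal(places), rounding=ROUND_HALF_UP))
    return {
        "factor_sum": q(factor_sum(factors), "0.1"),
        "aars": q(aars(cvss_base, factors, thm), "0.01"),
        "aivss": q(aivss(cvss_base, factors, thm, mitigation), "0.1"),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Rounding AARS to two places before the final multiplication (8.5 + 0.71) × 0.8 = 7.368 and keeping it exact (8.5 + 0.705) × 0.8 = 7.364 both display as 7.4, so the listing's headline score does not depend on which the calculator does internally.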

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The specific LLMs utilized are not defined, but they are accessed via MCP. The primary threat is indirect prompt injection, where malicious payloads in analyzed HTTP traffic reprogram the model to exfiltrate data or execute unauthorized scans.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — The agent processes HTTP request/response data as its primary context. There is a risk of sensitive data (tokens, PII) being sent to external LLM APIs, though the listing notes 'privacy controls' are in place to mitigate this.

L3 · Agent Frameworks (✓ mapped)

Uses the Model Context Protocol (MCP) to integrate agentic capabilities with Burp Suite. A key threat is tool misuse, where the agent is tricked into executing active scans against unauthorized targets or abusing Burp's internal APIs.
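The L2 and L3 threats above share one mitigation shape: a policy layer between the model and the tools it can call, which refuses active scans outside the engagement scope and strips credentials from HTTP messages before they reach an LLM. The following is an added illustration of that pattern and is not code from burp-ai-agent; the tool names `active_scan` and `analyze_traffic`, the header list, the token patterns and the sample request are all constructed for the example.

```python
"""Hypothetical tool-call guard for an MCP-style Burp agent: scope gate plus secret redaction."""
import re
from typing import Any, Dict, Iterable
from urllib.parse import urlparse

# Headers whose values must never be forwarded to a model (assumed list, extend per engagement).
SECRET_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}

# Token shapes scrubbed from any remaining text: bearer tokens and JWT-looking strings.
TOKEN_PATTERNS = [
    re.compile(r"(?i)bearer\s+[a-z0-9\-._~+/]+=*"),
    re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
]


def scrub_tokens(text: str) -> str:
    """Replace anything matching a known secret shape with a fixed marker."""
    for pattern in TOKEN_PATTERNS:
        text = pattern.sub("[REDACTED-TOKEN]", text)
    return text


def redact_http_message(raw: str) -> str:
    """Redact sensitive header values, then scrub token shapes from the whole message."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate bare-LF messages
        head, sep, body = raw.partition("\n\n")
    newline = "\r\n" if "\r\n" in head else "\n"
    redacted = []
    for line in head.split(newline):
        name, colon, _value = line.partition(":")
        if colon and name.strip().lower() in SECRET_HEADERS:
            redacted.append(f"{name}: [REDACTED]")
        else:
            redacted.append(line)
    return scrub_tokens(newline.join(redacted) + sep + body)


class ScopePolicy:
    """Allowlist of hostnames (and their subdomains) the engagement permits scanning."""

    def __init__(self, allowed_hosts: Iterable[str]) -> None:
        self.allowed_hosts = {h.lower().strip(".") for h in allowed_hosts}

    def is_in_scope(self, url: str) -> bool:
        host = (urlparse(url).hostname or "").lower()
        if not host:
            return False
        return any(host == h or host.endswith("." + h) for h in self.allowed_hosts)


def guard_tool_call(name: str, args: Dict[str, Any], policy: ScopePolicy) -> Dict[str, Any]:
    """Default-deny gate: only allowlisted tools pass, and each gets its own check."""
    if name == "active_scan":
        target = str(args.get("url", ""))
        if not policy.is_in_scope(target):
            raise PermissionError(f"active scan refused: {target!r} is outside scope")
        return args
    if name == "analyze_traffic":
        return {**args, "message": redact_http_message(str(args.get("message", "")))}
    raise PermissionError(f"tool {name!r} is not allowlisted")


# Constructed sample request; every value here is fake.
SAMPLE_REQUEST = (
    "POST /api/login HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Authorization: Bearer abc123.def456\r\n"
    "Cookie: session=deadbeef\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"user":"alice","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlc2lnbmF0dXJl"}'
)
POLICY = ScopePolicy(["app.example.test"])


if __name__ == "__main__":
    print(guard_tool_call("analyze_traffic", {"message": SAMPLE_REQUEST}, POLICY)["message"])
    try:
        guard_tool_call("active_scan", {"url": "https://evil.example.org/"}, POLICY)
    except PermissionError as exc:
        print(exc)
```

The gate sits on the tool side rather than in the prompt, so a prompt-injection payload in analyzed traffic cannot talk its way past it: the model can request an out-of-scope scan, but the request is refused before Burp's scanner is invoked, and the refusal is something a logging layer (L5) can record.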

L4 · Deployment & Infrastructure (✓ mapped)

Runs locally as a Burp Suite extension. The primary threat is local privilege escalation or unauthorized local file access if the extension or its local MCP server is compromised, leveraging the permissions of the pentester's machine.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — While 'privacy controls' are mentioned, it is unclear if there is robust logging, anomaly detection, or evaluation frameworks to monitor the agent's decision-making process during active scanning.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Features built-in privacy controls and guardrails to restrict what data leaves the local Burp environment. However, as an open-source tool, it lacks formal enterprise compliance certifications (e.g., SOC2).

L7 · Agent Ecosystem (✓ mapped)

Utilizes MCP, which theoretically allows interaction with other MCP-compatible tools and agents. The risk of cascading failures or unauthorized agent-to-agent trust abuse exists if connected to untrusted external MCP servers.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).