Burr — agentic threat model
Burr is an open-source state-machine framework for AI agents. It offers strong observability and structured execution that mitigates non-determinism, but its security posture relies heavily on how developers implement state persistence and UI access controls.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.30 |
| Goal-Driven Planning | 0.50 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.40 |
| Persistent Memory | 0.70 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.40 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description didn’t pin down that layer.
Layer 1 (Foundation Models): Not certain from the listing — Burr is model-agnostic and integrates with various frameworks, meaning foundation model threats (adversarial prompts, alignment) depend entirely on the user's chosen LLM.
Layer 2 (Data Operations): Burr includes pluggable persisters to save and load application states. This introduces risks of state injection, state tampering, or deserialization vulnerabilities if persistent state stores are not secured.
Layer 3 (Agent Frameworks): As an orchestration framework that models applications as state machines, Burr reduces chaotic execution but is vulnerable to state-transition bypasses or logic flaws in the Python-defined state components.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — deployment is managed by the developer. However, hosting the Burr real-time monitoring UI exposes a network service that must be secured against unauthorized access.
Layer 5 (Evaluation and Observability): Burr excels here, providing a built-in UI for real-time monitoring, tracing, and debugging, which significantly mitigates observability blind spots and aids in drift detection.
Layer 6 (Security and Compliance): Not certain from the listing — the framework does not explicitly detail built-in RBAC, authentication, or compliance controls for its monitoring UI or state persistence layers.
Layer 7 (Agent Ecosystem): Not certain from the listing — while Burr can model simulations and multi-agent setups, it does not natively govern a marketplace or external agent-to-agent trust boundaries.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).