CAST AI — agentic threat model
CAST AI exhibits a high-risk agentic profile due to its deep integration and write-access privileges within production Kubernetes clusters and cloud provider APIs. While highly effective for FinOps automation, a compromise of its decision-making engine or credentials could lead to catastrophic infrastructure destruction, unauthorized resource provisioning, or massive cloud billing attacks.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.60 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.50 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.40 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models: Not certain from the listing — CAST AI primarily operates on algorithmic and machine learning models for resource optimization rather than generative LLMs. If LLMs are used for natural language querying of cost data, they would be vulnerable to prompt injection, but the core risk remains in the predictive models driving automated scaling decisions.
Layer 2, Data Operations: Collects real-time Kubernetes cluster state, resource utilization metrics, and cloud billing data. Threats include telemetry data tampering or poisoning, which could mislead the optimization engine into sub-optimal scaling, resource starvation, or artificial cost inflation.
Layer 3, Agent Frameworks: The framework orchestrates automated actions like node provisioning, draining, and pod rescheduling. Threats include insecure tool integration with cloud APIs and logic flaws in the autoscaling decision engine that could be exploited to trigger infinite scaling loops.
Layer 4, Deployment and Infrastructure: Deployed as an agent/controller within Kubernetes (EKS, GKE, AKS) or via API integrations. Requires high-privilege access (e.g., cluster-admin or cloud IAM roles) to provision and terminate VMs, posing severe risks of privilege escalation or lateral movement if the agent container is compromised.
Layer 5, Evaluation and Observability: Provides continuous cost and performance monitoring. Gaps in observability or logging could lead to undetected over-provisioning, billing/resource exhaustion attacks, or silent failures in spot instance fallbacks.
Layer 6, Security and Compliance: Not certain from the listing — While CAST AI operates in highly regulated enterprise environments, the listing does not explicitly detail its compliance certifications (like SOC 2) or RBAC policies, though these are critical given its high-privilege access to cloud infrastructure.
Layer 7, Agent Ecosystem: Interacts directly with cloud provider APIs (EKS, GKE, AKS) and potentially other DevOps tooling. Vulnerabilities or compromised credentials could cause cascading failures across the cloud infrastructure ecosystem, affecting multiple connected clusters.
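As an added example (not CAST AI's code and not part of the listing), a small detector for the two threats named above at the agent-framework and observability layers, a scaling decision loop that keeps reversing itself and a scale-up that runs past any guardrail: it replays constructed node add/remove events, alerts on add/remove flapping inside a sliding window, and alerts when the live node count exceeds a hard ceiling that sits outside the optimizer's control. The event format, node names and thresholds are all assumptions made up for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <add|remove> <node-name>" per line.
# A run of add/remove pairs minutes apart is the signature of a decision loop
# reversing itself; the tail is a scale-up past the hard ceiling.
SAMPLE_EVENTS = """\
2024-03-01T10:00:00Z add node-a
2024-03-01T10:00:40Z remove node-a
2024-03-01T10:01:20Z add node-b
2024-03-01T10:02:00Z remove node-b
2024-03-01T10:02:40Z add node-c
2024-03-01T10:03:20Z remove node-c
2024-03-01T10:04:00Z add node-d
2024-03-01T10:04:40Z add node-e
2024-03-01T10:05:20Z add node-f
"""
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_events(text):
    """Parse the constructed event format into (datetime, action, node) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, action, node = line.split()
        events.append((datetime.strptime(ts, TS_FMT), action, node))
    return events

def count_flips(recent):
    """Count add<->remove direction changes among the windowed events."""
    actions = [a for _, a in recent]
    return sum(1 for prev, cur in zip(actions, actions[1:]) if prev != cur)

def detect_scaling_anomalies(events, window=timedelta(minutes=5),
                             max_flips=4, max_nodes=2):
    """Return (timestamp, reason) alerts for flapping and node-cap breaches.
    max_nodes stands in for a hard ceiling enforced outside the optimizer
    (cloud quota or budget guardrail); all thresholds here are toy values."""
    alerts, recent, live = [], deque(), set()
    for ts, action, node in sorted(events):
        (live.add if action == "add" else live.discard)(node)
        recent.append((ts, action))
        while recent[0][0] < ts - window:  # drop events outside the window
            recent.popleft()
        if count_flips(recent) > max_flips:
            alerts.append((ts.strftime(TS_FMT), "flapping"))
        if len(live) > max_nodes:
            alerts.append((ts.strftime(TS_FMT), "node-cap-exceeded"))
    return alerts
```

In a real deployment the events would come from the cloud provider's audit trail or the cluster's node-lifecycle events, and the node ceiling from a quota or budget control that the optimizer cannot change.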
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).