Co-Sales AI Configurator — agentic threat model
The Co-Sales AI Configurator presents a high-risk profile due to its dual-agent architecture, public-facing lead generation interface, and deep write-access integrations with enterprise CRMs and ERPs. While the availability of on-premise deployment mitigates some data privacy concerns, robust input validation and strict API access controls are critical to prevent prompt injection from compromising backend systems.
OWASP AIVSS score rationale
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.70 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.60 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.30 | |
| Multi-Agent Interactions | 0.90 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The specific foundation models powering the Interviewer and Engineer agents are not disclosed. The primary L1 threat is prompt injection via the public-facing discovery interface, which could lead to model reprogramming or mis-aligned outputs.
Not certain from the listing — While the system connects to real databases and ERPs for deterministic pricing, the exact data pipeline and vector store configurations are unspecified. Threats include database poisoning or unauthorized data exfiltration of sensitive pricing and product catalog data.
The agent utilizes a dual-agent orchestration framework (Interviewer and Engineer) and integrates with external systems via MCP or APIs. Threats include insecure tool integration with CRM/ERP systems, tool misuse (e.g., unauthorized CRM writes), and state manipulation during the handoff between the two agents.
The listing explicitly supports 'On-Premise deployment' to ensure data privacy. While this mitigates cloud-hosting risks, it introduces threats related to local network compromise, container security, and the secure management of API keys/secrets for CRM/ERP integrations.
Not certain from the listing — There is no mention of specific evaluation, guardrail, or logging frameworks. The lack of visible observability tools poses a risk of blind spots in monitoring the dual-agent interactions and detecting prompt injection attempts.
The agent addresses compliance through 'Enterprise Security' and 'On-Premise deployment' for data privacy. However, specific access control mechanisms (RBAC), audit logging, and compliance alignments (e.g., SOC2, GDPR) for the CRM/ERP integrations are not detailed.
The agent features a 'Dual-Agent Architecture' (Interviewer and Engineer) and integrates with external platforms (Salesforce, HubSpot, ERPs). Threats include cascading failures if one agent is compromised, and trust abuse between the public-facing Interviewer and the internal database-facing Engineer.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).