AgentReadyHomeAgent Listing

← Cognexo

Cognexo — agentic threat model

7.0AIVSS 7.0 · High

Cognexo is a low-autonomy HR and L&D platform focusing on employee surveys and personalized learning. Its primary security risk lies in the sensitivity of the employee feedback and PII it processes, rather than autonomous agentic execution threats.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.5AARS uplift 0.5Factor sum 1.5/10Threat ×0.95Mitigation ×1.0
Autonomy of Action
0.20
Goal-Driven Planning
0.10
Self-Modification
0.00
Dynamic Tool Use
0.10
Persistent Memory
0.40
Contextual Awareness
0.30
Dynamic Identity
0.00
Multi-Agent Interactions
0.00
Non-Determinism
0.20
Opacity & Reflexivity
0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The listing does not specify which foundation models are used for personalizing learning or customizing questions. Potential threats include model bias or misaligned outputs in employee feedback analysis.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — Cognexo collects sensitive employee feedback and learning progress. Threats include data exfiltration of sensitive HR sentiment data or poisoning of the personalization database.

L3 · Agent Frameworks⚠ not certain from listing

Not certain from the listing — It is unclear if a formal agentic framework is used to orchestrate the survey delivery or if it relies on traditional deterministic scheduling logic.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — No hosting, sandboxing, or infrastructure details are provided. Standard web application security threats (e.g., unauthorized access to the tenant database) apply.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of guardrails, drift detection, or LLM observability tools to monitor the personalized learning content generation.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — While handling sensitive employee feedback regarding 'toxic cultures' and 'poor management', no specific compliance certifications (like GDPR, SOC2) or access controls are detailed.

L7 · Agent Ecosystem⚠ not certain from listing

Not certain from the listing — The platform operates as a standalone SaaS tool; there is no evidence of multi-agent interactions or integration with external agent marketplaces.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).