
Databricks — agentic threat model

AIVSS 5.6 · Medium

Databricks' managed MCP servers present a high-value target due to direct integration with enterprise data, SQL execution, and job triggering, though this risk is heavily mitigated by Unity Catalog governance and IAM controls.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.83
Factor sum: 5.5 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.6

Agentic risk factor         Score
Autonomy of Action          0.70
Goal-Driven Planning        0.50
Self-Modification           0.10
Dynamic Tool Use            0.80
Persistent Memory           0.40
Contextual Awareness        0.70
Dynamic Identity            0.60
Multi-Agent Interactions    0.80
Non-Determinism             0.50
Opacity & Reflexivity       0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
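The following is an added worked example (not code from the listing or from Databricks) that reproduces the AIVSS score above from the page's own inputs with the formula as stated, and also reports what the score would be with Mitigation_Factor = 1.0, i.e. if the Unity Catalog / IAM controls were absent or bypassed. Half-up rounding to the displayed precision is an assumption about how the listing rounds.

```python
from decimal import Decimal, ROUND_HALF_UP

# Inputs exactly as reported in the listing above.
CVSS_BASE = Decimal("8.5")
THREAT_MULTIPLIER = Decimal("1.0")   # ThM
MITIGATION_FACTOR = Decimal("0.6")   # credit for Unity Catalog / IAM controls

# Agentic risk factors (each scored 0.0-1.0 on the page).
AGENTIC_FACTORS = {
    "Autonomy of Action": Decimal("0.70"),
    "Goal-Driven Planning": Decimal("0.50"),
    "Self-Modification": Decimal("0.10"),
    "Dynamic Tool Use": Decimal("0.80"),
    "Persistent Memory": Decimal("0.40"),
    "Contextual Awareness": Decimal("0.70"),
    "Dynamic Identity": Decimal("0.60"),
    "Multi-Agent Interactions": Decimal("0.80"),
    "Non-Determinism": Decimal("0.50"),
    "Opacity & Reflexivity": Decimal("0.40"),
}

def _round_half_up(value, places):
    # Assumption: the listing rounds half-up (0.825 -> 0.83, 5.595 -> 5.6).
    return value.quantize(Decimal(10) ** -places, rounding=ROUND_HALF_UP)

def aars(cvss_base, factors, threat_multiplier):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM, unrounded."""
    factor_sum = sum(factors.values(), Decimal(0))
    return (Decimal(10) - cvss_base) * (factor_sum / 10) * threat_multiplier

def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, to one decimal."""
    total = (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor
    return float(_round_half_up(total, 1))

def score_breakdown():
    """Intermediate values shown in the listing, plus the score with
    Mitigation_Factor = 1.0 (governance controls absent or bypassed)."""
    uplift = aars(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER)
    return {
        "factor_sum": float(sum(AGENTIC_FACTORS.values(), Decimal(0))),
        "aars": float(_round_half_up(uplift, 2)),
        "aivss": aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR),
        "aivss_unmitigated": aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, Decimal(1)),
    }
```

The unmitigated value (9.3) makes the point of the summary explicit: the Medium rating rests almost entirely on the governance controls, so their integrity is the thing to monitor.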

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — Databricks supports various LLMs via Mosaic AI and external APIs, but the specific foundation models powering the MCP agents are not detailed in this directory entry.

L2 · Data Operations (✓ mapped)

Highly critical layer as the agent directly connects to enterprise data, SQL databases, and Unity Catalog assets. Primary threats include unauthorized data exfiltration, SQL injection via agent tools, and data lineage gaps.

L3 · Agent Frameworks (✓ mapped)

The agent framework relies on the Model Context Protocol (MCP) to expose SQL and jobs as tools. Threats include tool misuse (e.g., executing destructive SQL commands or unauthorized job triggers) and insecure tool integration.

L4 · Deployment & Infrastructure (✓ mapped)

Managed MCP servers are hosted inside the Databricks security and governance boundary. Threats include container escape, lateral movement within the workspace, and unauthorized access to the hosting infrastructure.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — while Databricks provides robust system tables and platform monitoring, the specific evaluation, guardrails, and real-time observability for the MCP agent interactions are not detailed.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Strong security posture leveraging Databricks IAM and Unity Catalog governance to enforce fine-grained access control and audit trails across all exposed data assets and jobs.

L7 · Agent Ecosystem (✓ mapped)

Designed to connect to external AI tools and agents via MCP. This introduces threats of agent-to-agent trust abuse, where a compromised external agent could exploit the Databricks MCP server to access sensitive data.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).