Dynatrace MCP Server — agentic threat model
The Dynatrace MCP Server exposes highly sensitive enterprise operational and security telemetry via DQL, presenting a significant data exfiltration risk if the client agent is compromised or if the connected token is over-privileged.
OWASP AIVSS score rationale
| Autonomy of Action | 0.30 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.70 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.50 | |
| Dynamic Identity | 0.40 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.40 | |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The MCP server itself does not host a foundation model, but it interacts with Davis AI and client LLMs. The primary threat is prompt injection on the client LLM leading to unauthorized DQL generation.
Exposes sensitive operational and security telemetry including logs, metrics, problems, and vulnerabilities. The primary threat is data exfiltration or knowledge-base harvesting via malicious DQL queries.
Integrates as an MCP tool. Threats include insecure tool execution where a client agent is manipulated into executing overly broad DQL queries or exposing raw telemetry to unauthorized users.
Not certain from the listing — Standard MCP server deployment. Threats include insecure storage of the Dynatrace API token in the host environment or configuration files.
While the tool provides observability into Dynatrace, it requires its own strict query logging and audit trails to detect anomalous or high-volume data retrieval attempts by connected agents.
Crucially dependent on token scope and identity management. The connected token's scope determines the blast radius; over-privileged tokens violate least-privilege access controls.
Designed to be consumed by other agents in an ecosystem. A compromised or rogue client agent can abuse this MCP server to map the entire enterprise infrastructure and identify active vulnerabilities.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).