AgentReadyHomeAgent Listing

← Kolena GTM AI

Kolena GTM AI — agentic threat model

6.4AIVSS 6.4 · Medium

Kolena GTM AI presents a moderate-to-high risk profile primarily driven by its deep integration with sensitive enterprise data sources (CRMs, transcripts, HIPAA-regulated data), offset by robust compliance certifications (SOC2 Type II, HIPAA).

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.5AARS uplift 1.0Factor sum 4.0/10Threat ×1.0Mitigation ×0.75
Autonomy of Action
0.30
Goal-Driven Planning
0.40
Self-Modification
0.10
Dynamic Tool Use
0.50
Persistent Memory
0.50
Contextual Awareness
0.70
Dynamic Identity
0.20
Multi-Agent Interactions
0.20
Non-Determinism
0.60
Opacity & Reflexivity
0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — likely utilizes commercial multimodal foundation models to process audio, video, and text. Primary threats include prompt injection via malicious transcripts that could manipulate MEDDIC scoring or extract sensitive system prompts.

L2 · Data Operations✓ mapped

Processes highly sensitive CRM data, sales calls, and multi-format documents (PDFs, audio, video). Key threats include data exfiltration of proprietary sales strategies, customer PII, and potential knowledge-base poisoning if malicious transcripts are ingested.

L3 · Agent Frameworks✓ mapped

Orchestrates multi-step analysis to generate board decks and persona developments. Threats include insecure tool integration with connected CRMs and workflow tools, where indirect prompt injection could trigger unauthorized CRM updates.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — likely hosted in a secure cloud environment to meet compliance standards. Threats include container compromise, insecure storage of CRM API keys, and unauthorized access to the no-code builder environment.

L5 · Evaluation & Observability✓ mapped

Provides real-time analytics dashboards and reporting. Threats include blind spots in monitoring malicious inputs hidden within unstructured audio/video files, and a lack of specialized guardrails to detect prompt injection in ingested transcripts.

L6 · Security & Compliance (cross-cutting)✓ mapped

Demonstrates strong compliance posture with SOC2 Type II and HIPAA certifications. Threats include authorization bypass within the no-code agent builder, allowing unauthorized users to access sensitive CRM integrations or compliance-restricted data.

L7 · Agent Ecosystem⚠ not certain from listing

Not certain from the listing — while branded as an 'AI Agents Platform', specific multi-agent orchestration or third-party agent marketplace risks are not detailed. Main ecosystem threats involve cascading failures from broken CRM API integrations.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).