← mcp-server-wazuh (gbrigandi)
mcp-server-wazuh (gbrigandi) — agentic threat model
The mcp-server-wazuh agent acts as a high-value read-only data bridge exposing sensitive SIEM security context to LLMs, presenting significant data exfiltration and prompt injection risks if the client LLM is manipulated.
OWASP AIVSS score rationale
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.40 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.50 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.00 | |
| Non-Determinism | 0.30 | |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The tool itself does not include a foundation model, but as an MCP server for Claude Desktop, it is vulnerable to indirect prompt injection where malicious data inside Wazuh alerts could manipulate the host LLM's behavior.
Exposes highly sensitive live SIEM data (alerts, agents, rules). The primary threat is data exfiltration of network topology, active vulnerabilities, and security incidents to unauthorized parties via the LLM interface.
Integrates via the Model Context Protocol (MCP). Risks include insecure tool orchestration where the LLM may be tricked into executing overly broad queries or exposing raw SIEM payloads without sanitization.
Runs as a local or server-side process bridging Claude Desktop to Wazuh. Requires secure storage of Wazuh API credentials; compromise of the host environment exposes these high-privilege SIEM credentials.
Not certain from the listing — There is no mention of built-in guardrails, logging of LLM queries, or anomaly detection to identify when the LLM is being used to harvest SIEM data maliciously.
Inherits the compliance and data-egress considerations of SIEM integrations. Strict access controls and audit logging must be enforced to ensure LLM users do not bypass standard Wazuh RBAC policies.
Not certain from the listing — While designed for the MCP ecosystem, there is no explicit multi-agent coordination, though cascading risks exist if other connected MCP tools can read Claude's context containing Wazuh data.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).