AgentReadyHomeAgent Listing

← mcp-server-wazuh (gbrigandi)

mcp-server-wazuh (gbrigandi) — agentic threat model

8.0AIVSS 8.0 · High

The mcp-server-wazuh agent acts as a high-value read-only data bridge exposing sensitive SIEM security context to LLMs, presenting significant data exfiltration and prompt injection risks if the client LLM is manipulated.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.5AARS uplift 0.45Factor sum 1.8/10Threat ×1.0Mitigation ×1.0
Autonomy of Action
0.20
Goal-Driven Planning
0.10
Self-Modification
0.00
Dynamic Tool Use
0.40
Persistent Memory
0.00
Contextual Awareness
0.50
Dynamic Identity
0.10
Multi-Agent Interactions
0.00
Non-Determinism
0.30
Opacity & Reflexivity
0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The tool itself does not include a foundation model, but as an MCP server for Claude Desktop, it is vulnerable to indirect prompt injection where malicious data inside Wazuh alerts could manipulate the host LLM's behavior.

L2 · Data Operations✓ mapped

Exposes highly sensitive live SIEM data (alerts, agents, rules). The primary threat is data exfiltration of network topology, active vulnerabilities, and security incidents to unauthorized parties via the LLM interface.

L3 · Agent Frameworks✓ mapped

Integrates via the Model Context Protocol (MCP). Risks include insecure tool orchestration where the LLM may be tricked into executing overly broad queries or exposing raw SIEM payloads without sanitization.

L4 · Deployment & Infrastructure✓ mapped

Runs as a local or server-side process bridging Claude Desktop to Wazuh. Requires secure storage of Wazuh API credentials; compromise of the host environment exposes these high-privilege SIEM credentials.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of built-in guardrails, logging of LLM queries, or anomaly detection to identify when the LLM is being used to harvest SIEM data maliciously.

L6 · Security & Compliance (cross-cutting)✓ mapped

Inherits the compliance and data-egress considerations of SIEM integrations. Strict access controls and audit logging must be enforced to ensure LLM users do not bypass standard Wazuh RBAC policies.

L7 · Agent Ecosystem⚠ not certain from listing

Not certain from the listing — While designed for the MCP ecosystem, there is no explicit multi-agent coordination, though cascading risks exist if other connected MCP tools can read Claude's context containing Wazuh data.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).