PagerDuty MCP Server — agentic threat model
The PagerDuty MCP Server introduces high operational risk by enabling LLMs to directly modify real-world incident states, services, and schedules, making it highly vulnerable to prompt injection attacks that could disrupt critical IT operations.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.40 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.60 | |
| Dynamic Identity | 0.50 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.40 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
1. Foundation Models: Not certain from the listing; relies on the external LLMs hosting the MCP client. The primary threat is prompt injection or adversarial reprogramming of the host LLM, leading it to execute unauthorized PagerDuty actions.
2. Data Operations: The server reads sensitive operational data including incident logs, service configurations, schedules, and on-call personnel details. Exposure or exfiltration of this metadata via RAG or context windows is a key risk.
3. Agent Frameworks: High risk of tool misuse. The MCP server exposes tools to trigger, escalate, or resolve incidents. A compromised framework or poisoned prompt can abuse these tools to cause widespread operational denial of service.
4. Deployment and Infrastructure: Not certain from the listing; depends on where the MCP server is hosted. Security relies heavily on the secure storage and isolation of the PagerDuty API tokens used by the server instance.
5. Evaluation and Observability: Not certain from the listing; requires external logging of MCP tool invocations. Without strict audit trails, unauthorized incident modifications or state changes will lack accountability.
6. Security and Compliance: Token scope is the primary control. The server's security posture depends entirely on enforcing least-privilege API keys and implementing robust user-level authorization (OAuth) rather than shared administrative tokens.
7. Agent Ecosystem: In a multi-agent MCP environment, a secondary agent could query this server to gain operational context or maliciously resolve active alerts, leading to cascading, undetected infrastructure failures.
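The two controls the observability and security layers call for, per-user least-privilege scopes on tool calls and an audit trail of every invocation, can be combined in one policy layer between the MCP host and the tool handlers. The following is an added illustration, not code from the PagerDuty MCP Server; the tool names and scope strings are assumed for the example and will not match the real server's tool list exactly.

```python
"""Least-privilege gate plus audit trail for PagerDuty-style MCP tool calls.

Added example (not PagerDuty's code). Tool names and scope names are
assumptions made for illustration, not the real server's tool list.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Assumed tool-to-scope mapping: read-only tools need a read scope,
# state-changing tools need a write scope, and closing an incident needs a
# separate, narrower scope so a shared "responder" token cannot silence alerts.
TOOL_SCOPES = {
    "list_incidents": {"incidents:read"},
    "get_oncall_schedule": {"schedules:read"},
    "trigger_incident": {"incidents:write"},
    "escalate_incident": {"incidents:write"},
    "resolve_incident": {"incidents:write", "incidents:resolve"},
}

@dataclass
class Principal:
    name: str                              # end user the agent acts for (OAuth subject)
    scopes: set = field(default_factory=set)

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, principal, tool, args, decision, reason):
        # One record per decision, allowed or denied, so every state change
        # made through the agent stays attributable to a named principal.
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "principal": principal.name, "tool": tool,
            "args": json.dumps(args, sort_keys=True),
            "decision": decision, "reason": reason,
        })

def authorize(principal, tool, args, audit):
    """Return True only if the principal holds every scope the tool requires."""
    required = TOOL_SCOPES.get(tool)
    if required is None:
        audit.record(principal, tool, args, "deny", "unknown tool")
        return False
    missing = required - principal.scopes
    if missing:
        audit.record(principal, tool, args, "deny", f"missing scopes {sorted(missing)}")
        return False
    audit.record(principal, tool, args, "allow", "scopes satisfied")
    return True
```

In deployment the audit entries would be shipped to an external log store rather than kept in memory, and the scope set would come from the user's OAuth grant instead of being constructed locally.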
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).