Agentic Security Needs Its Own Framework: The Straiker STAR Framework
In agentic AI, the model behaves and the user is legitimate. The weapon is the context the agent reads. Here is why we built the Straiker STAR Framework to map the agentic attack surface, and how it supplements the NIST AI RMF and OWASP.

I joined Straiker in July 2024, a few months after the company was incorporated. We were a handful of people with a conviction that agents, not chatbots, were about to become the enterprise’s fastest-growing workforce, and that nobody was securing them. When we launched publicly in March 2025, I wrote that traditional security measures were not built for a multi-agent world. Two years in, roughly two-thirds of the company is researchers, and the data has more than caught up with the conviction.
That conviction is now a body of evidence. Today we are publishing the first STAR Labs AI Agent Threat Research Report, built on the learnings of more than 1,700 successful exploits run against real coding, productivity, and first-party agents. This post is the thinking behind the framework at the center of it. If it lands, the report is where the full data lives.
Here is what that data keeps showing. Most conversations about AI agent security start in the wrong place: they ask whether the model can be trusted. That was the right question for a chatbot. It is the wrong question for an agent. In nearly every attack our team documented, the model did exactly what it was built to do. It read its context, reasoned over it, and acted. The context was poisoned, and the agent carried out the instruction like the good employee it was designed to be.
Defenders built for a hostile user or a hostile model
A generation of security controls assumes the threat is a malicious human at the keyboard or a jailbroken model. Agentic security breaks that assumption. The user is legitimate. The model is aligned. The weapon is a line of text sitting in an email, a web page, a code comment, or a tool response the agent was told to read. The technique that triggers it most often is indirect prompt injection. There is no exploit payload for any legacy security defenses to match, because the payload is language, and language is the interface.
A new attacker moves at agent speed
The adversaries exploiting this are not running last decade’s playbook. STAR Labs tracks a class we call AiPT, AI-powered persistent threats: attackers whose reconnaissance, exploit generation, and persistence are themselves agentic. They probe your agent faster than a human red team can schedule a sprint. When the attack tooling is an agent, quarterly testing and static scanners are already a generation behind.
The blast radius depends on what the agent can touch
Same attack, very different outcomes. Against coding agents, 36% of successful attacks in our testing reached remote code execution on the developer’s machine. Against productivity agents, 91% ended in silent data exfiltration. The Model Context Protocol, an unmanaged supply chain where we found 4,242 servers carrying at least one vulnerability. The agent is only as contained as the tools and context you let it read.
The more useful an AI agent becomes, the larger the enterprise attack surface grows
Complexity is the tradeoff nobody prices in. The more an agent can do, the more attack surface it opens for the enterprise running it.
Securing an agent means watching what it watches. You can't catch this by reading packets, and you can't catch it by reading code. You have to read context, at agent speed, across all four layers it lives in: application, model, tools and MCP, data.
That takes AI to secure AI: agent-on-agent defense, running at runtime. It's the same conclusion our researchers reached across every agent type we tested. It's why we published the data, not the talking points.
Why we built the Straiker STAR Framework
We did not set out to invent another framework. Good ones already exist. The OWASP Top 10 for LLM and Agentic Applications, the NIST AI Risk Management Framework, Google’s Secure AI Framework, and MITRE ATLAS each cover real parts of this problem, and we map to all of them. But when we lined our attack data up against those frameworks, a gap kept showing through. They tell you what can go wrong. None of them maps an agent’s architecture to the context it is deployed in, and that intersection is exactly where our researchers watched attacks succeed.
So the STAR Framework (Straiker AI Security Research) supplements rather than replaces them. It organizes the agentic attack surface on two axes at once. The first is agent architecture: every agent, whatever the vendor, runs on the same four layers, which are application, model, tools and MCP, and data. The second is deployment context: every enterprise agent lands in one of three roles, coding, productivity, or first-party, each with its own trust posture and blast radius. Where a layer meets a role is where an attack lands, and where a NIST or OWASP control needs to actually attach to something concrete.
That is the practical value. A CISO can take a NIST AI RMF requirement or an OWASP category and see precisely which layer and which agent role it protects, and where the coverage runs out. The framework turns a checklist of risks into a map of your own environment. Here is the whole map on one grid.
One malicious MCP server compromises all three agent types at once. 4,242 cataloged servers carry at least one vulnerability.
The full report walks all twelve cells with the data behind each one.
What’s inside the STAR Labs AI Agent Threat Research Report
This post is one idea from the report. The report itself is the map, the data, and the playbook:
- 1,700+ documented successful exploits run against production coding, productivity, and first-party agents
- How indirect prompt injection turns everyday content, from an email to a code comment, into attacker instructions the agent obeys
- The 36% RCE and 91% silent exfiltration findings, with the full attack chains behind them
- 4,242 vulnerable MCP servers and what an unmanaged agent supply chain looks like up close
- Named case studies, including the Claude Code source leak
- The defender playbook: five controls that break the chain, mapped to NIST AI RMF and OWASP
Get the report: Read all eight sections free, or download the full PDF at https://straiker.ai/report/threat-research-vol-1.
I joined Straiker in July 2024, a few months after the company was incorporated. We were a handful of people with a conviction that agents, not chatbots, were about to become the enterprise’s fastest-growing workforce, and that nobody was securing them. When we launched publicly in March 2025, I wrote that traditional security measures were not built for a multi-agent world. Two years in, roughly two-thirds of the company is researchers, and the data has more than caught up with the conviction.
That conviction is now a body of evidence. Today we are publishing the first STAR Labs AI Agent Threat Research Report, built on the learnings of more than 1,700 successful exploits run against real coding, productivity, and first-party agents. This post is the thinking behind the framework at the center of it. If it lands, the report is where the full data lives.
Here is what that data keeps showing. Most conversations about AI agent security start in the wrong place: they ask whether the model can be trusted. That was the right question for a chatbot. It is the wrong question for an agent. In nearly every attack our team documented, the model did exactly what it was built to do. It read its context, reasoned over it, and acted. The context was poisoned, and the agent carried out the instruction like the good employee it was designed to be.
Defenders built for a hostile user or a hostile model
A generation of security controls assumes the threat is a malicious human at the keyboard or a jailbroken model. Agentic security breaks that assumption. The user is legitimate. The model is aligned. The weapon is a line of text sitting in an email, a web page, a code comment, or a tool response the agent was told to read. The technique that triggers it most often is indirect prompt injection. There is no exploit payload for any legacy security defenses to match, because the payload is language, and language is the interface.
A new attacker moves at agent speed
The adversaries exploiting this are not running last decade’s playbook. STAR Labs tracks a class we call AiPT, AI-powered persistent threats: attackers whose reconnaissance, exploit generation, and persistence are themselves agentic. They probe your agent faster than a human red team can schedule a sprint. When the attack tooling is an agent, quarterly testing and static scanners are already a generation behind.
The blast radius depends on what the agent can touch
Same attack, very different outcomes. Against coding agents, 36% of successful attacks in our testing reached remote code execution on the developer’s machine. Against productivity agents, 91% ended in silent data exfiltration. The Model Context Protocol, an unmanaged supply chain where we found 4,242 servers carrying at least one vulnerability. The agent is only as contained as the tools and context you let it read.
The more useful an AI agent becomes, the larger the enterprise attack surface grows
Complexity is the tradeoff nobody prices in. The more an agent can do, the more attack surface it opens for the enterprise running it.
Securing an agent means watching what it watches. You can't catch this by reading packets, and you can't catch it by reading code. You have to read context, at agent speed, across all four layers it lives in: application, model, tools and MCP, data.
That takes AI to secure AI: agent-on-agent defense, running at runtime. It's the same conclusion our researchers reached across every agent type we tested. It's why we published the data, not the talking points.
Why we built the Straiker STAR Framework
We did not set out to invent another framework. Good ones already exist. The OWASP Top 10 for LLM and Agentic Applications, the NIST AI Risk Management Framework, Google’s Secure AI Framework, and MITRE ATLAS each cover real parts of this problem, and we map to all of them. But when we lined our attack data up against those frameworks, a gap kept showing through. They tell you what can go wrong. None of them maps an agent’s architecture to the context it is deployed in, and that intersection is exactly where our researchers watched attacks succeed.
So the STAR Framework (Straiker AI Security Research) supplements rather than replaces them. It organizes the agentic attack surface on two axes at once. The first is agent architecture: every agent, whatever the vendor, runs on the same four layers, which are application, model, tools and MCP, and data. The second is deployment context: every enterprise agent lands in one of three roles, coding, productivity, or first-party, each with its own trust posture and blast radius. Where a layer meets a role is where an attack lands, and where a NIST or OWASP control needs to actually attach to something concrete.
That is the practical value. A CISO can take a NIST AI RMF requirement or an OWASP category and see precisely which layer and which agent role it protects, and where the coverage runs out. The framework turns a checklist of risks into a map of your own environment. Here is the whole map on one grid.
One malicious MCP server compromises all three agent types at once. 4,242 cataloged servers carry at least one vulnerability.
The full report walks all twelve cells with the data behind each one.
What’s inside the STAR Labs AI Agent Threat Research Report
This post is one idea from the report. The report itself is the map, the data, and the playbook:
- 1,700+ documented successful exploits run against production coding, productivity, and first-party agents
- How indirect prompt injection turns everyday content, from an email to a code comment, into attacker instructions the agent obeys
- The 36% RCE and 91% silent exfiltration findings, with the full attack chains behind them
- 4,242 vulnerable MCP servers and what an unmanaged agent supply chain looks like up close
- Named case studies, including the Claude Code source leak
- The defender playbook: five controls that break the chain, mapped to NIST AI RMF and OWASP
Get the report: Read all eight sections free, or download the full PDF at https://straiker.ai/report/threat-research-vol-1.









