◀︎ // Home
Section 01 // the STAR Framework
A Map of Where Attacks Happen
Several frameworks already cover pieces of this problem: OWASP's Top 10 for LLM and Agentic Applications, Google's Secure AI Framework, MITRE ATLAS, and the NIST AI Risk Management Framework. Each is valuable. None maps an agent's architecture to its deployment context, which is where attacks actually happen.
The Straiker STAR Framework answers that on two axes at once. The first is agent architecture: every agent, regardless of vendor, runs on the same four layers. The second is deployment context: every enterprise agent lands in one of three roles, each with its own trust posture and blast radius. Their intersection is where attacks happen, and where this report's data lives.
AiPT and LAVA: naming what's new
Two named categories describe the agentic threat landscape. AiPTs are the new adversary; LAVA is the vulnerability class they exploit.
AiPT
AI-Powered Persistent Threats: adversaries operating with agentic offensive toolkits. They automate reconnaissance, generate exploits for the specific target, persist in the semantic layer traditional defenses cannot read, and operate as agents themselves. Cyberspike Villager is a documented example.
LAVA
Language-Augmented Vulnerabilities in Applications: the exploit lives in the language an agent reasons over. The payload is content the agent reads and then follows, like a poisoned README driving an SSRF, or attacker input passed straight into a SQL-injectable MCP tool. No scanner sees the agent decide to deliver it.
The four architectural layers
Every agent runs on the same four layers: application, model, tools and MCP, and data. Attacks rarely stay in one. A poisoned document in the data layer is a form of indirect prompt injection: the instruction hides in content the agent reads, not in what the user types. It is read as instruction by the model, executed by the tools and MCP layer, and surfaced as real-world action by the application layer when no approval gate stops it. The same mechanism now rides Skills, the packaged instruction files agents load as trusted context. Knowing which layer is exercised tells defenders which control breaks the chain. STAR Labs found that 75% of tested agentic applications are vulnerable to injection at the model layer.

Common Questions
What is the Straiker STAR Framework for AI agent security?
The Straiker STAR Framework is a model for securing AI agents across four architectural layers (application, model, tools & MCP, and data) and three deployment types (coding, productivity, and first-party agents). Built by Straiker's STAR Labs (STAR = Straiker AI Security Research), it maps where agentic attacks actually happen so defenders know which control breaks each step of the chain. It is distinct from the STAR interview method.
What is indirect prompt injection, and how is it different from a jailbreak?
Indirect prompt injection is when an attacker hides instructions inside content an agent reads — a document, email, README, web page, or Skill — rather than typing them into the chat. The agent treats that buried text as a command. Unlike a jailbreak, the user is not adversarial and the model is not misbehaving; the context has been weaponized. It is the most common entry point for agentic attacks.
Are AI agent Skills, like Claude Skills or Vercel Skills, a security risk?
Yes. A Skill is a packaged instruction file an agent loads as trusted context, so a poisoned or malicious Skill is indirect prompt injection with a distribution channel — the same risk as an untrusted README or rules file, shared at scale. Independent audits of public Skill directories have found prompt-injection payloads and credential-stealing code in a meaningful share of packages. Treat every Skill like third-party code: review its instructions, pin versions, and install only from sources you trust.
Get the Full Report
Read everything here, free. Enter your email and we'll send the full PDF, including the complete defender playbook.






