References and Bibliography
All sources cited across the Agentic AI Security Guide, organized by publishing organization. Published by Casaba Security.
OWASP
- OWASP Top 10 for Agentic Applications 2026. OWASP GenAI Security Project. Covers ten risk categories (ASI01-ASI10) specific to agentic AI systems including agent goal hijack, tool misuse, identity abuse, supply chain vulnerabilities, and cascading failures. owasp.org
- OWASP Top 10 for LLM Applications 2025. OWASP GenAI Security Project. Defines ten vulnerability categories for large language model applications including prompt injection, insecure output handling, and supply chain risks. owasp.org
NIST
- AI Risk Management Framework (AI RMF 1.0). National Institute of Standards and Technology, January 2023. Provides a framework for managing risks throughout the AI lifecycle across governance, mapping, measurement, and management functions. nist.gov
- NIST SP 800-218A: Secure Software Development Practices for Generative AI and Dual-Use Foundation Models. Extends the NIST Secure Software Development Framework (SSDF) with practices specific to generative AI model development and integration. csrc.nist.gov
MITRE
- MITRE ATLAS (Adversarial Threat Landscape for AI Systems). A knowledge base of adversarial tactics, techniques, and case studies targeting machine learning systems. Modeled after ATT&CK for traditional cybersecurity. atlas.mitre.org
CoSAI / OASIS Open
- Securing Agentic AI: A Threat Model and Call to Action for the Model Context Protocol. Coalition for Secure AI (CoSAI), OASIS Open, January 2026. Analyzes MCP-specific threat vectors including tool poisoning, schema manipulation, and cross-component context poisoning. cosai.oasis-open.org
ISO/IEC
- ISO/IEC 42001:2023 - Information technology - Artificial intelligence - Management system. Specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system within organizations. iso.org
Microsoft
- CVE-2025-32711 (EchoLeak). Microsoft Security Response Center. A prompt injection vulnerability in an MCP server implementation that allowed data exfiltration through crafted tool responses. Cited in sections on prompt injection and MCP security.
Casaba Security
- MCP & Tool Integration Security Capability Brief. Casaba Security, 2026. Covers five attack surfaces in MCP deployments: authentication, schema validation, trust boundaries, data exposure, and abuse resistance. casaba.com
- AI Application & Agent Security Capability Brief. Casaba Security, 2026. Documents seven attack surfaces and typical finding patterns from agentic AI security assessments. casaba.com
Agentic AI Security Guide V1.1