Extending the OWASP Multi-Agentic System Threat Modeling Guide: Insights from Multi-Agent Security Research
Klaudia Krawiecka, Christian Schroeder de Witt

TL;DR
This paper extends the OWASP MAS Threat Modeling Guide by incorporating recent multi-agent security research, addressing gaps in modeling failures, and proposing new threat classes and evaluation strategies for complex LLM-driven multi-agent systems.
Contribution
It introduces new threat classes, scenarios, and evaluation methods to enhance OWASP's framework for securing large language model-driven multi-agent architectures.
Findings
Identified gaps in existing threat taxonomy for MAS
Proposed new threat classes like reasoning collapse and hallucination propagation
Outlined evaluation strategies for robustness and safety
Abstract
We propose an extension to the OWASP Multi-Agentic System (MAS) Threat Modeling Guide, translating recent anticipatory research in multi-agent security (MASEC) into practical guidance for addressing challenges unique to large language model (LLM)-driven multi-agent architectures. Although OWASP's existing taxonomy covers many attack vectors, our analysis identifies gaps in modeling failures, including, but not limited to: reasoning collapse across planner-executor chains, metric overfitting, unsafe delegation escalation, emergent covert coordination, and heterogeneous multi-agent exploits. We introduce additional threat classes and scenarios grounded in practical MAS deployments, highlighting risks from benign goal drift, cross-agent hallucination propagation, affective prompt framing, and multi-agent backdoors. We also outline evaluation strategies, including robustness testing,…
Taxonomy
Topics: Network Security and Intrusion Detection · Information and Cyber Security · Multi-Agent Systems and Negotiation
