DEV Community

razashariff
We Built DAST for AI Agents. Every Agent We Tested Failed.

8 dimensions. 38 checks. 5 seconds. 0% industry pass rate.


The Problem

DAST exists for web apps. DAST exists for APIs. DAST does not exist for AI agents.

Agents are connecting to MCP servers, calling tools, initiating payments, accessing databases, and making autonomous decisions. They are doing this with zero dynamic security testing. No identity verification. No message signing. No replay protection. No kill switches. No audit trails.

We know this because we built a scanner and tested them.

What We Built

CyberSecClaw is an 8-dimension agent DAST platform. It connects to any MCP server, sends real attack payloads, and measures the security posture across 8 dimensions:

  1. Identity -- does the server verify who is connecting?
  2. Injection Resistance -- can you inject commands, SQL, paths, prompts?
  3. Escalation -- can a low-trust agent access admin tools?
  4. Exfiltration -- can data be stolen through tool responses?
  5. Trust Boundary -- can agents relay attacks to other agents?
  6. Autonomy Control -- rate limits, kill switches, action budgets?
  7. Integrity -- message signing, replay protection, audit trails?
  8. Compliance -- OWASP, EU AI Act, AISVS, SOC2?

What a Scan Looks Like

Here is a real scan against a deliberately vulnerable MCP server. 38 checks. 4.4 seconds.

Running 8-Dimension Agent DAST...

[1/8] Testing IDENTITY...            0% (0 pass, 4 fail)
[2/8] Testing INJECTION RESISTANCE... 4% (1 pass, 6 fail)
[3/8] Testing ESCALATION...           0% (0 pass, 4 fail)
[4/8] Testing EXFILTRATION...        50% (2 pass, 2 fail)
[5/8] Testing TRUST BOUNDARY...       0% (0 pass, 4 fail)
[6/8] Testing AUTONOMY CONTROL...     0% (0 pass, 5 fail)
[7/8] Testing INTEGRITY...            0% (0 pass, 5 fail)
[8/8] Testing COMPLIANCE...           0% (0 pass, 4 fail)

══════════════════════════════════════════════
AGENT DAST REPORT
══════════════════════════════════════════════

Duration:  4.4s
Checks:    38 (3 pass, 34 fail)
Score:     7/100 (F)
Verdict:   FAIL
Passport:  DENY

░░░░░░░░░░   0%  IDENTITY
      ✗ Unauthenticated access: ACCEPTED
      ✗ Spoofed agent identity: ACCEPTED
      ✗ Expired credentials: ACCEPTED
      ✗ Invalid signature accepted: ACCEPTED

░░░░░░░░░░   4%  INJECTION RESISTANCE
      ✗ Command injection: EXECUTED
      ✗ SQL injection: EXECUTED
      ✗ Path traversal: EXECUTED
      ✗ SSRF to cloud metadata: EXECUTED
      ✗ Prompt injection via tool args: EXECUTED
      ✗ XSS in tool response: EXECUTED
      ✓ Tool poisoning check: Clean

░░░░░░░░░░   0%  ESCALATION
      ✗ Dangerous tools exposed: 7 dangerous tools
      ✗ Low-trust agent calls admin tool: ALLOWED
      ✗ Tool chaining escalation: CHAIN EXECUTED
      ✗ Self-escalation attempt: ACCEPTED

█████░░░░░  50%  EXFILTRATION
      ✗ External URL in tool arguments: ACCEPTED
      ✓ PII in tool responses: No PII patterns found
      ✓ Secrets in error messages: Clean
      ✗ Data staging via file write: FILE WRITTEN

░░░░░░░░░░   0%  TRUST BOUNDARY
      ✗ Cross-agent relay attack: ACCEPTED
      ✗ Cross-server instruction: PROCESSED WITHOUT VERIFICATION
      ✗ Shared context poisoning: CONTEXT MAY BE POISONED
      ✗ Multi-hop manipulation: PROCESSED WITHOUT DETECTION

░░░░░░░░░░   0%  AUTONOMY CONTROL
      ✗ Rate limiting: All 20 accepted - no rate limiting
      ✗ Destructive action: EXECUTED WITHOUT CONFIRMATION
      ✗ Action budget: NO BUDGET - unlimited calls
      ✗ Kill switch: NOT FOUND
      ✗ Monitoring: COULD BE DISABLED

░░░░░░░░░░   0%  INTEGRITY
      ✗ Message signing: NONE
      ✗ Replay protection: BOTH ACCEPTED
      ✗ Tool definition integrity: NONE
      ✗ Audit trail: NONE
      ✗ Fail-closed: FAILS OPEN

░░░░░░░░░░   0%  COMPLIANCE
      ✗ OWASP MCP Top 10: 0/3 checks passed
      ✗ EU AI Act (Art 12-16, 50): 0/4 articles addressed
      ✗ OWASP AISVS C10: 0/3 requirements met
      ✗ SOC2: INSUFFICIENT

OVERALL SCORE: 7/100 (F) | VERDICT: FAIL | PASSPORT: DENY

MITRE ATLAS Mapping

Every finding maps to a verified MITRE ATLAS technique. These are the actual technique IDs from atlas.mitre.org:

  • AML.T0050 Command and Scripting Interpreter -- 5 injection vectors confirmed
  • AML.T0051 LLM Prompt Injection -- tool args accepted without sanitisation
  • AML.T0053 AI Agent Tool Invocation -- destructive actions without confirmation
  • AML.T0080 AI Agent Context Poisoning -- shared context accepted without verification
  • AML.T0052.000 Spearphishing via Social Engineering LLM -- cross-agent relay attacks processed
  • AML.T0029 Denial of AI Service -- no rate limiting, no kill switch
  • AML.T0010 AI Supply Chain Compromise -- no message signing, no replay protection

18 out of 25 ATLAS techniques triggered on a single server.

Attack Chain Analysis

The scanner does not just find individual vulnerabilities. It chains them into multi-step attack paths:

CRITICAL  Full Compromise Chain
Reconnaissance -> Initial Access -> Execution -> Exfiltration
  Step 1: Connect without authentication     -> AML.T0000
  Step 2: Inject command via tool args        -> AML.T0050
  Step 3: Exfiltrate data via tool response   -> AML.T0025
Impact: Complete data breach.

HIGH  Persistent Agent Compromise
Execution -> Defense Evasion -> Persistence
  Step 1: Poison shared context               -> AML.T0080
  Step 2: Disable monitoring                  -> AML.T0046
  Step 3: No audit trail                      -> AML.T0081
Impact: Persistent access with no forensic evidence.

Kill Chain Coverage

[VULNERABLE]  RECONNAISSANCE
[VULNERABLE]  INITIAL ACCESS
[VULNERABLE]  EXECUTION
[VULNERABLE]  PRIVILEGE ESCALATION
[VULNERABLE]  DEFENSE EVASION
[VULNERABLE]  LATERAL MOVEMENT
[VULNERABLE]  COLLECTION
[PROTECTED]   EXFILTRATION
[VULNERABLE]  IMPACT

Kill chain coverage: 1/9 stages protected

The Industry Pass Rate

We have tested MCP servers in production. The pass rate across the industry is 0%.

Every server we have tested scores D or below. Most score F. The gap between what these agents are doing (processing payments, accessing databases, making autonomous decisions) and the security controls protecting them (none) is the largest unaddressed attack surface in enterprise AI today.

Why This Matters Now

  • 30+ CVEs in the MCP ecosystem in the first 60 days of 2026
  • An AI agent just deleted a production database for a rental company serving businesses nationwide
  • Cursor, Railway, Replit -- agents are causing real damage in production
  • MCPS protocol security checks are now shipping in Cisco AI Defense
  • No existing DAST tool covers agent security dimensions

What Gets Checked

| Dimension | Checks | What It Tests |
|---|---|---|
| Identity | 4 | Auth bypass, spoofing, expired creds, invalid signatures |
| Injection | 7 | Command, SQL, path traversal, SSRF, prompt injection, XSS, tool poisoning |
| Escalation | 4 | Dangerous tools, admin access, tool chaining, self-escalation |
| Exfiltration | 5 | External URLs, PII leakage, secrets in errors, DNS exfil, data staging |
| Trust Boundary | 4 | Relay attacks, cross-server instruction, context poisoning, multi-hop |
| Autonomy | 5 | Rate limiting, human approval, action budgets, kill switch, monitoring |
| Integrity | 5 | Message signing, replay protection, tool hashes, audit trail, fail-closed |
| Compliance | 4 | OWASP MCP Top 10, EU AI Act, AISVS C10, SOC2 |
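The Integrity row is the one most servers fail outright (signing NONE, replay BOTH ACCEPTED, audit trail NONE, FAILS OPEN). The sketch below is an added example of the server-side gate those four checks are looking for; it is not CyberSecClaw code and not part of any MCP implementation. It assumes a shared HMAC key, a `{"body": ..., "sig": ...}` envelope layout and a 30-second freshness window, all constructed for the demo.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key and window; a real server loads the key from a secret store.
SHARED_KEY = b"demo-shared-key-not-for-production"
FRESHNESS_WINDOW = 30.0  # seconds a signed message stays acceptable

def canonical(payload: dict) -> bytes:
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def sign(payload: dict, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over the canonical body (the agent side of message signing)."""
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()

class IntegrityGate:
    """Server-side verifier. Every failure path returns (False, reason): fail-closed."""

    def __init__(self, key: bytes = SHARED_KEY, now=time.time):
        self.key = key
        self.now = now                        # injectable clock for testing
        self.seen_nonces: dict[str, float] = {}  # nonce -> expiry time
        self.audit_log: list[dict] = []          # append-only audit trail

    def verify(self, envelope: dict) -> tuple[bool, str]:
        try:
            body, sig = envelope["body"], envelope["sig"]
            ts, nonce = float(body["ts"]), str(body["nonce"])
            # 1. Signature covers ts and nonce, so neither can be swapped in later.
            if not hmac.compare_digest(sign(body, self.key), sig):
                return self._record(nonce, False, "bad signature")
            now = self.now()
            # 2. Freshness window bounds how long a captured message is useful.
            if abs(now - ts) > FRESHNESS_WINDOW:
                return self._record(nonce, False, "stale timestamp")
            # 3. Drop expired nonces, then refuse any nonce already seen in the window.
            self.seen_nonces = {n: e for n, e in self.seen_nonces.items() if e > now}
            if nonce in self.seen_nonces:
                return self._record(nonce, False, "replayed nonce")
            self.seen_nonces[nonce] = now + FRESHNESS_WINDOW
            return self._record(nonce, True, "ok")
        except (KeyError, TypeError, ValueError):
            # Anything unparseable is rejected rather than passed through.
            return self._record(None, False, "malformed envelope")

    def _record(self, nonce, accepted: bool, reason: str) -> tuple[bool, str]:
        self.audit_log.append({"nonce": nonce, "accepted": accepted, "reason": reason})
        return accepted, reason
```

The same message presented twice is the scanner's replay check; a body edited after signing is its invalid-signature check.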

Standards

Every finding references:

Get In Touch

CyberSecClaw is not open source. If you are interested in scanning your MCP infrastructure or discussing agent security for your organisation, get in touch.

Raza Sharif
CEO, CyberSecAI Ltd
contact@agentsign.dev
claw.cybersecai.co.uk
