About OATF Scenarios
A curated catalog of executable threat scenarios for AI agent protocols.
What is this site?
This is the OATF Scenario Registry - an interactive companion to the Open Agent Threat Format (OATF) specification. It provides a browsable, searchable collection of security threat scenarios targeting the emerging ecosystem of AI agent communication protocols.
What is OATF?
The Open Agent Threat Format is a structured YAML-based format for describing attack scenarios against AI agents. Each scenario defines the protocol surface being targeted, the execution steps an attacker would follow, detection indicators, and mappings to established frameworks like MITRE ATT&CK, MITRE ATLAS, and OWASP Top 10 for LLMs.
The full specification is maintained at oatf.io.
Supported protocols
Scenarios in this registry cover three major AI agent protocols:
- MCP (Model Context Protocol) - Anthropic's protocol for connecting AI agents to external tools and data sources. Scenarios cover tool description injection, rug-pull attacks, tool shadowing, response injection, confused deputy, data exfiltration, and supply chain compromises.
- A2A (Agent2Agent) - Google's protocol for inter-agent communication via Agent Cards and task delegation. Scenarios cover cross-agent prompt injection and agent card spoofing.
- AG-UI - CopilotKit's protocol for streaming agent-to-frontend communication. Scenarios cover event stream injection and message list injection.
Site features
- Registry - Browse all scenarios with filtering by protocol, severity, and attack category. Full-text search across names, descriptions, and tags.
- Editor - Create and validate new OATF scenarios with a live YAML editor and instant preview.
- Coverage Matrix - View how scenarios map to MITRE ATT&CK techniques, ATLAS ML threats, and OWASP LLM risks.
- Scenario Detail - Each scenario page includes a structured attack timeline, protocol-level message flow diagrams, detection indicators with regex patterns, and framework mappings.
Confidence scoring
Each scenario carries a confidence score (0-100) representing how confident the author is in the assigned severity level, following the STIX confidence scale. A high-severity attack with confidence 30 means the author believes it could be high severity but has limited evidence; one with confidence 90 means the assessment is well-supported. The score defaults to 50 (neutral) when omitted. It is built from the five factors in the table below, each contributing the points of the single tier that applies:
| Factor | Range | Tiers |
|---|---|---|
| Impact evidence | 0-25 | Impact at this severity confirmed by CVE or peer-reviewed publication (+25), Conference demo (+20), Technical writeup with working PoC (+15), Vendor analysis or analogous attack class (+10), Theoretical extrapolation (+5) |
| Reproducibility | 0-25 | Impact at this severity independently confirmed by 2+ groups (+25), Documented PoC with public code (+15), Claimed reproduction without public artefacts (+10), No reproduction (+5) |
| Real-world observation | 0-20 | Confirmed exploitation producing the claimed impact (+20), Red team or controlled engagement (+12), Lab-only (+5), No observation (+0) |
| Quantitative support | 0-15 | Published success rates or measured impact data (+15), Qualitative assessment only (+5), None (+0) |
| Temporal applicability | 0-15 | Affects current versions, no mitigations deployed (+15), Recent but patched or partial mitigations (+8), Historical only (+3) |
Note: The 0 floor on real-world observation means a scenario can score up to 80/100 with zero real-world exploitation. This is by design -- novel protocol-level attacks that haven't been weaponised yet can still carry high confidence if the impact evidence and reproducibility are strong. A high confidence score should not be interpreted as implying confirmed malicious use in the wild.
For the full contributor-facing rubric with worked examples, see CONTRIBUTING.md.
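The following is an added example, not tooling from the OATF project or this registry, showing how the rubric above combines into a score and why a high score says nothing about in-the-wild exploitation. The point values are the page's; the factor and tier labels (for instance "cve_or_peer_reviewed") are this example's own names and are not OATF identifiers.

```python
from typing import Dict, Optional

# Tier point values transcribed from the OATF confidence rubric on this page.
# The factor and tier keys are labels chosen for this example, not identifiers
# from the OATF specification.
RUBRIC: Dict[str, Dict[str, int]] = {
    "impact_evidence": {            # 0-25
        "cve_or_peer_reviewed": 25,
        "conference_demo": 20,
        "writeup_with_poc": 15,
        "vendor_or_analogous": 10,
        "theoretical": 5,
    },
    "reproducibility": {            # 0-25
        "two_plus_groups": 25,
        "public_poc": 15,
        "claimed_no_artefacts": 10,
        "none": 5,
    },
    "real_world_observation": {     # 0-20, floor is 0
        "confirmed_exploitation": 20,
        "red_team": 12,
        "lab_only": 5,
        "none": 0,
    },
    "quantitative_support": {       # 0-15
        "published_data": 15,
        "qualitative": 5,
        "none": 0,
    },
    "temporal_applicability": {     # 0-15
        "current_unmitigated": 15,
        "recent_mitigated": 8,
        "historical": 3,
    },
}

DEFAULT_CONFIDENCE = 50  # neutral value used when a scenario omits the score


def confidence_score(evidence: Optional[Dict[str, str]]) -> int:
    """Sum the rubric points for exactly one tier per factor.

    `evidence` maps each factor name to the chosen tier label. None means the
    author supplied no breakdown, which the rubric treats as 50 (neutral).
    A missing factor or unknown tier is an error rather than a silent default,
    so a typo in a contribution cannot quietly inflate or deflate the score.
    """
    if evidence is None:
        return DEFAULT_CONFIDENCE
    unknown = set(evidence) - set(RUBRIC)
    if unknown:
        raise ValueError(f"unknown factor(s): {sorted(unknown)}")
    total = 0
    for factor, tiers in RUBRIC.items():
        if factor not in evidence:
            raise ValueError(f"missing factor: {factor}")
        tier = evidence[factor]
        if tier not in tiers:
            raise ValueError(f"unknown tier {tier!r} for {factor}; "
                             f"expected one of {sorted(tiers)}")
        total += tiers[tier]
    assert 0 <= total <= 100  # the five tier maxima sum to exactly 100
    return total


def max_score_without_observation() -> int:
    """Highest score reachable with real-world observation at its 0 floor.

    Reproduces the page's note that a scenario can reach 80/100 with no
    observed exploitation.
    """
    return sum(max(tiers.values()) for factor, tiers in RUBRIC.items()
               if factor != "real_world_observation")


def observed_in_the_wild(evidence: Optional[Dict[str, str]]) -> bool:
    """True only when the author recorded confirmed real-world exploitation.

    Consumers that need an 'exploited in the wild' signal should read this
    factor directly instead of thresholding the overall confidence score.
    """
    return (evidence is not None
            and evidence.get("real_world_observation") == "confirmed_exploitation")


if __name__ == "__main__":
    # Constructed sample: well-evidenced and reproducible, but never exploited.
    novel = {
        "impact_evidence": "cve_or_peer_reviewed",
        "reproducibility": "two_plus_groups",
        "real_world_observation": "none",
        "quantitative_support": "published_data",
        "temporal_applicability": "current_unmitigated",
    }
    print(confidence_score(novel), observed_in_the_wild(novel))  # 80 False
    print(confidence_score(None))                                # 50
```

Running the module shows the sample scenario scoring 80 while `observed_in_the_wild` stays False, which is the distinction the note above draws: confidence measures evidence for the severity assessment, not whether the attack has been used.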
Who is this for?
- Security engineers building or auditing AI agent integrations
- Protocol implementors designing defenses for MCP, A2A, or AG-UI
- Red teams evaluating the attack surface of agentic AI systems
- Researchers studying prompt injection, tool poisoning, and agent-to-agent threats
Contributing
Scenarios are maintained in the oatf-spec/scenarios GitHub repository. Contributions of new scenarios, improvements to existing ones, and framework mapping additions are welcome via pull requests.
OATF is an open specification. The scenario registry and all scenario definitions are open source.