Methodology

One repeatable method, run against every engagement

Contributor, OWASP Top 10 for Agentic Applications 2026 · CISSP · PhD · 15+ years enterprise security

Every Molntek review follows the same four-phase method, mapped to the OWASP Top 10 for Agentic Applications 2026 and cross-referenced to NIST AI RMF, MITRE ATLAS, and EU AI Act Article 15. The method is fixed, which is why the price is too — and why the deliverable reads the same whether it lands in front of your engineers or your auditors.

The four phases

Scope narrows the work, the threat model finds where it breaks, testing proves it, and the walkthrough makes sure your team can act on it.


01 · Scope

We agree the one system in focus — an agent, an MCP integration, or a RAG pipeline — its trust boundaries, tools, and data paths. No production data is accessed; everything runs against staging.

02 · Threat model

A structured walkthrough of where untrusted text meets privileged tools. Each entry point is mapped to the OWASP Top 10 for Agentic Applications 2026 (ASI01–ASI10) and ranked by exploitability.

03 · Test & verify

Findings are reproduced against staging — prompt injection, confused-deputy, tool hijacking, exfiltration. Every issue ships with a concrete reproduction, not a theoretical risk.

04 · Report & walkthrough

A written deliverable with severity-ranked findings, OWASP/NIST/MITRE/EU AI Act mapping, and a sequenced remediation roadmap — followed by a live session with your engineering and security teams.

What the threat model covers

Every finding is mapped to a category in the OWASP Top 10 for Agentic Applications 2026, so the report speaks the same language as the standard your customers and auditors already reference.

ASI01 Agent Privilege Escalation
ASI02 Confused Deputy Attacks
ASI03 Prompt Injection in Agentic Systems
ASI04 Tool Hijacking
ASI05 Agentic Data Exfiltration
ASI06 Multi-Agent Coordination Attacks
ASI07 Agent Workflow Manipulation
ASI08 Supply Chain Attacks on Agent Components
ASI09 Agentic Hallucination-Driven Risks
ASI10 Agent-Specific Data Poisoning

How severity is scored

Each finding is rated on exploitability and impact, then mapped to a single severity. The model is deliberately simple so engineering and leadership read it the same way.

Critical · Remotely triggerable; unauthorized privileged action or data loss with no special access. Fix before next release; mitigate now.
High · Exploitable with modest effort or a plausible precondition; significant impact. Fix this cycle.
Medium · Requires chaining or limited access; bounded impact. Scheduled remediation.
Low · Hardening or hygiene; low standalone impact. Backlog.

Cross-referenced to the frameworks you report against

OWASP Top 10 for Agentic Applications 2026 — the primary taxonomy. Every finding carries an ASI mapping.

NIST AI RMF — findings reference the relevant Measure/Manage functions so the work slots into an existing AI risk program.

MITRE ATLAS — adversary techniques are named with their ATLAS IDs where they apply.

EU AI Act Article 15 — accuracy, robustness, and cybersecurity obligations are noted where the system falls in scope.

See the deliverable before you buy

A sanitized sample report shows the full structure, severity model, and remediation roadmap you receive at the end of a real engagement.

Read the sample report →

Want this run against your system?

30 minutes to scope which system to start with and how the method applies to your stack.