Loading...
Loading...
OmegaEngine · Compliance · OWASP Agentic
How OmegaEngine's runtime controls and 5,023-vector red-team corpus line up against the OWASP Top 10 for Agentic Applications (2026). Coverage is stated honestly — partial, detection-only, or host-responsibility where that is the truth.
Hidden or injected instructions redirect an agent's objective (e.g. EchoLeak-style silent exfiltration).
OmegaEngine mapping
/api/decision runs prompt-injection + jailbreak detection (promptInjectionTerms → GLOBAL_HARD_BLOCK). Corpus classes: PROMPT_INJECTION (250), JAILBREAK (300), INSTRUCTION_HIERARCHY (150), NESTED_INSTRUCTION, DELIMITER_BYPASS.
Honest gap
Strong input-side detection. Long-horizon goal drift across many turns needs runtime intent-tracking — partial today.
An agent bends legitimate tools into destructive or out-of-scope actions.
OmegaEngine mapping
Policy engine + detectHighRiskAction gate destructive ops and funds movement to opaque destinations to human review; circuit-breaker hard-stop on critical risk. Corpus class: TOOL_ABUSE (45).
Honest gap
Detects tool-abuse prompts and gates high-risk actions, but does not sandbox tool execution itself — that stays the host runtime's responsibility.
Leaked or over-scoped credentials let an agent operate beyond its intended authority.
OmegaEngine mapping
detectHighRiskAction flags privilege-escalation-to-outsider and security-control disablement to review; org-bound API keys + scopes (requireOrgBoundApiKeyOrDeny) enforce tenant isolation; tamper-evident audit records who did what. Corpus class: PRIVILEGE_ESCALATION (150).
Honest gap
Omega scopes and records agent identity; issuing, rotating, and least-privileging the underlying credentials is an IAM concern outside Omega.
Dynamic MCP / A2A components, tools, or retrieved context are poisoned at runtime (e.g. GitHub MCP exploit).
OmegaEngine mapping
RAG_POISON corpus (120) red-teams poisoned-context handling; AI-SBOM (lib/redteam/aiSbom.ts) and agent config-digest attestation record the components and configuration a decision ran under.
Honest gap
We test RAG poisoning and emit an AI-SBOM + signed config digest, but do not scan MCP servers or dependency trees for compromise at runtime. Treat as evidence + testing, not prevention.
Natural-language paths unlock unintended remote code or command execution (e.g. AutoGPT RCE).
OmegaEngine mapping
runSafetyChecks flags command-injection / SQL / path-traversal / SSRF / XSS payloads and decodes base64/hex/binary/morse/leetspeak to defeat obfuscation. Corpus classes: ENCODING (350), TOKEN_SMUGGLING, SYSTEM_LEAK.
Honest gap
These injection detectors are currently risk-signals routed to review, NOT hard-blocks (their term lists still over-match benign prose — see the SEVERE_TAGS note in lib/safety.ts). Omega never executes code; runtime RCE prevention is the host sandbox's job.
Injected content reshapes agent behaviour long after the initial interaction (e.g. Gemini memory attack).
OmegaEngine mapping
memoryPoisonTerms detector hard-blocks durable-instruction / memory-write attempts (validated 0 false-positives against the benign probe). Corpus class: MEMORY_POISON (100).
Honest gap
Strong input-side detection of poisoning attempts. Integrity of the agent's own long-term memory store across sessions is app-side.
Spoofed inter-agent messages misdirect a cluster of agents.
OmegaEngine mapping
MULTI_AGENT (100), CROSS_AGENT, and CONSENSUS_POISON corpus classes red-team multi-agent trust. Signed decision receipts + the omega-audit ledger let a receiving agent verify a message's provenance offline.
Honest gap
Omega provides verifiable, signed receipts to authenticate messages and tests the failure modes, but does not itself provide the A2A transport-security layer.
A false signal cascades through automated pipelines with escalating impact.
OmegaEngine mapping
Fail-closed OmegaConstitution invariant (if the engine fails, the action is blocked, never silently approved); circuit-breaker hard-stop at critical risk; velocity / anomaly and TEMPORAL scoring flag abnormal request patterns.
Honest gap
Per-decision circuit-breaking and anomaly signals help contain blast radius; system-wide cascade modelling across many agents is not in scope.
Confident, polished output misleads a human operator into approving a harmful action.
OmegaEngine mapping
socialEngineeringTerms detector hard-blocks manipulation phrasing (validated 0 false-positives); HITL escalation routes ambiguous decisions to a human; findings carry a verification status so an unverified flag is never shown as confirmed. Corpus class: SOCIAL_ENGINEERING (200).
Honest gap
We detect manipulation patterns and gate approvals, but a determined social-engineering payload against a human reviewer is a training / process control as much as a technical one.
An agent shows misalignment, concealment, or self-directed action outside its mandate.
OmegaEngine mapping
Behaviour contracts (lib/redteam/behaviorContracts.ts) and drift detection (lib/redteam/driftDetector.ts) flag deviation from expected behaviour; a structured self-verification (devil's-advocate) pass runs per decision; the tamper-evident omega-audit ledger makes concealment detectable after the fact.
Honest gap
Omega surfaces drift and preserves an immutable record, but continuous behavioural attestation of a fully autonomous agent is an active area, not a solved control.
Taxonomy: the OWASP Top 10 for Agentic Applications (2026), published by the OWASP Gen AI Security Project on 9 December 2025 (ASI01–ASI10). See genai.owasp.org. OmegaEngine also maps to the OWASP LLM Top 10 and MITRE ATLAS in its pen-test reports (lib/redteam/penTestReport.ts).