
Attack surface mapping for agent configurations

John Kearney
tools, compliance, agent-safety

An agent with read access to a database and write access to the filesystem has a different risk profile than an agent with only read access to both. The combination of capabilities creates attack surfaces that neither capability creates alone. We built the attack surface mapper to identify these combinatorial risks automatically.

The tool takes an agent configuration as input: the model, the tools it has access to, the system prompt, any constraints. It outputs a risk assessment that identifies dangerous capability combinations, maps them to specific attack patterns, and estimates severity.

The analysis works by maintaining a knowledge base of capability interaction patterns. Read + write is one pattern. Network access + code execution is another. Each pattern has a set of attack scenarios that the combination enables and a severity rating based on potential impact. The mapper walks the agent's capability set, identifies all pairwise and higher-order combinations, and looks up each combination in the knowledge base.

We built this because manual configuration review does not scale and does not catch combinatorial risks reliably. A security reviewer looking at a tool list might notice that the agent has shell access. They might not notice that shell access combined with a web browsing tool and a credential store creates a lateral movement path that no single tool creates alone.

The EU AI Act angle is direct. Article 9 requires risk management systems for high-risk AI applications. The attack surface mapper produces documentation that maps directly to Article 9 requirements: identified risks, assessed severity, and recommended mitigations. For teams that need to demonstrate compliance before the August 2026 deadline, this is a concrete tool rather than a consulting engagement.

The mapper currently covers 47 tool categories and 312 interaction patterns. Categories include file system access, network access, code execution, database operations, credential management, external API calls, and more. Each interaction pattern is documented with the attack scenario it enables, the prerequisites, and the defensive controls that mitigate it.

One thing we learned building this: most agents are over-provisioned. The median agent configuration in our test set had access to 3 tools it never used. Removing unused tools does not reduce capability but does reduce attack surface. The mapper flags unused tools as low-effort mitigations.

The output format is structured JSON so that it can feed into compliance reporting pipelines, CI/CD gates, or monitoring systems. We also generate a human-readable summary for security review meetings. The summary highlights the top 5 risks by severity and the easiest mitigations by effort.
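As an added example (not the mapper's own code), here is a small Python version of the analysis described above: a constructed knowledge base of interaction patterns, enumeration of pairwise and higher-order tool combinations, flagging of unused tools as the low-effort mitigation, and the structured JSON assessment. The category names, pattern names, severities and the sample configuration are all assumptions made for the illustration.

```python
import json
from itertools import combinations
# Constructed knowledge base keyed by tool-category sets. The category and
# pattern names are hypothetical; they stand in for the mapper's own catalogue.
KNOWLEDGE_BASE = {
    frozenset({"db_read", "fs_write"}): {
        "scenario": "database contents copied to disk", "severity": 3,
        "mitigation": "confine filesystem writes to a dedicated output directory"},
    frozenset({"network", "code_exec"}): {
        "scenario": "fetched content executed", "severity": 4,
        "mitigation": "run code in a sandbox with egress allow-listing"},
    frozenset({"shell", "web_browse", "credential_store"}): {
        "scenario": "lateral movement path", "severity": 5,
        "mitigation": "remove credential store access or require approval per use"},
}
MAX_ORDER = max(len(key) for key in KNOWLEDGE_BASE)  # bounds the enumeration

def find_interactions(tools):
    # Enumerate every pairwise and higher-order combination (up to the largest
    # pattern size) and look it up; return matches by descending severity.
    tools = sorted(set(tools))
    hits = []
    for order in range(2, min(MAX_ORDER, len(tools)) + 1):
        for combo in combinations(tools, order):
            pattern = KNOWLEDGE_BASE.get(frozenset(combo))
            if pattern is not None:
                hits.append({"tools": list(combo), **pattern})
    return sorted(hits, key=lambda h: -h["severity"])

def assess(config, top_n=5):
    # Top risks, unused tools, and how many patterns vanish if they are dropped.
    granted = set(config["tools"])
    used = set(config.get("tools_used", granted))
    unused = sorted(granted - used)
    risks = find_interactions(granted)
    trimmed = find_interactions(granted - set(unused))
    return {
        "agent": config["name"],
        "top_risks": risks[:top_n],
        "unused_tools": unused,  # low-effort mitigation: remove these
        "risks_removed_by_trimming": len(risks) - len(trimmed),
    }

# Constructed sample configuration (hypothetical agent, not a real one).
SAMPLE_CONFIG = {
    "name": "report-assistant",
    "tools": ["db_read", "fs_write", "network", "code_exec",
              "shell", "web_browse", "credential_store"],
    "tools_used": ["db_read", "network", "code_exec", "shell", "web_browse"],
}
print(json.dumps(assess(SAMPLE_CONFIG), indent=2))
```

For the sample configuration, dropping the two unused tools removes two of the three flagged interaction patterns, including the highest-severity one.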

The attack surface mapper is open source under MIT license. It runs locally with no network dependencies. Your agent configurations never leave your machine.