DARR
Reverse crosswalk

Cisco AI Security Framework

112 entries, 112 mapped to canonical risks. Each entry below is shown with the canonical risk it maps to, or the reason it sits outside the register.

Framework entry | Description | Disposition | Register mapping | Confidence | Note
AISubtech-1.1.1 Instruction Manipulation (Direct Prompt Injection) | Direct Prompt Injection | Mapped | | Clear | Direct prompt injection = our prompt-injection/jailbreak risk.
AISubtech-1.1.2 Obfuscation (Direct Prompt Injection) | Direct Prompt Injection | Mapped | | Clear | Direct prompt injection = our prompt-injection/jailbreak risk.
AISubtech-1.1.3 Multi-Agent Prompt Injection | Direct Prompt Injection | Mapped | | Clear | Direct prompt injection = our prompt-injection/jailbreak risk.
AISubtech-1.2.1 Instruction Manipulation (Indirect Prompt Injection) | Indirect Prompt Injection | Mapped | | Clear | Indirect prompt injection via ingested content.
AISubtech-1.2.2 Obfuscation (Indirect Prompt Injection) | Indirect Prompt Injection | Mapped | | Clear | Indirect prompt injection via ingested content.
AISubtech-1.2.3 Multi-Agent (Indirect Prompt Injection) | Indirect Prompt Injection | Mapped | | Clear | Indirect prompt injection via ingested content.
AISubtech-1.3.1 Goal Manipulation (Models, Agents) | Goal Manipulation | Mapped | | Partial | Adversarial goal manipulation of models/agents = agent goal hijack; non-agent case relates to MR-010.
AISubtech-1.3.2 Goal Manipulation (Tools, Prompts, Resources) | Goal Manipulation | Mapped | | Partial | Adversarial goal manipulation of models/agents = agent goal hijack; non-agent case relates to MR-010.
AISubtech-1.4.1 Image-Text Injection | Multi-Modal Injection and Manipulation | Mapped | | Clear | Multi-modal injection (image/audio/video) is a prompt-injection variant.
AISubtech-1.4.2 Image Manipulation | Multi-Modal Injection and Manipulation | Mapped | | Clear | Multi-modal injection (image/audio/video) is a prompt-injection variant.
AISubtech-1.4.3 Audio Command Injection | Multi-Modal Injection and Manipulation | Mapped | | Clear | Multi-modal injection (image/audio/video) is a prompt-injection variant.
AISubtech-1.4.4 Video Overlay Manipulation | Multi-Modal Injection and Manipulation | Mapped | | Clear | Multi-modal injection (image/audio/video) is a prompt-injection variant.
AISubtech-2.1.1 Context Manipulation (Jailbreak) | Jailbreak | Mapped | | Clear | Jailbreak / safety-guardrail bypass.
AISubtech-2.1.2 Obfuscation (Jailbreak) | Jailbreak | Mapped | | Clear | Jailbreak / safety-guardrail bypass.
AISubtech-2.1.3 Semantic Manipulation (Jailbreak) | Jailbreak | Mapped | | Clear | Jailbreak / safety-guardrail bypass.
AISubtech-2.1.4 Token Exploitation (Jailbreak) | Jailbreak | Mapped | | Clear | Jailbreak / safety-guardrail bypass.
AISubtech-2.1.5 Multi-Agent Jailbreak Collaboration | Jailbreak | Mapped | | Clear | Jailbreak / safety-guardrail bypass.
AISubtech-3.1.1 Identity Obfuscation | Masquerading / Obfuscation / Impersonation | Mapped | | Partial | Impersonation / identity spoofing; agent-service spoofing relates to MR-071 and MITRE ATLAS masquerading.
AISubtech-3.1.2 Trusted Agent Spoofing | Masquerading / Obfuscation / Impersonation | Mapped | | Clear | Trusted agent / MCP-service spoofing = agentic masquerading; relates to MITRE ATLAS masquerading MR-018.4.
AISubtech-4.1.1 Rogue Agent Introduction | Agent Injection | Mapped | | Clear | Rogue agent introduction = autonomous-agent hijacking.
AISubtech-4.2.1 Context Window Exploitation | Context Boundary Attacks | Mapped | | Partial | Agent context-window/session boundary exploitation; also MR-010.
AISubtech-4.2.2 Session Boundary Violation | Context Boundary Attacks | Mapped | | Partial | Agent context-window/session boundary exploitation; also MR-010.
AISubtech-4.3.1 Schema Inconsistencies | Protocol Manipulation | Mapped | | Clear | MCP/agent protocol manipulation (schema, namespace, rebinding, replay, capability inflation, cross-origin) = agentic integration abuse; also MR-020.
AISubtech-4.3.2 Namespace Collision | Protocol Manipulation | Mapped | | Clear | MCP/agent protocol manipulation (schema, namespace, rebinding, replay, capability inflation, cross-origin) = agentic integration abuse; also MR-020.
AISubtech-4.3.3 Server Rebinding Attack | Protocol Manipulation | Mapped | | Clear | MCP/agent protocol manipulation (schema, namespace, rebinding, replay, capability inflation, cross-origin) = agentic integration abuse; also MR-020.
AISubtech-4.3.4 Replay Exploitation | Protocol Manipulation | Mapped | | Clear | MCP/agent protocol manipulation (schema, namespace, rebinding, replay, capability inflation, cross-origin) = agentic integration abuse; also MR-020.
AISubtech-4.3.5 Capability Inflation | Protocol Manipulation | Mapped | | Clear | MCP/agent protocol manipulation (schema, namespace, rebinding, replay, capability inflation, cross-origin) = agentic integration abuse; also MR-020.
AISubtech-4.3.6 Cross-Origin Exploitation | Protocol Manipulation | Mapped | | Clear | MCP/agent protocol manipulation (schema, namespace, rebinding, replay, capability inflation, cross-origin) = agentic integration abuse; also MR-020.
AISubtech-5.1.1 Long-term / Short-term Memory Injection | Memory System Persistence | Mapped | | Partial | Persistent memory injection in agents.
AISubtech-5.2.1 Agent Profile Tampering | Configuration Persistence | Mapped | | Clear | Agent configuration/profile tampering for persistence.
AISubtech-6.1.1 Knowledge Base Poisoning | Training Data Poisoning | Mapped | | Clear | Training / knowledge-base / reinforcement poisoning = data and model poisoning.
AISubtech-6.1.2 Reinforcement Biasing | Training Data Poisoning | Mapped | | Clear | Training / knowledge-base / reinforcement poisoning = data and model poisoning.
AISubtech-6.1.3 Reinforcement Signal Corruption | Training Data Poisoning | Mapped | | Clear | Training / knowledge-base / reinforcement poisoning = data and model poisoning.
AISubtech-7.2.1 Memory Anchor Attacks | Memory System Corruption | Mapped | | Partial | Agent memory corruption (anchor/index) = agent context poisoning.
AISubtech-7.2.2 Memory Index Manipulation | Memory System Corruption | Mapped | | Partial | Agent memory corruption (anchor/index) = agent context poisoning.
AISubtech-7.3.1 Corrupted Third-Party Data | Data Source Abuse and Manipulation | Mapped | | Clear | Corrupted third-party / RAG data = poisoning.
AISubtech-7.4.1 Token Theft | Token Manipulation | Mapped | | Partial | Token theft = credential/secret exfiltration; agent case MR-071.5.
AISubtech-8.1.1 Presence Detection | Membership Inference | Mapped | | Clear | Membership/presence inference = privacy-invasive inference.
AISubtech-8.2.1 Training Data Exposure | Data Exfiltration / Exposure | Mapped | | Clear | Data leakage/exfiltration; via agent tooling MR-071.6.
AISubtech-8.2.2 LLM Data Leakage | Data Exfiltration / Exposure | Mapped | | Clear | Data leakage/exfiltration; via agent tooling MR-071.6.
AISubtech-8.2.3 Data Exfiltration via Agent Tooling | Data Exfiltration / Exposure | Mapped | | Clear | Data exfiltration via agent tooling.
AISubtech-8.3.1 Tool Metadata Exposure | Information Disclosure | Mapped | | Clear | System/tool information disclosure = confidential disclosure.
AISubtech-8.3.2 System Information Leakage | Information Disclosure | Mapped | | Clear | System/tool information disclosure = confidential disclosure.
AISubtech-8.4.1 System LLM Prompt Leakage | Prompt/Meta Extraction | Mapped | | Clear | System-prompt / instruction extraction.
AISubtech-9.1.1 Code Execution | Model or Agentic System Manipulation | Mapped | | Partial | Autonomous code execution via a compromised model/agent (machine compromise).
AISubtech-9.1.2 Unauthorized or Unsolicited System Access | Model or Agentic System Manipulation | Mapped | | Partial | Runtime exploitation (code exec, unauthorized system/network access, SQL/cmd/XSS/SSTI) = system security; supply-chain runtime impact MR-018.
AISubtech-9.1.3 Unauthorized or Unsolicited Network Access | Model or Agentic System Manipulation | Mapped | | Partial | Runtime exploitation (code exec, unauthorized system/network access, SQL/cmd/XSS/SSTI) = system security; supply-chain runtime impact MR-018.
AISubtech-9.1.4 Injection Attacks (SQL, Command Execution, XSS) | Model or Agentic System Manipulation | Mapped | | Partial | Runtime exploitation (code exec, unauthorized system/network access, SQL/cmd/XSS/SSTI) = system security; supply-chain runtime impact MR-018.
AISubtech-9.1.5 Template Injection (SSTI) | Model or Agentic System Manipulation | Mapped | | Partial | Runtime exploitation (code exec, unauthorized system/network access, SQL/cmd/XSS/SSTI) = system security; supply-chain runtime impact MR-018.
AISubtech-9.2.1 Obfuscation Vulnerabilities | Detection Evasion | Mapped | | Clear | Backdoors/trojans + obfuscation in models = poisoning/backdoor; corrupted model evading scanning.
AISubtech-9.2.2 Backdoors and Trojans | Detection Evasion | Mapped | | Clear | Backdoors/trojans + obfuscation in models = poisoning/backdoor; corrupted model evading scanning.
AISubtech-9.3.1 Malicious Package / Tool Injection | Dependency / Plugin Compromise | Mapped | | Clear | Malicious package/tool injection into the supply chain.
AISubtech-9.3.2 Dependency Name Squatting (Tools / Servers) | Dependency / Plugin Compromise | Mapped | | Clear | Dependency/plugin compromise (malicious package, name squatting, rug pull) = AI supply-chain vulnerabilities.
AISubtech-9.3.3 Dependency Replacement / Rug Pull | Dependency / Plugin Compromise | Mapped | | Clear | Dependency replacement / rug pull.
AISubtech-10.1.1 API Query Stealing | Model Extraction | Mapped | | Clear | Model extraction/theft (API stealing, weight reconstruction).
AISubtech-10.1.2 Weight Reconstruction | Model Extraction | Mapped | | Clear | Model extraction/theft (API stealing, weight reconstruction).
AISubtech-10.1.3 Sensitive Data Reconstruction | Model Extraction | Mapped | | Clear | Model extraction/theft (API stealing, weight reconstruction).
AISubtech-10.2.1 Model Inversion | Model Inversion | Mapped | | Clear | Model inversion = privacy reconstruction/inference.
AISubtech-11.1.1 Agent-Specific Evasion | Environment-Aware Evasion | Mapped | | Clear | Environment-aware adversarial evasion.
AISubtech-11.1.2 Tool-Scoped Evasion | Environment-Aware Evasion | Mapped | | Clear | Environment-aware adversarial evasion.
AISubtech-11.1.3 Environment-Scoped Payloads | Environment-Aware Evasion | Mapped | | Clear | Environment-aware adversarial evasion.
AISubtech-11.1.4 Defense-Aware Payloads | Environment-Aware Evasion | Mapped | | Clear | Environment-aware adversarial evasion.
AISubtech-11.2.1 Targeted Model Fingerprinting | Model-Selective Evasion | Mapped | | Clear | Model-selective evasion (fingerprinting, conditional execution).
AISubtech-11.2.2 Conditional Attack Execution | Model-Selective Evasion | Mapped | | Clear | Model-selective evasion (fingerprinting, conditional execution).
AISubtech-12.1.1 Parameter Manipulation | Tool Exploitation | Mapped | | Clear | Insecure tool/plugin integration abuse; agentic tool invocation MR-071.1.
AISubtech-12.1.2 Tool Poisoning | Tool Exploitation | Mapped | | Clear | Insecure tool/plugin integration abuse; agentic tool invocation MR-071.1.
AISubtech-12.1.3 Unsafe System / Browser / File Execution | Tool Exploitation | Mapped | | Clear | Insecure tool/plugin integration abuse; agentic tool invocation MR-071.1.
AISubtech-12.1.4 Tool Shadowing | Tool Exploitation | Mapped | | Clear | Insecure tool/plugin integration abuse; agentic tool invocation MR-071.1.
AISubtech-12.2.1 Code Detection / Malicious Code Output | Insecure Output Handling | Mapped | | Clear | Insecure output handling / malicious code output.
AISubtech-13.1.1 Compute Exhaustion | Disruption of Availability | Mapped | | Clear | Denial of AI service / availability attacks.
AISubtech-13.1.2 Memory Flooding | Disruption of Availability | Mapped | | Clear | Denial of AI service / availability attacks.
AISubtech-13.1.3 Model Denial of Service | Disruption of Availability | Mapped | | Clear | Denial of AI service / availability attacks.
AISubtech-13.1.4 Application Denial of Service | Disruption of Availability | Mapped | | Clear | Denial of AI service / availability attacks.
AISubtech-13.1.5 Decision Paralysis Attacks | Disruption of Availability | Mapped | | Clear | Denial of AI service / availability attacks.
AISubtech-13.2.1 Service Misuse for Cost Inflation | Cost Harvesting / Repurposing | Mapped | | Clear | Service misuse for cost inflation = denial of wallet.
AISubtech-14.1.1 Credential Theft | Unauthorized Access | Mapped | | Partial | Credential theft = secret disclosure; agent-config case MR-071.5.
AISubtech-14.1.2 Insufficient Access Controls | Unauthorized Access | Mapped | | Partial | Account/credential abuse + weak access controls; valid-account abuse MR-015.1.
AISubtech-14.2.1 Permission Escalation via Delegation | Abuse of Delegated Authority | Mapped | | Clear | Agent privilege/delegation abuse = excessive-agency abuse.
AISubtech-15.1.1 Cybersecurity and Hacking: Malware / Exploits | Harmful Content | Mapped | | Clear | AI-generated malware / exploits = AI-enabled cyberattack.
AISubtech-15.1.2 Cybersecurity and Hacking: Cyber Abuse | Harmful Content | Mapped | | Clear | Cyber abuse (unauthorized access, network penetration guidance).
AISubtech-15.1.3 Safety Harms and Toxicity: Animal Abuse | Harmful Content | Mapped | | Weak | Animal-abuse content; nearest is harmful/toxic content. No dedicated register risk (thin).
AISubtech-15.1.4 Safety Harms and Toxicity: Child Abuse / Exploitation | Harmful Content | Mapped | | Clear | Child abuse / exploitation = CSAM and child-safety.
AISubtech-15.1.5 Safety Harms and Toxicity: Disinformation | Harmful Content | Mapped | | Clear | Disinformation.
AISubtech-15.1.6 Safety Harms and Toxicity: Environmental Harm | Harmful Content | Mapped | | Weak | Environmental-harm content; nearest harmful content. Distinct from the AI footprint risk MR-037 (thin).
AISubtech-15.1.7 Safety Harms and Toxicity: Financial Harm | Harmful Content | Mapped | | Partial | Financial-harm content; nearest fraud/scams, with unsafe-advice angle MR-022.
AISubtech-15.1.8 Safety Harms and Toxicity: Harassment | Harmful Content | Mapped | | Clear | Harassment content.
AISubtech-15.1.9 Safety Harms and Toxicity: Hate Speech | Harmful Content | Mapped | | Clear | Hate speech.
AISubtech-15.1.10 Safety Harms and Toxicity: Non-Violent Crime | Harmful Content | Mapped | | Partial | Facilitating non-violent crime = misuse; also toxic/illegal content MR-003.
AISubtech-15.1.11 Safety Harms and Toxicity: Profanity | Harmful Content | Mapped | | Clear | Profanity / toxic content.
AISubtech-15.1.12 Safety Harms and Toxicity: Scams and Deception | Harmful Content | Mapped | | Clear | Scams and deception = fraud and social engineering.
AISubtech-15.1.13 Safety Harms and Toxicity: Self Harm | Harmful Content | Mapped | | Clear | Self-harm content.
AISubtech-15.1.14 Safety Harms and Toxicity: Sexual Content and Exploitation | Harmful Content | Mapped | | Clear | Sexual content and exploitation (incl. non-consensual imagery).
AISubtech-15.1.15 Safety Harms and Toxicity: Social Division and Polarization | Harmful Content | Mapped | | Partial | Social division and polarization = influence/disinformation-adjacent; ecosystem angle MR-023.
AISubtech-15.1.16 Safety Harms and Toxicity: Terrorism / Extremism | Harmful Content | Mapped | | Clear | Terrorism / extremism content.
AISubtech-15.1.17 Safety Harms and Toxicity: Violence and Public Safety Threat | Harmful Content | Mapped | | Clear | Violence and public-safety-threat content.
AISubtech-15.1.18 Safety Harms and Toxicity: Weapons / CBRN Risks | Harmful Content | Mapped | | Clear | Weapons / CBRN capability uplift.
AISubtech-15.1.19 Integrity: Hallucinations / Misinformation | Harmful Content | Mapped | | Clear | Hallucinations / misinformation in outputs.
AISubtech-15.1.20 Integrity: Unauthorized Financial Advice | Harmful Content | Mapped | | Clear | Unauthorized financial advice = unsafe high-stakes advice.
AISubtech-15.1.21 Integrity: Unauthorized Legal Advice | Harmful Content | Mapped | | Clear | Unauthorized legal advice = unsafe high-stakes advice.
AISubtech-15.1.22 Integrity: Unauthorized Medical Advice | Harmful Content | Mapped | | Clear | Unauthorized medical advice = unsafe high-stakes advice.
AISubtech-15.1.23 Intellectual Property Compromise: Intellectual Property Infringement | Harmful Content | Mapped | | Clear | Intellectual-property infringement.
AISubtech-15.1.24 Intellectual Property Compromise: Confidential Data | Harmful Content | Mapped | | Clear | Confidential-data disclosure in generated content.
AISubtech-15.1.25 Privacy Attacks: PII / PHI / PCI | Harmful Content | Mapped | | Clear | Privacy attacks: PII / PHI / PCI exposure.
AISubtech-16.1.1 Logging Sensitive Conversations | Eavesdropping | Mapped | | Partial | Eavesdropping / logging sensitive conversations = surveillance enablement; data-leakage angle MR-009.
AISubtech-17.1.1 Sensor Spoofing: Action Signals (audio, visual) | Sensor Spoofing | Mapped | | Partial | Sensor spoofing of cyber-physical systems = physical-world adversarial input; physical-safety impact MR-049.
AISubtech-18.1.1 Spam / Scam / Social Engineering Generation | Fraudulent Use | Mapped | | Clear | Fraud / spam / social-engineering generation.
AISubtech-18.2.1 Abuse of APIs for Mass Automation | Malicious Workflows | Mapped | | Partial | Malicious workflows (mass automation, dedicated malicious infrastructure) = misuse/repurposing.
AISubtech-18.2.2 Dedicated Malicious Server or Infrastructure | Malicious Workflows | Mapped | | Partial | Malicious workflows (mass automation, dedicated malicious infrastructure) = misuse/repurposing.
AISubtech-19.1.1 Contradictory Inputs Attack | Cross-Modal Inconsistency Exploits | Mapped | | Partial | Cross-modal inconsistency exploits = multi-modal injection / adversarial.
AISubtech-19.1.2 Modality Skewing | Cross-Modal Inconsistency Exploits | Mapped | | Partial | Cross-modal inconsistency exploits = multi-modal injection / adversarial.
AISubtech-19.2.1 Convergence Payload Injection | Fusion Payload Split | Mapped | | Partial | Fusion payload split = obfuscated multi-modal injection.
AISubtech-19.2.2 Chained Payload Execution | Fusion Payload Split | Mapped | | Partial | Fusion payload split = obfuscated multi-modal injection.

Descriptions are each source framework's own text, where it provides one; long entries are clipped here.