Reverse crosswalk
Cisco AI Security Framework
112 entries, 112 mapped to canonical risks. Each entry below is shown with the canonical risk it maps to, or the reason it sits outside the register.
| Framework entry | Description | Disposition | Register mapping | Confidence | Note |
|---|---|---|---|---|---|
| AISubtech-1.1.1 Instruction Manipulation (Direct Prompt Injection) | Direct Prompt Injection | Mapped | | Clear | Direct prompt injection = our prompt-injection/jailbreak risk. |
| AISubtech-1.1.2 Obfuscation (Direct Prompt Injection) | Direct Prompt Injection | Mapped | | Clear | Direct prompt injection = our prompt-injection/jailbreak risk. |
| AISubtech-1.1.3 Multi-Agent Prompt Injection | Direct Prompt Injection | Mapped | | Clear | Direct prompt injection = our prompt-injection/jailbreak risk. |
| AISubtech-1.2.1 Instruction Manipulation (Indirect Prompt Injection) | Indirect Prompt Injection | Mapped | | Clear | Indirect prompt injection via ingested content. |
| AISubtech-1.2.2 Obfuscation (Indirect Prompt Injection) | Indirect Prompt Injection | Mapped | | Clear | Indirect prompt injection via ingested content. |
| AISubtech-1.2.3 Multi-Agent (Indirect Prompt Injection) | Indirect Prompt Injection | Mapped | | Clear | Indirect prompt injection via ingested content. |
| AISubtech-1.3.1 Goal Manipulation (Models, Agents) | Goal Manipulation | Mapped | | Partial | Adversarial goal manipulation of models/agents = agent goal hijack; non-agent case relates to MR-010. |
| AISubtech-1.3.2 Goal Manipulation (Tools, Prompts, Resources) | Goal Manipulation | Mapped | | Partial | Adversarial goal manipulation of models/agents = agent goal hijack; non-agent case relates to MR-010. |
| AISubtech-1.4.1 Image-Text Injection | Multi-Modal Injection and Manipulation | Mapped | | Clear | Multi-modal injection (image/audio/video) is a prompt-injection variant. |
| AISubtech-1.4.2 Image Manipulation | Multi-Modal Injection and Manipulation | Mapped | | Clear | Multi-modal injection (image/audio/video) is a prompt-injection variant. |
| AISubtech-1.4.3 Audio Command Injection | Multi-Modal Injection and Manipulation | Mapped | | Clear | Multi-modal injection (image/audio/video) is a prompt-injection variant. |
| AISubtech-1.4.4 Video Overlay Manipulation | Multi-Modal Injection and Manipulation | Mapped | | Clear | Multi-modal injection (image/audio/video) is a prompt-injection variant. |
| AISubtech-2.1.1 Context Manipulation (Jailbreak) | Jailbreak | Mapped | | Clear | Jailbreak / safety-guardrail bypass. |
| AISubtech-2.1.2 Obfuscation (Jailbreak) | Jailbreak | Mapped | | Clear | Jailbreak / safety-guardrail bypass. |
| AISubtech-2.1.3 Semantic Manipulation (Jailbreak) | Jailbreak | Mapped | | Clear | Jailbreak / safety-guardrail bypass. |
| AISubtech-2.1.4 Token Exploitation (Jailbreak) | Jailbreak | Mapped | | Clear | Jailbreak / safety-guardrail bypass. |
| AISubtech-2.1.5 Multi-Agent Jailbreak Collaboration | Jailbreak | Mapped | | Clear | Jailbreak / safety-guardrail bypass. |
| AISubtech-3.1.1 Identity Obfuscation | Masquerading / Obfuscation / Impersonation | Mapped | | Partial | Impersonation / identity spoofing; agent-service spoofing relates to MR-071 and MITRE ATLAS masquerading. |
| AISubtech-3.1.2 Trusted Agent Spoofing | Masquerading / Obfuscation / Impersonation | Mapped | | Clear | Trusted agent / MCP-service spoofing = agentic masquerading; relates to MITRE ATLAS masquerading MR-018.4. |
| AISubtech-4.1.1 Rogue Agent Introduction | Agent Injection | Mapped | | Clear | Rogue agent introduction = autonomous-agent hijacking. |
| AISubtech-4.2.1 Context Window Exploitation | Context Boundary Attacks | Mapped | | Partial | Agent context-window/session boundary exploitation; also MR-010. |
| AISubtech-4.2.2 Session Boundary Violation | Context Boundary Attacks | Mapped | | Partial | Agent context-window/session boundary exploitation; also MR-010. |
| AISubtech-4.3.1 Schema Inconsistencies | Protocol Manipulation | Mapped | | Clear | MCP/agent protocol manipulation (schema, namespace, rebinding, replay, capability inflation, cross-origin) = agentic integration abuse; also MR-020. |
| AISubtech-4.3.2 Namespace Collision | Protocol Manipulation | Mapped | | Clear | MCP/agent protocol manipulation (schema, namespace, rebinding, replay, capability inflation, cross-origin) = agentic integration abuse; also MR-020. |
| AISubtech-4.3.3 Server Rebinding Attack | Protocol Manipulation | Mapped | | Clear | MCP/agent protocol manipulation (schema, namespace, rebinding, replay, capability inflation, cross-origin) = agentic integration abuse; also MR-020. |
| AISubtech-4.3.4 Replay Exploitation | Protocol Manipulation | Mapped | | Clear | MCP/agent protocol manipulation (schema, namespace, rebinding, replay, capability inflation, cross-origin) = agentic integration abuse; also MR-020. |
| AISubtech-4.3.5 Capability Inflation | Protocol Manipulation | Mapped | | Clear | MCP/agent protocol manipulation (schema, namespace, rebinding, replay, capability inflation, cross-origin) = agentic integration abuse; also MR-020. |
| AISubtech-4.3.6 Cross-Origin Exploitation | Protocol Manipulation | Mapped | | Clear | MCP/agent protocol manipulation (schema, namespace, rebinding, replay, capability inflation, cross-origin) = agentic integration abuse; also MR-020. |
| AISubtech-5.1.1 Long-term / Short-term Memory Injection | Memory System Persistence | Mapped | | Partial | Persistent memory injection in agents. |
| AISubtech-5.2.1 Agent Profile Tampering | Configuration Persistence | Mapped | | Clear | Agent configuration/profile tampering for persistence. |
| AISubtech-6.1.1 Knowledge Base Poisoning | Training Data Poisoning | Mapped | | Clear | Training / knowledge-base / reinforcement poisoning = data and model poisoning. |
| AISubtech-6.1.2 Reinforcement Biasing | Training Data Poisoning | Mapped | | Clear | Training / knowledge-base / reinforcement poisoning = data and model poisoning. |
| AISubtech-6.1.3 Reinforcement Signal Corruption | Training Data Poisoning | Mapped | | Clear | Training / knowledge-base / reinforcement poisoning = data and model poisoning. |
| AISubtech-7.2.1 Memory Anchor Attacks | Memory System Corruption | Mapped | | Partial | Agent memory corruption (anchor/index) = agent context poisoning. |
| AISubtech-7.2.2 Memory Index Manipulation | Memory System Corruption | Mapped | | Partial | Agent memory corruption (anchor/index) = agent context poisoning. |
| AISubtech-7.3.1 Corrupted Third-Party Data | Data Source Abuse and Manipulation | Mapped | | Clear | Corrupted third-party / RAG data = poisoning. |
| AISubtech-7.4.1 Token Theft | Token Manipulation | Mapped | | Partial | Token theft = credential/secret exfiltration; agent case MR-071.5. |
| AISubtech-8.1.1 Presence Detection | Membership Inference | Mapped | | Clear | Membership/presence inference = privacy-invasive inference. |
| AISubtech-8.2.1 Training Data Exposure | Data Exfiltration / Exposure | Mapped | | Clear | Data leakage/exfiltration; via agent tooling MR-071.6. |
| AISubtech-8.2.2 LLM Data Leakage | Data Exfiltration / Exposure | Mapped | | Clear | Data leakage/exfiltration; via agent tooling MR-071.6. |
| AISubtech-8.2.3 Data Exfiltration via Agent Tooling | Data Exfiltration / Exposure | Mapped | | Clear | Data exfiltration via agent tooling. |
| AISubtech-8.3.1 Tool Metadata Exposure | Information Disclosure | Mapped | | Clear | System/tool information disclosure = confidential disclosure. |
| AISubtech-8.3.2 System Information Leakage | Information Disclosure | Mapped | | Clear | System/tool information disclosure = confidential disclosure. |
| AISubtech-8.4.1 System LLM Prompt Leakage | Prompt/Meta Extraction | Mapped | | Clear | System-prompt / instruction extraction. |
| AISubtech-9.1.1 Code Execution | Model or Agentic System Manipulation | Mapped | | Partial | Autonomous code execution via a compromised model/agent (machine compromise). |
| AISubtech-9.1.2 Unauthorized or Unsolicited System Access | Model or Agentic System Manipulation | Mapped | | Partial | Runtime exploitation (code exec, unauthorized system/network access, SQL/cmd/XSS/SSTI) = system security; supply-chain runtime impact MR-018. |
| AISubtech-9.1.3 Unauthorized or Unsolicited Network Access | Model or Agentic System Manipulation | Mapped | | Partial | Runtime exploitation (code exec, unauthorized system/network access, SQL/cmd/XSS/SSTI) = system security; supply-chain runtime impact MR-018. |
| AISubtech-9.1.4 Injection Attacks (SQL, Command Execution, XSS) | Model or Agentic System Manipulation | Mapped | | Partial | Runtime exploitation (code exec, unauthorized system/network access, SQL/cmd/XSS/SSTI) = system security; supply-chain runtime impact MR-018. |
| AISubtech-9.1.5 Template Injection (SSTI) | Model or Agentic System Manipulation | Mapped | | Partial | Runtime exploitation (code exec, unauthorized system/network access, SQL/cmd/XSS/SSTI) = system security; supply-chain runtime impact MR-018. |
| AISubtech-9.2.1 Obfuscation Vulnerabilities | Detection Evasion | Mapped | | Clear | Backdoors/trojans + obfuscation in models = poisoning/backdoor; corrupted model evading scanning. |
| AISubtech-9.2.2 Backdoors and Trojans | Detection Evasion | Mapped | | Clear | Backdoors/trojans + obfuscation in models = poisoning/backdoor; corrupted model evading scanning. |
| AISubtech-9.3.1 Malicious Package / Tool Injection | Dependency / Plugin Compromise | Mapped | | Clear | Malicious package/tool injection into the supply chain. |
| AISubtech-9.3.2 Dependency Name Squatting (Tools / Servers) | Dependency / Plugin Compromise | Mapped | | Clear | Dependency/plugin compromise (malicious package, name squatting, rug pull) = AI supply-chain vulnerabilities. |
| AISubtech-9.3.3 Dependency Replacement / Rug Pull | Dependency / Plugin Compromise | Mapped | | Clear | Dependency replacement / rug pull. |
| AISubtech-10.1.1 API Query Stealing | Model Extraction | Mapped | | Clear | Model extraction/theft (API stealing, weight reconstruction). |
| AISubtech-10.1.2 Weight Reconstruction | Model Extraction | Mapped | | Clear | Model extraction/theft (API stealing, weight reconstruction). |
| AISubtech-10.1.3 Sensitive Data Reconstruction | Model Extraction | Mapped | | Clear | Model extraction/theft (API stealing, weight reconstruction). |
| AISubtech-10.2.1 Model Inversion | Model Inversion | Mapped | | Clear | Model inversion = privacy reconstruction/inference. |
| AISubtech-11.1.1 Agent-Specific Evasion | Environment-Aware Evasion | Mapped | | Clear | Environment-aware adversarial evasion. |
| AISubtech-11.1.2 Tool-Scoped Evasion | Environment-Aware Evasion | Mapped | | Clear | Environment-aware adversarial evasion. |
| AISubtech-11.1.3 Environment-Scoped Payloads | Environment-Aware Evasion | Mapped | | Clear | Environment-aware adversarial evasion. |
| AISubtech-11.1.4 Defense-Aware Payloads | Environment-Aware Evasion | Mapped | | Clear | Environment-aware adversarial evasion. |
| AISubtech-11.2.1 Targeted Model Fingerprinting | Model-Selective Evasion | Mapped | | Clear | Model-selective evasion (fingerprinting, conditional execution). |
| AISubtech-11.2.2 Conditional Attack Execution | Model-Selective Evasion | Mapped | | Clear | Model-selective evasion (fingerprinting, conditional execution). |
| AISubtech-12.1.1 Parameter Manipulation | Tool Exploitation | Mapped | | Clear | Insecure tool/plugin integration abuse; agentic tool invocation MR-071.1. |
| AISubtech-12.1.2 Tool Poisoning | Tool Exploitation | Mapped | | Clear | Insecure tool/plugin integration abuse; agentic tool invocation MR-071.1. |
| AISubtech-12.1.3 Unsafe System / Browser / File Execution | Tool Exploitation | Mapped | | Clear | Insecure tool/plugin integration abuse; agentic tool invocation MR-071.1. |
| AISubtech-12.1.4 Tool Shadowing | Tool Exploitation | Mapped | | Clear | Insecure tool/plugin integration abuse; agentic tool invocation MR-071.1. |
| AISubtech-12.2.1 Code Detection / Malicious Code Output | Insecure Output Handling | Mapped | | Clear | Insecure output handling / malicious code output. |
| AISubtech-13.1.1 Compute Exhaustion | Disruption of Availability | Mapped | | Clear | Denial of AI service / availability attacks. |
| AISubtech-13.1.2 Memory Flooding | Disruption of Availability | Mapped | | Clear | Denial of AI service / availability attacks. |
| AISubtech-13.1.3 Model Denial of Service | Disruption of Availability | Mapped | | Clear | Denial of AI service / availability attacks. |
| AISubtech-13.1.4 Application Denial of Service | Disruption of Availability | Mapped | | Clear | Denial of AI service / availability attacks. |
| AISubtech-13.1.5 Decision Paralysis Attacks | Disruption of Availability | Mapped | | Clear | Denial of AI service / availability attacks. |
| AISubtech-13.2.1 Service Misuse for Cost Inflation | Cost Harvesting / Repurposing | Mapped | | Clear | Service misuse for cost inflation = denial of wallet. |
| AISubtech-14.1.1 Credential Theft | Unauthorized Access | Mapped | | Partial | Credential theft = secret disclosure; agent-config case MR-071.5. |
| AISubtech-14.1.2 Insufficient Access Controls | Unauthorized Access | Mapped | | Partial | Account/credential abuse + weak access controls; valid-account abuse MR-015.1. |
| AISubtech-14.2.1 Permission Escalation via Delegation | Abuse of Delegated Authority | Mapped | | Clear | Agent privilege/delegation abuse = excessive-agency abuse. |
| AISubtech-15.1.1 Cybersecurity and Hacking: Malware / Exploits | Harmful Content | Mapped | | Clear | AI-generated malware / exploits = AI-enabled cyberattack. |
| AISubtech-15.1.2 Cybersecurity and Hacking: Cyber Abuse | Harmful Content | Mapped | | Clear | Cyber abuse (unauthorized access, network penetration guidance). |
| AISubtech-15.1.3 Safety Harms and Toxicity: Animal Abuse | Harmful Content | Mapped | | Weak | Animal-abuse content; nearest is harmful/toxic content. No dedicated register risk (thin). |
| AISubtech-15.1.4 Safety Harms and Toxicity: Child Abuse / Exploitation | Harmful Content | Mapped | | Clear | Child abuse / exploitation = CSAM and child-safety. |
| AISubtech-15.1.5 Safety Harms and Toxicity: Disinformation | Harmful Content | Mapped | | Clear | Disinformation. |
| AISubtech-15.1.6 Safety Harms and Toxicity: Environmental Harm | Harmful Content | Mapped | | Weak | Environmental-harm content; nearest is harmful content. Distinct from the AI footprint risk MR-037 (thin). |
| AISubtech-15.1.7 Safety Harms and Toxicity: Financial Harm | Harmful Content | Mapped | | Partial | Financial-harm content; nearest fraud/scams, with unsafe-advice angle MR-022. |
| AISubtech-15.1.8 Safety Harms and Toxicity: Harassment | Harmful Content | Mapped | | Clear | Harassment content. |
| AISubtech-15.1.9 Safety Harms and Toxicity: Hate Speech | Harmful Content | Mapped | | Clear | Hate speech. |
| AISubtech-15.1.10 Safety Harms and Toxicity: Non-Violent Crime | Harmful Content | Mapped | | Partial | Facilitating non-violent crime = misuse; also toxic/illegal content MR-003. |
| AISubtech-15.1.11 Safety Harms and Toxicity: Profanity | Harmful Content | Mapped | | Clear | Profanity / toxic content. |
| AISubtech-15.1.12 Safety Harms and Toxicity: Scams and Deception | Harmful Content | Mapped | | Clear | Scams and deception = fraud and social engineering. |
| AISubtech-15.1.13 Safety Harms and Toxicity: Self Harm | Harmful Content | Mapped | | Clear | Self-harm content. |
| AISubtech-15.1.14 Safety Harms and Toxicity: Sexual Content and Exploitation | Harmful Content | Mapped | | Clear | Sexual content and exploitation (incl. non-consensual imagery). |
| AISubtech-15.1.15 Safety Harms and Toxicity: Social Division and Polarization | Harmful Content | Mapped | | Partial | Social division and polarization = influence/disinformation-adjacent; ecosystem angle MR-023. |
| AISubtech-15.1.16 Safety Harms and Toxicity: Terrorism / Extremism | Harmful Content | Mapped | | Clear | Terrorism / extremism content. |
| AISubtech-15.1.17 Safety Harms and Toxicity: Violence and Public Safety Threat | Harmful Content | Mapped | | Clear | Violence and public-safety-threat content. |
| AISubtech-15.1.18 Safety Harms and Toxicity: Weapons / CBRN Risks | Harmful Content | Mapped | | Clear | Weapons / CBRN capability uplift. |
| AISubtech-15.1.19 Integrity: Hallucinations / Misinformation | Harmful Content | Mapped | | Clear | Hallucinations / misinformation in outputs. |
| AISubtech-15.1.20 Integrity: Unauthorized Financial Advice | Harmful Content | Mapped | | Clear | Unauthorized financial advice = unsafe high-stakes advice. |
| AISubtech-15.1.21 Integrity: Unauthorized Legal Advice | Harmful Content | Mapped | | Clear | Unauthorized legal advice = unsafe high-stakes advice. |
| AISubtech-15.1.22 Integrity: Unauthorized Medical Advice | Harmful Content | Mapped | | Clear | Unauthorized medical advice = unsafe high-stakes advice. |
| AISubtech-15.1.23 Intellectual Property Compromise: Intellectual Property Infringement | Harmful Content | Mapped | | Clear | Intellectual-property infringement. |
| AISubtech-15.1.24 Intellectual Property Compromise: Confidential Data | Harmful Content | Mapped | | Clear | Confidential-data disclosure in generated content. |
| AISubtech-15.1.25 Privacy Attacks: PII / PHI / PCI | Harmful Content | Mapped | | Clear | Privacy attacks: PII / PHI / PCI exposure. |
| AISubtech-16.1.1 Logging Sensitive Conversations | Eavesdropping | Mapped | | Partial | Eavesdropping / logging sensitive conversations = surveillance enablement; data-leakage angle MR-009. |
| AISubtech-17.1.1 Sensor Spoofing: Action Signals (audio, visual) | Sensor Spoofing | Mapped | | Partial | Sensor spoofing of cyber-physical systems = physical-world adversarial input; physical-safety impact MR-049. |
| AISubtech-18.1.1 Spam / Scam / Social Engineering Generation | Fraudulent Use | Mapped | | Clear | Fraud / spam / social-engineering generation. |
| AISubtech-18.2.1 Abuse of APIs for Mass Automation | Malicious Workflows | Mapped | | Partial | Malicious workflows (mass automation, dedicated malicious infrastructure) = misuse/repurposing. |
| AISubtech-18.2.2 Dedicated Malicious Server or Infrastructure | Malicious Workflows | Mapped | | Partial | Malicious workflows (mass automation, dedicated malicious infrastructure) = misuse/repurposing. |
| AISubtech-19.1.1 Contradictory Inputs Attack | Cross-Modal Inconsistency Exploits | Mapped | | Partial | Cross-modal inconsistency exploits = multi-modal injection / adversarial. |
| AISubtech-19.1.2 Modality Skewing | Cross-Modal Inconsistency Exploits | Mapped | | Partial | Cross-modal inconsistency exploits = multi-modal injection / adversarial. |
| AISubtech-19.2.1 Convergence Payload Injection | Fusion Payload Split | Mapped | | Partial | Fusion payload split = obfuscated multi-modal injection. |
| AISubtech-19.2.2 Chained Payload Execution | Fusion Payload Split | Mapped | | Partial | Fusion payload split = obfuscated multi-modal injection. |
Descriptions are each source framework's own text, where it provides one; long entries are clipped here.