Agent risk analyzer

Estimate planning-grade annual exposure for AI agents, compare residual risk after controls, and map coverage to OWASP Agentic AI risks.

The Kontext agent risk analyzer helps security teams turn agent activity into a planning-grade exposure estimate. Choose a scenario, tune exposure assumptions, model per-event loss, and compare residual annualized loss after runtime controls.

Why quantify agent risk

No deployment can credibly assume its agent will never be exploited. The useful question is whether the exposure, blast radius, and control spend are sustainable for a specific application.

Anthropic described an internal Claude Code red-team exercise where a user-delivered prompt asked the agent to read AWS credentials, encode them, and POST them externally; Claude completed the exfiltration in 24 of 25 retries. Anthropic concluded that model-layer defenses could not catch the case because the instruction looked like user intent, so filesystem boundaries and egress controls had to carry the defense. Source: Anthropic containment engineering.

Primary workflow

  1. Pick a representative agent scenario such as support, coding, MCP automation, or long-memory research.
  2. Adjust agent count, sessions, untrusted context, malicious context, unsafe-task completion benchmark, workflow depth, and blast radius.
  3. Choose a loss preset or decompose response, downtime, recovery, direct business loss, and secondary loss.
  4. Select controls such as runtime authorization, sandboxing, human approval, and tool-result inspection.
  5. Review residual annualized loss exposure and OWASP Agentic AI coverage gaps.

Mitigating controls

Choose the controls the deployment actually enforces. Mapped controls reduce residual risk and show source-backed OWASP mitigation paths, but they do not prove an ASI (OWASP Agentic Security Initiative) risk is fully closed.

Calculation model

Expected loss = agents × sessions per agent × actions per session × untrusted-action rate × malicious-context rate × effective unsafe-action rate × blast-radius rate × loss magnitude per event. The effective unsafe-action rate combines the selected benchmark with an intuitive workflow-depth profile.

Loss magnitude is modeled per material event. Annualized loss exposure (ALE) can be lower than the per-event loss when expected material events per year are below one: ALE = expected events per year × loss per event. The headline range is a 0.5x-2x planning band around the midpoint until internal distributions are available. Control reductions compound multiplicatively through residual risk: each enabled control scales the exposure left after the others.
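The workflow steps and the calculation model above, carried through as an added example. This is not Kontext's own analyzer code; it implements the product chain, the ALE, compounding control reductions, and the 0.5x-2x band as the page describes them. The `Exposure` and `LossPerEvent` names, the `workflow_depth_factor` multiplier standing in for the depth profile, the control reduction percentages in `CONTROL_REDUCTIONS`, and the sample scenario numbers are all constructed assumptions, not Kontext's modeling constants.

```python
"""Planning-grade annual loss exposure (ALE) for an AI agent deployment.

Added example, not Kontext's own code: it implements the product formula
described under "Calculation model". Every constant below is a constructed
sample value or a labelled assumption, not a Kontext default.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Exposure:
    """Exposure assumptions from workflow steps 1-2 (constructed fields)."""
    agents: int
    sessions_per_agent: float       # sessions per agent per year
    actions_per_session: float      # agent/tool actions per session
    untrusted_action_rate: float    # fraction of actions that see untrusted context
    malicious_context_rate: float   # fraction of untrusted context that is malicious
    unsafe_action_rate: float       # benchmark unsafe-task completion rate
    workflow_depth_factor: float    # multiplier standing in for the depth profile (assumption)
    blast_radius_rate: float        # fraction of unsafe actions that reach material assets


@dataclass(frozen=True)
class LossPerEvent:
    """Per-event loss decomposition from workflow step 3."""
    response: float
    downtime: float
    recovery: float
    direct_business: float
    secondary: float

    def total(self) -> float:
        return (self.response + self.downtime + self.recovery
                + self.direct_business + self.secondary)


# Fractional reduction each control applies to residual risk.
# Constructed assumption values, not Kontext's modeling constants.
CONTROL_REDUCTIONS = {
    "runtime_authorization": 0.60,
    "sandboxing": 0.50,
    "human_approval": 0.40,
    "tool_result_inspection": 0.30,
}


def effective_unsafe_rate(exp: Exposure) -> float:
    """Benchmark unsafe rate scaled by the workflow-depth profile, capped at 1."""
    return min(1.0, exp.unsafe_action_rate * exp.workflow_depth_factor)


def expected_events_per_year(exp: Exposure) -> float:
    """Expected material events per year: the page's product chain without the loss term."""
    return (exp.agents * exp.sessions_per_agent * exp.actions_per_session
            * exp.untrusted_action_rate * exp.malicious_context_rate
            * effective_unsafe_rate(exp) * exp.blast_radius_rate)


def annualized_loss(exp: Exposure, loss: LossPerEvent) -> float:
    """ALE = expected events per year x loss per event; below one event it is under the per-event loss."""
    return expected_events_per_year(exp) * loss.total()


def residual_factor(controls: list[str]) -> float:
    """Controls compound multiplicatively: each scales what the previous ones left."""
    unknown = set(controls) - set(CONTROL_REDUCTIONS)
    if unknown:
        raise ValueError(f"unmapped controls: {sorted(unknown)}")
    return prod(1.0 - CONTROL_REDUCTIONS[c] for c in set(controls))


def residual_ale(exp: Exposure, loss: LossPerEvent, controls: list[str]) -> float:
    """Residual annualized loss after the enabled controls."""
    return annualized_loss(exp, loss) * residual_factor(controls)


def planning_band(midpoint: float) -> tuple[float, float]:
    """Headline 0.5x-2x planning band around a midpoint."""
    return 0.5 * midpoint, 2.0 * midpoint


# Constructed sample scenario: a mid-sized support-agent deployment.
SAMPLE_EXPOSURE = Exposure(
    agents=20, sessions_per_agent=5_000, actions_per_session=40,
    untrusted_action_rate=0.25, malicious_context_rate=0.001,
    unsafe_action_rate=0.20, workflow_depth_factor=0.5, blast_radius_rate=0.05,
)
SAMPLE_LOSS = LossPerEvent(response=50_000, downtime=20_000, recovery=30_000,
                           direct_business=100_000, secondary=50_000)

if __name__ == "__main__":
    ctrls = ["runtime_authorization", "sandboxing"]
    inherent = annualized_loss(SAMPLE_EXPOSURE, SAMPLE_LOSS)
    residual = residual_ale(SAMPLE_EXPOSURE, SAMPLE_LOSS, ctrls)
    print(f"expected events/year: {expected_events_per_year(SAMPLE_EXPOSURE):.2f}")
    print(f"inherent ALE: {inherent:,.0f}   residual ALE: {residual:,.0f}")
    print("planning band: {:,.0f} - {:,.0f}".format(*planning_band(residual)))
```

With the constructed scenario the chain yields five expected events a year and a 250,000 per-event loss, so the inherent ALE is 1,250,000; enabling runtime authorization and sandboxing leaves a residual factor of 0.4 × 0.5 = 0.2. Shrinking the same scenario to a single agent gives 0.25 expected events, which is the case the page calls out where the ALE (62,500) falls below the per-event loss. `residual_factor` rejects control names that have no mapping, which is the same condition the analyzer surfaces as a coverage gap.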

Assumption labels

Citations support evidence anchors and plausible ranges. Final constants such as malicious prevalence, blast radius, event-loss amounts, and control reductions are Kontext modeling assumptions unless replaced with customer telemetry, evals, or incident data.

Control methodology

The controls are the smallest runtime set that covers the main loss points: untrusted content enters context, a tool call runs, local data becomes reachable, data leaves the environment, or an irreversible action needs review. Anthropic is cited for the containment principle and concrete environment controls such as sandboxes, virtual machines, filesystem boundaries, and egress controls; it does not define this calculator's exact four-control taxonomy. See Anthropic containment engineering and the OWASP AI Agent Security Cheat Sheet.

OWASP coverage

Select the OWASP Agentic AI risks that matter for the application, then check whether the enabled control setup has a source-backed mitigation path for those selected risks. Selected categories with no mapped enabled control become coverage gaps.

The analyzer maps controls to categories including goal hijack, tool misuse, privilege abuse, supply-chain vulnerability, code execution, context manipulation, inter-agent communication, cascading failure, human-agent trust exploitation, and rogue agents.

Use with care

The output is directional. Replace default benchmark assumptions with internal telemetry, red-team evals, incident-cost records, legal input, insurance data, and FAIR-style ranges before audit or insurance submission.

Open the interactive analyzer or read the runtime authorization guide.