AgentReadyHomeAgent ListingPricing

← Subatomic

Subatomic — agentic threat model

8.7AIVSS 8.7 · High

Subatomic enables the deployment of customizable AI co-workers within business environments, presenting elevated risk due to potential access to internal systems and data without visible security, sandboxing, or observability controls in its public listing.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.5AARS uplift 1.18Factor sum 4.7/10Threat ×1.0Mitigation ×1.0
Autonomy of Action
0.60
Goal-Driven Planning
0.50
Self-Modification
0.10
Dynamic Tool Use
0.60
Persistent Memory
0.50
Contextual Awareness
0.70
Dynamic Identity
0.20
Multi-Agent Interactions
0.40
Non-Determinism
0.60
Opacity & Reflexivity
0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The listing does not specify which foundation models are used (e.g., OpenAI, Anthropic, or local models), leaving them vulnerable to standard model-level threats like adversarial prompt injection or alignment bypasses.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — While designed to 'operate inside your business,' the exact data ingestion, vector database, or RAG architecture is unspecified, posing risks of internal data leakage or unauthorized knowledge access.

L3 · Agent Frameworks⚠ not certain from listing

Not certain from the listing — The orchestration framework for these 'Co-Worker Agents' is not detailed, meaning threats like insecure tool execution or prompt injection leading to unauthorized business actions cannot be fully evaluated.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — The hosting environment (SaaS vs. on-premise) and sandboxing capabilities for executing agent tasks are not disclosed, presenting potential risks of container escape or lateral network movement.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of built-in guardrails, real-time monitoring, or logging of agent decisions, which could lead to undetected drift or malicious agent behavior.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — The listing lacks details on enterprise security controls, role-based access control (RBAC), or compliance certifications (like SOC2 or GDPR) for business deployment.

L7 · Agent Ecosystem⚠ not certain from listing

Not certain from the listing — While it allows deploying multiple 'Co-Worker Agents,' it is unclear if they interact with each other or external marketplaces, raising potential risks of cascading failures or unauthorized agent-to-agent communication.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).

These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology. Are you the vendor? Factual corrections are free.