devlo AI — agentic threat model
devlo AI exhibits a high-risk agentic profile due to its deep integration into software development lifecycles (GitHub, Jira) and its ability to modify and execute code. While SOC-2 compliance and zero-retention policies mitigate data exposure, the potential for prompt-injection-led repository compromise or malicious code injection remains a critical concern.
OWASP AIVSS score rationale
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.90 | |
| Self-Modification | 0.20 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.60 | |
| Contextual Awareness | 0.90 | |
| Dynamic Identity | 0.70 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — likely utilizes state-of-the-art foundation models optimized for coding tasks. Risks include adversarial prompt injection to bypass code generation safety filters or generate malicious code.
Integrates directly with code repositories (GitHub) and project management tools (Jira). While 'zero code retention' is claimed, the agent processes proprietary codebases, presenting risks of data exfiltration or context poisoning if malicious code is introduced into the repository.
High risk of tool misuse and insecure tool integration. The agent can write, modify, and execute code (test generation & fixes), which could lead to arbitrary code execution if the planning or tool-calling mechanism is hijacked via prompt injection.
Not certain from the listing — the infrastructure hosting the agent and executing code/tests must be strictly sandboxed to prevent container escape, privilege escalation, or lateral movement into the customer's internal networks.
Not certain from the listing — lacks explicit details on real-time guardrails, LLM firewalls, or prompt injection monitoring, though it tracks team analytics and code reviews.
Demonstrates strong compliance posture with SOC-2 certification and a zero code retention policy, mitigating some data privacy and compliance risks.
Interacts with external ecosystems (Slack, Jira, GitHub). Compromise of the agent could lead to cascading failures, such as unauthorized Slack notifications, malicious PR approvals, or automated Jira ticket manipulation.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).