AgentReadyHomeAgent Listing

← devlo AI

devlo AI — agentic threat model

7.2AIVSS 7.2 · High

devlo AI exhibits a high-risk agentic profile due to its deep integration into software development lifecycles (GitHub, Jira) and its ability to modify and execute code. While SOC-2 compliance and zero-retention policies mitigate data exposure, the potential for prompt-injection-led repository compromise or malicious code injection remains a critical concern.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.9AARS uplift 0.75Factor sum 6.5/10Threat ×1.05Mitigation ×0.75
Autonomy of Action
0.80
Goal-Driven Planning
0.90
Self-Modification
0.20
Dynamic Tool Use
0.80
Persistent Memory
0.60
Contextual Awareness
0.90
Dynamic Identity
0.70
Multi-Agent Interactions
0.30
Non-Determinism
0.70
Opacity & Reflexivity
0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — likely utilizes state-of-the-art foundation models optimized for coding tasks. Risks include adversarial prompt injection to bypass code generation safety filters or generate malicious code.

L2 · Data Operations✓ mapped

Integrates directly with code repositories (GitHub) and project management tools (Jira). While 'zero code retention' is claimed, the agent processes proprietary codebases, presenting risks of data exfiltration or context poisoning if malicious code is introduced into the repository.

L3 · Agent Frameworks✓ mapped

High risk of tool misuse and insecure tool integration. The agent can write, modify, and execute code (test generation & fixes), which could lead to arbitrary code execution if the planning or tool-calling mechanism is hijacked via prompt injection.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — the infrastructure hosting the agent and executing code/tests must be strictly sandboxed to prevent container escape, privilege escalation, or lateral movement into the customer's internal networks.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — lacks explicit details on real-time guardrails, LLM firewalls, or prompt injection monitoring, though it tracks team analytics and code reviews.

L6 · Security & Compliance (cross-cutting)✓ mapped

Demonstrates strong compliance posture with SOC-2 certification and a zero code retention policy, mitigating some data privacy and compliance risks.

L7 · Agent Ecosystem✓ mapped

Interacts with external ecosystems (Slack, Jira, GitHub). Compromise of the agent could lead to cascading failures, such as unauthorized Slack notifications, malicious PR approvals, or automated Jira ticket manipulation.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).