GoNoGo — agentic threat model

Not certain from the listing — likely utilizes commercial or open-source LLMs for RFP text extraction and reasoning. Primary threats include indirect prompt injection via malicious text embedded in uploaded RFPs designed to force a 'Go' decision, and potential data leakage to model providers.

The tool heavily relies on ingestion of highly sensitive corporate data, including past proposals, deal history, and business rules. Key threats include data exfiltration of proprietary IP and knowledge-base poisoning, where malicious historical data could skew future bid/no-bid decisions.

Not certain from the listing — likely uses a lightweight RAG orchestration framework. Threats include insecure document parsing (e.g., XML external entity attacks or buffer overflows via malicious PDF/DOCX uploads) and logic bypass of defined business rules via prompt manipulation.

Not certain from the listing — as an open-source or hosted standalone tool, infrastructure security depends on deployment. Threats include insecure file upload directories, lack of container sandboxing for document processing, and unauthorized access to the underlying vector database.

Not certain from the listing — no observability or evaluation mechanisms are detailed. Gaps here could lead to undetected drift in decision-making quality or silent failures in parsing complex RFP tables and requirements.

Not certain from the listing — there is no mention of role-based access control (RBAC), encryption standards, or compliance certifications (e.g., SOC2). This is a significant concern given the confidentiality requirements of RFPs and corporate deal histories.

The tool is positioned as a standalone utility with 'no integrations required,' meaning ecosystem and multi-agent risks are currently negligible. However, future integrations with CRMs (like Salesforce) could introduce cascading trust and data-leakage risks.