
Scoring methodology

How AgentReady scores the 4,511 agents in the listing — what the numbers mean, how they’re derived, and how to correct them.

In one line: every listing carries an OWASP AIVSS risk score and a MAESTRO 7-layer threat model, auto-generated from public information and offered as an estimate for guidance — not a penetration test, audit, or certification. The methodology is identical for every agent, and payment never changes a score.

What we assess, and from what

Each agent is scored from publicly available information only — its own listing, product documentation, and public repository. We do not test, probe, or access any agent or its infrastructure. The assessment describes the risk surface implied by the agent’s described capabilities (autonomy, tool use, memory, data access), not a confirmed vulnerability.

OWASP AIVSS score

The risk score uses the canonical OWASP Agentic AI Vulnerability Scoring System (AIVSS) formula:

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

A CVSS base is combined with an Agentic AI Risk Score built from 10 amplification factors (autonomy, dynamic tool use, memory persistence, inter-agent communication, and so on), each estimated on a 0–1 scale from the agent’s described capabilities, then tempered by a mitigation factor. The result is banded into Critical / High / Medium / Low using the standard CVSS bands. Each agent’s threat-model page shows its full factor breakdown.
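The formula and banding above, worked through in Python as an added example (not AgentReady's or OWASP's code). The page does not define ThM or the range of Mitigation_Factor, so both are treated here as plain multipliers defaulting to 1.0; the clamp to 0-10, the one-decimal rounding, and the sample factor values are assumptions made for this example.

```python
from typing import Sequence

# Standard CVSS qualitative bands as (lower bound, label), highest first.
BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]

# Constructed sample: ten factor estimates on the 0-1 scale (sum = 4.0).
SAMPLE_FACTORS = [1.0, 1.0, 0.5, 0.5, 0.0, 0.0, 0.0, 0.5, 0.5, 0.0]


def aars(cvss_base: float, factors: Sequence[float], thm: float = 1.0) -> float:
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM, as written on the page."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be within 0-10")
    if len(factors) != 10:
        raise ValueError("exactly 10 amplification factors are required")
    if any(not 0.0 <= f <= 1.0 for f in factors):
        raise ValueError("each factor is estimated on a 0-1 scale")
    # The agentic part only fills the headroom left above the CVSS base:
    # all factors 0 adds nothing, all factors 1 (ThM = 1) reaches 10.
    return (10.0 - cvss_base) * (sum(factors) / 10.0) * thm


def aivss(cvss_base: float, factors: Sequence[float],
          thm: float = 1.0, mitigation: float = 1.0) -> float:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor."""
    raw = (cvss_base + aars(cvss_base, factors, thm)) * mitigation
    # Assumption: clamp to the CVSS range and round to one decimal place.
    return round(min(max(raw, 0.0), 10.0), 1)


def band(score: float) -> str:
    """Map a 0-10 score to its CVSS qualitative band."""
    for lower, label in BANDS:
        if score >= lower:
            return label
    return "None"


if __name__ == "__main__":
    for mitigation in (1.0, 0.75):
        score = aivss(6.0, SAMPLE_FACTORS, mitigation=mitigation)
        print(f"mitigation={mitigation}: AIVSS={score} ({band(score)})")
```

With a CVSS base of 6.0 the same factor set moves from one band to another depending only on the mitigation factor, which is why the per-agent factor breakdown matters when reading a band.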

MAESTRO 7-layer threat model

MAESTRO is the Cloud Security Alliance / Ken Huang agentic threat-modeling framework. We map threats across its seven layers (foundation model → agent ecosystem). Where the public description doesn’t pin a layer, that layer is explicitly tagged “not certain from listing” and treated as general, caveated commentary rather than a specific finding — we flag uncertainty instead of inventing precision.

Independence

Corrections & disputes

If you’re the vendor and something is factually wrong — an outdated capability, a mis-stated data flow, a control we couldn’t see from your public listing — we’ll correct it, free. Provide the evidence (docs, a security page, a disclosure policy) and we re-run the same methodology against it. A self-serve claim & dispute flow is rolling out; in the meantime, contact us via distributedapps.ai.

This directory provides AI-agent security readiness information for guidance only. It is not a certification, audit, or penetration test, and is not affiliated with the listed vendors.