

Zscaler MCP — agentic threat model

AIVSS 9.4 · Critical

The Zscaler MCP agent possesses an exceptionally high risk profile due to its ability to administer core enterprise security infrastructure (ZPA, ZIA, ZCC). Compromise or unauthorized tool execution via this MCP server could lead to complete network compromise, disabling of security controls, and sensitive data exfiltration.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 9.8
AARS uplift: 0.11
Factor sum: 5.0/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×0.95

Agentic risk factors:
Autonomy of Action: 0.70
Goal-Driven Planning: 0.40
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.20
Contextual Awareness: 0.60
Dynamic Identity: 0.50
Multi-Agent Interactions: 0.70
Non-Determinism: 0.40
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
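To make the score rationale above checkable, here is the AIVSS arithmetic as stated on this listing, written as an added example (it is not the OWASP AIVSS calculator itself; it assumes the formula shown on the page is the complete one and uses the listing's inputs):

```python
# Added example: the AIVSS arithmetic as stated on this listing, reproduced as a
# checkable function. This is not the official OWASP AIVSS calculator; it assumes the
# formula shown on the page is the complete one and uses the listing's inputs.

FACTOR_NAMES = (
    "Autonomy of Action", "Goal-Driven Planning", "Self-Modification",
    "Dynamic Tool Use", "Persistent Memory", "Contextual Awareness",
    "Dynamic Identity", "Multi-Agent Interactions", "Non-Determinism",
    "Opacity & Reflexivity",
)


def validate_inputs(cvss_base, factors, threat_multiplier, mitigation_factor):
    """Raise ValueError on an out-of-range or incomplete input vector."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must lie in [0, 10]")
    missing = set(FACTOR_NAMES) - set(factors)
    extra = set(factors) - set(FACTOR_NAMES)
    if missing or extra:
        raise ValueError(f"factor vector mismatch: missing={missing}, extra={extra}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must lie in [0, 1], got {value}")
    if threat_multiplier <= 0 or mitigation_factor <= 0:
        raise ValueError("multipliers must be positive")


def factor_sum(factors):
    """Sum of the ten agentic risk factors (each 0..1, so the sum is 0..10)."""
    return sum(factors[name] for name in FACTOR_NAMES)


def aars(cvss_base, factors, threat_multiplier):
    """Agentic uplift: (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, after validating inputs."""
    validate_inputs(cvss_base, factors, threat_multiplier, mitigation_factor)
    uplift = aars(cvss_base, factors, threat_multiplier)
    return (cvss_base + uplift) * mitigation_factor


# Inputs transcribed from the listing above.
ZSCALER_MCP_FACTORS = {
    "Autonomy of Action": 0.70, "Goal-Driven Planning": 0.40,
    "Self-Modification": 0.10, "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.20, "Contextual Awareness": 0.60,
    "Dynamic Identity": 0.50, "Multi-Agent Interactions": 0.70,
    "Non-Determinism": 0.40, "Opacity & Reflexivity": 0.50,
}
ZSCALER_MCP_INPUTS = dict(cvss_base=9.8, factors=ZSCALER_MCP_FACTORS,
                          threat_multiplier=1.1, mitigation_factor=0.95)


def zscaler_mcp_breakdown():
    """Return (factor_sum, AARS, AIVSS) for the listing, rounded as the page shows."""
    fs = factor_sum(ZSCALER_MCP_FACTORS)
    up = aars(9.8, ZSCALER_MCP_FACTORS, 1.1)
    score = aivss(**ZSCALER_MCP_INPUTS)
    return round(fs, 1), round(up, 2), round(score, 1)


if __name__ == "__main__":
    print(zscaler_mcp_breakdown())  # (5.0, 0.11, 9.4)
```

One property of the formula worth noticing when reading the breakdown: the agentic uplift is scaled by (10 − CVSS_Base), so with a base of 9.8 there is only 0.2 of headroom and the ten factors can move the score by at most 0.22 before mitigation. Here the ×0.95 mitigation factor removes more (about 0.5) than the agentic factors add (0.11), which is why the final 9.4 sits below the CVSS base despite the high Dynamic Tool Use and Autonomy values.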

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary where the public description did not pin that layer down.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — the description does not specify the underlying foundation LLMs used to drive the MCP server or process user queries.

L2 · Data Operations · ⚠ not certain from listing

Not certain from the listing — while the agent accesses Z-Insights analytics and EASM attack-surface data, details about vector databases, RAG pipelines, or data lineage are not specified.

L3 · Agent Frameworks · ✓ mapped

The agent acts as an MCP server exposing Zscaler administration and query tools. Threats include tool misuse (unauthorized configuration changes to ZPA/ZIA/ZCC) and insecure tool integration where malicious prompts could trigger destructive administrative actions.

L4 · Deployment & Infrastructure · ✓ mapped

The agent is deployed as an MCP server, requiring hosting and integration with Zscaler APIs. Threats include exposure of highly sensitive Zscaler API keys/secrets, container compromise, and unauthorized network access to the MCP server.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — the description does not mention specific evaluation frameworks, guardrails, or monitoring tools for the MCP server itself, though it accesses ZDX/Z-Insights.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

Managing Zscaler (ZPA/ZIA/ZCC) involves critical enterprise security policies. Threats include lack of fine-grained authorization (AuthZ) for the agent, leading to unauthorized policy modifications, privilege escalation, or compliance violations.

L7 · Agent Ecosystem · ✓ mapped

As an MCP server, it is designed to be consumed by other LLM clients/agents. Threats include A2A trust abuse, where a compromised client agent triggers destructive administrative actions on Zscaler via this MCP server.
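The L3, L6 and L7 threats above share one control: the MCP server must not run an administrative tool merely because a client asked for it. The following added example (not the Zscaler MCP server's own code) sketches a fine-grained authorization gate between an MCP client's tool call and the handler that would touch ZPA/ZIA/ZCC. Every tool is classified as read, write or destructive, each client carries explicit per-product scopes, destructive tools additionally require out-of-band approval, and every decision is audited so that a compromised client agent hammering on destructive tools is visible. Tool names, scope strings and client identities are hypothetical placeholders; the listing does not name the real tools.

```python
# Added example, not the Zscaler MCP server's code: a fine-grained authorization gate
# placed between an MCP client's tool call and the handler that would touch ZPA/ZIA/ZCC.
# Tool names, scope strings and client identities below are hypothetical placeholders.
from dataclasses import dataclass
from enum import Enum


class Effect(Enum):
    READ = "read"                # query only
    WRITE = "write"              # changes a policy or configuration
    DESTRUCTIVE = "destructive"  # deletes an object or disables a security control


# Hypothetical tool catalogue keyed by tool name; the prefix names the Zscaler product.
TOOL_EFFECTS = {
    "zia_list_url_policies": Effect.READ,
    "zpa_list_app_segments": Effect.READ,
    "zia_update_url_policy": Effect.WRITE,
    "zpa_delete_app_segment": Effect.DESTRUCTIVE,
    "zcc_disable_posture_check": Effect.DESTRUCTIVE,
}


@dataclass(frozen=True)
class ClientIdentity:
    client_id: str
    scopes: frozenset  # explicit grants such as {"zia:read", "zpa:write"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    requires_approval: bool = False


AUDIT_LOG = []  # every decision, allowed or denied, is recorded for detection


def required_scope(tool):
    """Map a tool to the '<product>:<read|write>' scope a client must hold."""
    product = tool.split("_", 1)[0]
    level = "read" if TOOL_EFFECTS[tool] is Effect.READ else "write"
    return f"{product}:{level}"


def authorize(client, tool, human_approved=False):
    """Decide whether `client` may run `tool`; destructive tools also need approval."""
    if tool not in TOOL_EFFECTS:
        decision = Decision(False, f"unknown tool {tool!r}")  # deny by default
    else:
        scope = required_scope(tool)
        if scope not in client.scopes:
            decision = Decision(False, f"missing scope {scope}")
        elif TOOL_EFFECTS[tool] is Effect.DESTRUCTIVE and not human_approved:
            decision = Decision(False, "destructive tool needs out-of-band approval", True)
        else:
            decision = Decision(True, "ok")
    AUDIT_LOG.append({"client": client.client_id, "tool": tool,
                      "allowed": decision.allowed, "reason": decision.reason})
    return decision


def dispatch(client, tool, args, handlers, human_approved=False):
    """Run the handler only when the gate allows; return (decision, result)."""
    decision = authorize(client, tool, human_approved)
    if not decision.allowed:
        return decision, None
    return decision, handlers[tool](**args)


def denied_destructive_attempts():
    """Detection helper: count denied calls to destructive tools per client."""
    counts = {}
    for entry in AUDIT_LOG:
        if not entry["allowed"] and TOOL_EFFECTS.get(entry["tool"]) is Effect.DESTRUCTIVE:
            counts[entry["client"]] = counts.get(entry["client"], 0) + 1
    return counts
```

The gate sits in the server, not the client, so a prompt-injected or compromised client agent (the L3 and L7 threats) cannot talk its way past it; the audit log is what turns the L6 authorization failure into a detectable event, and a rising count from `denied_destructive_attempts()` for one client id is a cheap first alert.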

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).