
Zscaler — agentic threat model

AIVSS 9.9 · Critical

The Zscaler plugin possesses an exceptionally high risk profile due to its direct integration with enterprise network security controls (ZPA/ZIA), allowing it to create and manage policies. A compromise or prompt injection attack could lead to unauthorized network access, disabled security boundaries, and complete exposure of the enterprise attack surface.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 9.8
AARS uplift: 0.12
Factor sum: 5.3/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.80
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.20
Contextual Awareness: 0.70
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.10
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
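Carrying the listing's own numbers through the formula above (a worked derivation added here for illustration; it is not part of the original listing) shows how the displayed score is reached:

$$\text{Factor\_Sum} = 0.80 + 0.80 + 0.10 + 0.90 + 0.20 + 0.70 + 0.60 + 0.10 + 0.60 + 0.50 = 5.3$$

$$\text{AARS} = (10 - \text{CVSS\_Base}) \times \frac{\text{Factor\_Sum}}{10} \times \text{ThM} = (10 - 9.8) \times \frac{5.3}{10} \times 1.1 = 0.2 \times 0.53 \times 1.1 \approx 0.1166 \approx 0.12$$

$$\text{AIVSS} = (\text{CVSS\_Base} + \text{AARS}) \times \text{Mitigation\_Factor} = (9.8 + 0.1166) \times 1.0 \approx 9.92 \approx 9.9$$

Because AARS is scaled by (10 − CVSS_Base), a base score this close to 10 leaves almost no headroom for the agentic uplift: the factor sum is above 5, yet the uplift adds only 0.12. The agentic factors therefore matter most for the qualitative threat model below rather than for the numeric score, and a mitigation factor below 1.0 (none is claimed here) is the only term in the formula that would lower it.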

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The listing does not specify the underlying LLM used by the Zscaler plugin. Standard LLM risks like prompt injection could lead to unauthorized policy generation or incorrect troubleshooting advice.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — The plugin accesses Zscaler analytics and configuration data via the MCP server, but details on vector stores or RAG implementation are not provided. Risks include exposure of sensitive network topology data.

L3 · Agent Frameworks (✓ mapped)

The agent orchestrates calls to the Zscaler MCP server to manage ZPA, ZIA, ZDX, and ZCC. A major threat is tool misuse or insecure tool integration, where a malicious prompt could trick the agent into executing unauthorized policy changes or disabling security rules.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The hosting environment of the agent and how it securely stores credentials for the Zscaler MCP server are not detailed. Threats include credential theft or lateral movement if the hosting container is compromised.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of guardrails, evaluation frameworks, or logging mechanisms to monitor the agent's policy-generation actions. Gaps here could lead to undetected malicious policy modifications.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The agent manages critical network security policies (ZPA/ZIA) and audits configurations. Without strict access controls, identity verification, and human-in-the-loop authorization, it poses severe compliance and authorization risks.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — It is unclear if this plugin interacts with other agents in a marketplace or multi-agent setup, but any cascading failure or unauthorized agent-to-agent interaction could compromise the entire network security posture.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).