
OWASP MCP Top 10 — coverage matrix.

Which engines detect which OWASP MCP Top 10 risks, what counts as partial coverage, and what no scanner can catch. Reproducible on your own machine — every cell links back to a public rule pack.

01 The Top 10

The OWASP MCP / LLM Top 10 enumerates the most consequential failure modes when shipping LLM-backed services. We map each risk to the engines that exercise it. Risk codes follow the upstream OWASP convention.

LLM01 Prompt Injection: Untrusted input rewriting the system prompt or smuggling instructions through tool output.
LLM02 Insecure Output Handling: Treating model output as trusted — passing it to shells, eval, browsers, or SQL without validation.
LLM03 Training Data Poisoning: Adversarial fine-tunes or embeddings that bias the model toward unsafe behavior.
LLM04 Model Denial of Service: Token-flooding, recursive tool calls, or context bombs that exhaust quota or wedge the agent.
LLM05 Supply Chain Vulnerabilities: Compromised dependencies, typosquats, or unsigned releases in the MCP server's package graph.
LLM06 Sensitive Information Disclosure: API keys, tokens, customer data, or internal URLs leaked through tool responses or logs.
LLM07 Insecure Plugin Design: Tools with unconstrained scope, missing auth, or shadowing trusted names in the agent's catalog.
LLM08 Excessive Agency: Tools that mutate state, spend money, or exfiltrate data with no human-in-the-loop guard.
LLM09 Overreliance: Operators trusting model output as ground truth — a process risk, not a code risk. Scanner-adjacent.
LLM10 Model Theft: Weights, prompts, or proprietary fine-tunes exfiltrated via the inference endpoint or repo.

02 Coverage matrix

Engines are grouped by family — vulnerability, MCP-specific, secrets, and supply chain. A green check means the engine has at least one rule directly aimed at the risk. Amber means partial — the engine catches a subset, or only the most obvious cases. Dash means out of scope for that engine.

Engine families (columns): Vuln, MCP, Secrets, Supply, Meta.

LLM01 Prompt Injection
LLM02 Insecure Output Handling (~ partial in at least one family)
LLM03 Training Data Poisoning (~ partial in at least one family)
LLM04 Model Denial of Service (~ partial in at least one family)
LLM05 Supply Chain Vulnerabilities (~ partial in at least one family)
LLM06 Sensitive Info Disclosure (~ partial in at least one family)
LLM07 Insecure Plugin Design
LLM08 Excessive Agency
LLM09 Overreliance
LLM10 Model Theft (~ partial in at least one family)

Legend: check = direct rule coverage; ~ = partial, subset of cases; dash = out of scope for this family.

Click into the engine catalog for the per-engine rule pack and the test corpus each row was validated against.

03 Caveats

No scanner is exhaustive. The matrix above is what we test for; the list below is what we deliberately don't claim to catch.

LLM03 Training Data Poisoning is mostly out of scope. We can flag suspicious model-card entries and unverified fine-tune sources in the supply chain, but we don't run the model and we don't audit weights. If poisoning was injected during training, the artifact looks clean to us.
LLM09 Overreliance is a process failure, not a code one. No scanner can tell you whether your operators trust the agent too much. We surface findings; humans decide whether to ship. Treat green lights as permission to read the report, never as a substitute for review.
No zero-day rules. Coverage tracks public CVEs and known-bad patterns. Novel attack classes appear in the matrix only after a rule pack ships, typically within seven days of public disclosure. Subscribe to the changelog for rule-pack releases.

The point of publishing this matrix is the inverse of marketing: we'd rather you know exactly where the scanner stops than ship something that pretends to cover everything.
