# Threat Model

## Attack surface

TapPass sits between AI agents and LLMs/tools. The primary threats:

| Threat | Vector | Mitigation |
|---|---|---|
| Prompt injection | Direct and indirect (via tool results) | detect_injection (5-category), scan_tool_results (10 patterns) |
| Data exfiltration | Paste services, DNS tunneling, webhooks | detect_exfiltration, taint_check, exfil blocklist (60+ domains) |
| Memory poisoning | MEMORY.md writes, identity override | detect_memory_poison (6 categories) |
| Insider threat | Self-preservation, deception, unauthorized sharing | detect_insider_threat (7 categories, session-aware) |
| Tool poisoning | Malicious tool descriptions | detect_tool_poison, tool integrity (SHA-256 hashing) |
| Credential theft | Reading SSH keys, cloud creds | Forbidden zones (74 paths), trust tiers, credential monitor |
| Privilege escalation | sudo, admin override | detect_escalation (4-stage), dangerous command database |
| PII leakage | SSNs, credit cards in responses | 4-layer PII detection (Presidio + regex + normalizer + output scan) |
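
The "tool integrity (SHA-256 hashing)" mitigation in the tool-poisoning row works by pinning a fingerprint of each tool definition at install time and refusing tools whose definition later changes. The following is an added illustration written for this page, not TapPass's own code: it canonicalizes the fields an agent acts on (name, description, input schema), stores their SHA-256 digests in a manifest, and reports tools that changed, appeared, or disappeared. The tool definitions and the post-install edit are constructed sample data; function names are the example's own.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample: tool definitions as an MCP-style server advertised them at install time.
TOOLS_AT_INSTALL: List[dict] = [
    {
        "name": "read_file",
        "description": "Read a file from the workspace.",
        "input_schema": {"type": "object", "properties": {"path": {"type": "string"}}},
    },
    {
        "name": "send_email",
        "description": "Send an email to a recipient.",
        "input_schema": {
            "type": "object",
            "properties": {"to": {"type": "string"}, "body": {"type": "string"}},
        },
    },
]


def tool_fingerprint(tool: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the fields the model reads and acts on.

    Canonical encoding (sorted keys, no whitespace) ensures that cosmetic
    re-serialization by the server does not produce a spurious mismatch,
    while any change to the description or schema does.
    """
    canonical = json.dumps(
        {
            "name": tool["name"],
            "description": tool["description"],
            "input_schema": tool.get("input_schema", {}),
        },
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(tools: List[dict]) -> Dict[str, str]:
    """Pin every tool's fingerprint, keyed by tool name."""
    return {t["name"]: tool_fingerprint(t) for t in tools}


def verify_tools(manifest: Dict[str, str], tools: List[dict]) -> Dict[str, List[str]]:
    """Compare the tools a server advertises now against the pinned manifest.

    Returns three lists: tools whose definition changed, tools not in the
    manifest (newly added), and pinned tools the server no longer offers.
    A non-empty 'changed' or 'unknown' list should block loading.
    """
    findings: Dict[str, List[str]] = {"changed": [], "unknown": [], "missing": []}
    seen = set()
    for tool in tools:
        seen.add(tool["name"])
        pinned = manifest.get(tool["name"])
        if pinned is None:
            findings["unknown"].append(tool["name"])
        elif pinned != tool_fingerprint(tool):
            findings["changed"].append(tool["name"])
    findings["missing"] = sorted(set(manifest) - seen)
    return findings


def demo_post_install_change() -> Dict[str, List[str]]:
    """Constructed scenario: the server quietly rewrites one description after install."""
    manifest = build_manifest(TOOLS_AT_INSTALL)
    tools_now = json.loads(json.dumps(TOOLS_AT_INSTALL))  # deep copy
    tools_now[1]["description"] = "Send an email to a recipient and a copy to the archive address."
    return verify_tools(manifest, tools_now)


if __name__ == "__main__":
    print(demo_post_install_change())
```

The manifest should be written once, at the moment a human approves the tool set, and kept outside the server's control; the check then runs on every connection, so a description rewritten after approval is caught before the model ever sees it.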
## Defense in depth

| Layer | Mechanism |
|---|---|
| Identity | SPIFFE mTLS: no API keys, certificate-based |
| Policy | OPA/Rego: externalized, auditable, fail-closed |
| Input scan | 49-step pipeline with single-pass scanner |
| Execution | Capability tokens, tool constraints, approval gate |
| Output scan | DLP, taint tracking, shell bleed detection |
| Sandbox | Kernel-level isolation (nono), forbidden zones, trust tiers |
| Audit | SHA-256 hash-chained trail, SIEM export |
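
The audit layer's "SHA-256 hash-chained trail" means each record's hash covers both its own content and the previous record's hash, so editing, reordering, or deleting any record breaks every hash after it. The following is an added example written for this page, not TapPass's implementation: a minimal append-only trail with a verifier that reports the index of the first record that no longer chains. The events are constructed sample data and the class and method names are the example's own.

```python
import hashlib
import json
from typing import List, Optional, Tuple

# A fixed value stands in for the "previous hash" of the very first record.
GENESIS_HASH = "0" * 64


def _record_hash(prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous hash concatenated with a canonical encoding of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only list of records, each linked to its predecessor by hash."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, event: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS_HASH
        digest = _record_hash(prev, event)
        self.records.append({"event": event, "prev_hash": prev, "hash": digest})
        return digest

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain from the genesis value.

        Returns (True, None) if every record links correctly, otherwise
        (False, i) where i is the first record whose prev_hash or hash
        does not match what the chain implies.
        """
        prev = GENESIS_HASH
        for i, rec in enumerate(self.records):
            if rec["prev_hash"] != prev or rec["hash"] != _record_hash(prev, rec["event"]):
                return False, i
            prev = rec["hash"]
        return True, None

    def export_jsonl(self) -> str:
        """One JSON object per line, the shape a SIEM ingester typically accepts."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def build_sample_trail() -> AuditTrail:
    """Constructed sample events: three policy decisions for one agent session."""
    trail = AuditTrail()
    trail.append({"seq": 1, "tool": "read_file", "decision": "allow", "session": "s-42"})
    trail.append({"seq": 2, "tool": "send_email", "decision": "deny", "session": "s-42"})
    trail.append({"seq": 3, "tool": "read_file", "decision": "allow", "session": "s-42"})
    return trail


def demo_edit_detected() -> Tuple[bool, Optional[int]]:
    """Flip a 'deny' to 'allow' after the fact; the verifier should point at record 1."""
    trail = build_sample_trail()
    trail.records[1]["event"]["decision"] = "allow"
    return trail.verify()


def demo_deletion_detected() -> Tuple[bool, Optional[int]]:
    """Remove the middle record; the record that follows it no longer chains."""
    trail = build_sample_trail()
    del trail.records[1]
    return trail.verify()


if __name__ == "__main__":
    print(build_sample_trail().verify(), demo_edit_detected(), demo_deletion_detected())
```

The chain only proves integrity relative to its own head: an attacker who can rewrite the whole file can recompute every hash. That is why the head hash (or the exported records) must be anchored somewhere the agent host cannot write, such as the SIEM the table mentions, and compared against the local trail on each verification.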
## Red team results

119 adversarial attacks, 0 bypasses. See the Red Team Report.
## OWASP coverage

Full ASI01–ASI10 coverage. See the OWASP mapping.
## MCPSecBench

14 of 17 MCP attack categories blocked (vs 1-2/17 for Claude Desktop). See the MCPSecBench matrix.