🦞 CyberSecClaw
DAST (Dynamic Application Security Testing) has existed for web apps for 20 years. Scanners send HTTP requests to your web app and look
for SQL injection, XSS, broken auth.
But AI agents don't have web UIs. They communicate via MCP (Model Context Protocol), make tool calls, and operate autonomously.
Traditional DAST can't scan them.
Part of our stack now.
## What is Agent DAST?
Same concept as web DAST, but for AI agents. Point it at any MCP server, it sends real attack payloads, and reports what's broken.
The difference: instead of testing 3-4 vulnerability categories, Agent DAST tests 8 security dimensions with 38 real checks.
## Multiple Security Dimensions - below examples :
Every agent gets assessed across:
- Identity -- Can we connect with no credentials? Can we spoof another agent?
- Injection -- Command, SQL, path traversal, SSRF, prompt injection, XSS, tool poisoning
- Escalation -- Can a low-trust agent call admin tools? Can it chain tools to gain access?
- Exfiltration -- Can it send data to external endpoints? Does it leak PII in responses?
- Trust Boundary -- Can a malicious agent relay instructions through this one?
- Autonomy Control -- Rate limits? Action budgets? Kill switch? Can monitoring be disabled?
- Integrity -- Are messages signed? Replay protection? Tool definition hash pinning?
- Compliance -- OWASP MCP Top 10, OWASP Agentic AI Top 10, EU AI Act, OWASP AISVS C10
## We Scanned Public MCP Servers
Here's what happened:
| MCP Server | Company | Score | Passport |
|---|---|---|---|
| DeepWiki | Cognition (Devin) | 30/100 | DENY |
| Blockscout | Blockscout | 34/100 | DENY |
| Exa Search | Exa AI | 30/100 | DENY |
| Korean Law MCP | Community (1,567 stars) | 30/100 | DENY |
| DVMCP | CyberSecAI (test target) | 7/100 | DENY |
Every single one fails. Zero production MCP servers pass an all-dimension security assessment.
The most common failures:
- No authentication -- anyone can call tools
- No message signing -- requests can be tampered with in transit
- No replay protection -- captured requests can be replayed
- No trust boundary enforcement -- agents blindly trust other agents
- No rate limiting -- unlimited tool calls accepted
- No audit trail -- no record of what happened
## What a Scan Looks Like
$ cybersecclaw agent-dast https://target-server.com
Running 8-Dimension Agent DAST...
[1/8] IDENTITY........... 0% (0 pass, 4 fail)
[2/8] INJECTION.......... 4% (1 pass, 6 fail)
[3/8] ESCALATION......... 0% (0 pass, 4 fail)
[4/8] EXFILTRATION...... 50% (2 pass, 2 fail)
[5/8] TRUST BOUNDARY..... 0% (0 pass, 4 fail)
[6/8] AUTONOMY........... 0% (0 pass, 5 fail)
[7/8] INTEGRITY.......... 0% (0 pass, 5 fail)
[8/8] COMPLIANCE......... 0% (0 pass, 4 fail)
MITRE ATLAS: 14/14 techniques triggered
ATTACK CHAINS: 5 multi-step exploits identified
KILL CHAIN: 8/9 stages VULNERABLE
SCORE: 7/100 (F) | VERDICT: FAIL | PASSPORT: DENY
It also includes:
- MITRE ATLAS mapping -- every finding mapped to AI-specific attack techniques
- Attack chain analysis -- shows how individual vulns combine into full compromise paths
- CVE cross-reference -- checks your SDK version against 13+ known MCP CVEs
- Kill chain visualisation -- 9 stages from reconnaissance to impact
- AutoFix recommendations -- code patches for every finding with OWASP references
## Passport DENY = Agent Blocked
The scan produces a score across all 8 dimensions. Pass (70+) and the agent gets a cryptographic passport -- proof it's been assessed and meets minimum security posture. Fail and it's denied from production.
Think of it as a credit check for AI agents. No score, no access.
## Why Traditional DAST Can't Do This
Traditional DAST scanners send HTTP requests to web forms and check responses. That finds SQL injection in a login page. But agents don't
have login pages.
Agent attacks are different:
- Tool poisoning -- hidden instructions in tool descriptions that manipulate agent behaviour
- Trust boundary violation -- one agent relaying malicious instructions through another
- Context poisoning -- injecting fake security policies into shared agent memory
- Oversight disabling -- agents that turn off their own monitoring
- Multi-hop chains -- Agent A tells Agent B to tell Agent C to exfiltrate data
These aren't code bugs. They're agent behaviours. You can't find them by scanning source code. You have to test the running agent with
real attack payloads.
That's Agent DAST.
## The Standards Behind It
Every finding maps to real standards:
- OWASP MCP Security Cheat Sheet -- we contributed the message integrity section (Section 7)
- OWASP AISVS C10 -- 3 requirements we authored (10.2.13, 10.4.11, 10.6.4)
- OWASP MCP Top 10 -- 10/10 coverage
- OWASP Agentic AI Top 10 -- 8/10 coverage
- EU AI Act -- Articles 12-16, 50
- MITRE ATLAS -- 14 AI-specific attack techniques
We don't just test against the standards. We wrote them.
## What's Next
Agent DAST is one part of the stack. The full lifecycle:
- Build secure agents with the CyberSecClaw SDK
- Scan agents with Agent DAST (8 dimensions, 38 checks)
- Protect agents at runtime with inline security inspection
- Certify agents with a cryptographic passport
If you're deploying AI agents in production and don't have an answer for "how do you know this agent is safe?" -- that's the gap we
close.
claw.cybersecai.co.uk
Raza Sharif -- Founder, CyberSecAI Ltd
raza@cybersecai.co.uk
This article was originally published by DEV Community and written by razashariff.
Read original article on DEV Community