The MAESTRO Threat Analyzer is an AI-powered tool designed to help developers and security professionals identify and mitigate potential threats in multi-agent systems. It uses large language models via Genkit—including Google Gemini, OpenAI, and locally hosted Ollama models—together with the MAESTRO threat modeling framework to analyze system architectures and generate detailed security insights.
This tool is built for educational and demonstrative purposes to showcase how threat modeling can be applied to complex, agentic AI systems.
This tool is based on the MAESTRO (Malicious Agent Evasion, Strategy, and Threat Response Operations) framework for agentic AI threat modeling, as detailed in the Cloud Security Alliance (CSA) publication:
We highly recommend reading the paper to understand the seven-layer architecture and the principles behind this tool.
- Detailed Architecture Input: Provides a textarea for users to describe their system architecture, which is used by the AI for analysis.
- Use-Case Presets: Comes with pre-populated use-case descriptions that detail interactions between agents using protocols like A2A (Agent-to-Agent) and MCP (Model Context Protocol).
- AI-Powered Threat Identification: For each of the seven MAESTRO layers, the tool uses a Genkit flow to call the configured LLM provider. The AI identifies two categories of threats:
  - Traditional Threats: Inherent security risks for the layer's technology, independent of agentic factors.
  - Agentic Threats: Novel threats, or exacerbations of existing ones, arising from factors like Non-Determinism, Autonomy, and No Trust Boundary.
- AI-Driven Mitigation Generation: For each identified threat, the AI recommends specific mitigation strategies, including the reasoning behind them and any potential caveats.
- Real-Time Analysis & Logging: The UI streams the analysis progress in real time, showing detailed logs as the AI works through each of the seven MAESTRO layers.
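As an added example, not code from the project: a strict parser for the per-layer threat report that a Genkit flow would request from the LLM, treating the model's output as untrusted input and rejecting unknown categories or agentic factors. The field names are assumptions, and the seven layer names are taken from the CSA MAESTRO paper.

```typescript
// Added example (not the project's code): strict parsing of the per-layer JSON report a
// Genkit flow would request from the LLM. Model output is untrusted, so every field is checked.
export const MAESTRO_LAYERS = [ // layer names as listed in the CSA paper (assumed here)
  "Foundation Models", "Data Operations", "Agent Frameworks", "Deployment & Infrastructure",
  "Evaluation & Observability", "Security & Compliance", "Agent Ecosystem"] as const;
export const AGENTIC_FACTORS = ["Non-Determinism", "Autonomy", "No Trust Boundary"] as const;
export type AgenticFactor = (typeof AGENTIC_FACTORS)[number];
export interface Mitigation { strategy: string; reasoning: string; caveats?: string }
export interface Threat { category: "traditional" | "agentic"; title: string; description: string;
  factors: AgenticFactor[]; mitigations: Mitigation[] } // factors: required for agentic, empty for traditional
export interface LayerReport { layer: number; name: string; threats: Threat[] }
type Obj = Record<string, unknown>;
const isStr = (v: unknown): v is string => typeof v === "string" && v.trim().length > 0;
function asObj(v: unknown, what: string): Obj {
  if (typeof v !== "object" || v === null) throw new Error(`${what} must be a JSON object`);
  return v as Obj;
}
function parseMitigation(m: unknown): Mitigation {
  const o = asObj(m, "mitigation");
  if (!isStr(o.strategy) || !isStr(o.reasoning)) throw new Error("mitigation needs strategy and reasoning");
  return { strategy: o.strategy, reasoning: o.reasoning, ...(isStr(o.caveats) ? { caveats: o.caveats } : {}) };
}
function parseThreat(t: unknown): Threat {
  const o = asObj(t, "threat");
  if (!isStr(o.title) || !isStr(o.description)) throw new Error("threat needs title and description");
  if (o.category !== "traditional" && o.category !== "agentic") throw new Error("unknown threat category");
  const factors: unknown[] = Array.isArray(o.factors) ? o.factors : [];
  if (!factors.every((f) => (AGENTIC_FACTORS as readonly unknown[]).includes(f))) throw new Error("unknown agentic factor");
  if ((o.category === "agentic") !== (factors.length > 0)) throw new Error("factors must match the category");
  if (!Array.isArray(o.mitigations) || o.mitigations.length === 0) throw new Error("every threat needs a mitigation");
  return { category: o.category as Threat["category"], title: o.title, description: o.description,
    factors: factors as AgenticFactor[], mitigations: o.mitigations.map(parseMitigation) };
}
/** Parse one layer's raw model text; tolerates a ```json fence around the JSON but nothing else. */
export function parseLayerReport(layer: number, raw: string): LayerReport {
  if (!Number.isInteger(layer) || layer < 1 || layer > MAESTRO_LAYERS.length) throw new Error("layer out of range");
  const body = raw.trim().replace(/^```(?:json)?\s*/i, "").replace(/\s*```$/, "");
  const data = asObj(JSON.parse(body), "report"); // JSON.parse throws on anything that is not JSON
  if (!Array.isArray(data.threats)) throw new Error("threats must be an array");
  return { layer, name: MAESTRO_LAYERS[layer - 1], threats: data.threats.map(parseThreat) };
}
// Constructed sample response for layer 3 (Agent Frameworks), fenced the way LLMs often return JSON.
export const SAMPLE_RESPONSE = "```json\n" + JSON.stringify({ threats: [
  { category: "traditional", title: "Vulnerable framework dependency", description: "Outdated agent runtime package.",
    mitigations: [{ strategy: "Pin and scan dependencies", reasoning: "Removes known vulnerable versions." }] },
  { category: "agentic", title: "Unbounded tool invocation", description: "Agent loops over tool calls with no limit.",
    factors: ["Autonomy", "Non-Determinism"], mitigations: [{ strategy: "Cap tool calls per task",
      reasoning: "Bounds the blast radius of a runaway agent.", caveats: "May truncate legitimately long tasks." }] }],
}) + "\n```";
```

A flow would call `parseLayerReport` on each of the seven layers' responses and surface a parse error as a failed layer rather than rendering unchecked model text in the UI.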
Follow these instructions to set up and run the project locally.
- Node.js (v18 or later)
- npm or yarn
- Clone the repository:

  ```bash
  git clone <repository-url>
  cd <repository-directory>
  ```

- Install dependencies:

  ```bash
  npm install
  ```

- Set up environment variables:

  - Create a `.env` file in the root of the project.
  - Choose which provider to use by setting `LLM_PROVIDER` to `google`, `openai`, or `ollama` (defaults to `google`).
  - Provide the appropriate credentials for the selected provider:

  ```
  # For Google Gemini
  GEMINI_API_KEY=your_api_key_here
  # For OpenAI
  OPENAI_API_KEY=your_api_key_here
  # For Ollama
  OLLAMA_SERVER_ADDRESS=http://localhost:11434
  # Optional: override the default model
  LLM_MODEL=model-name
  ```
This project requires two processes to run concurrently: the Next.js frontend and the Genkit AI flows.
- Run the Next.js development server. Open a terminal and run:

  ```bash
  npm run dev
  ```

  This will start the web application, typically available at `http://localhost:9002`.

- Run the Genkit flows. Open a second terminal and run:

  ```bash
  npm run genkit:watch
  ```

  This command starts the Genkit development server and automatically reloads it when you make changes to your AI flows.
You can now open your browser and start using the MAESTRO Threat Analyzer.
We welcome contributions! If you'd like to help improve the tool, please follow these steps:
- Fork the repository.
- Create a new branch for your feature or bug fix.
- Make your changes and commit them with clear, descriptive messages.
- Push your branch and open a pull request.
Please ensure your code follows the existing style and that you've tested your changes.
This tool is intended for educational and demonstration purposes only. The threat analysis and mitigation strategies are generated by an AI model based on the MAESTRO methodology.
AI can make mistakes. The information provided by this tool should not be considered a complete or authoritative security audit. Always perform a thorough, manual review and consult with security professionals before implementing any recommended mitigations. The creators of this tool are not responsible for any security vulnerabilities or issues that may arise from its use.
This project is licensed under the MIT License.
MIT License
Copyright (c) 2024 Distributed Apps
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

For questions, feedback, or inquiries, please contact us at [email protected].