Security Framework Mappings
ThoughtJack scenarios map to established security frameworks to help security teams prioritize testing and communicate findings using shared taxonomy.
MITRE ATT&CK
MITRE ATT&CK is a knowledge base of adversary tactics and techniques. ThoughtJack scenarios map to ATT&CK techniques where MCP-specific attacks parallel traditional attack patterns.
Why ATT&CK mapping matters
- Shared language: security teams already understand ATT&CK; mapping MCP attacks to it reduces the learning curve
- Coverage analysis: identify which ATT&CK techniques your MCP client is vulnerable to
- Risk prioritization: ATT&CK techniques have associated severity and prevalence data
Mapping approach
MCP attacks don't always have direct ATT&CK equivalents. ThoughtJack maps to the closest applicable technique:
| MCP Attack | ATT&CK Technique | Rationale |
|---|---|---|
| Prompt injection in tool responses | T1059 (Command and Scripting Interpreter) | Injected instructions cause the agent to execute actions |
| Tool description injection | T1036 (Masquerading) | Malicious tool disguised as legitimate |
| Credential harvesting via descriptions | T1556 (Modify Authentication Process) | Social engineering through tool interfaces |
| Rug pull (tool swap) | T1574 (Hijack Execution Flow) | Legitimate tool replaced with malicious version |
| Resource exfiltration | T1552 (Unsecured Credentials) | Data extracted via resource content |
| Unicode obfuscation | T1027 (Obfuscated Files or Information) | Content disguised using Unicode tricks |
| Notification flood | T1498 (Network Denial of Service) | Resource exhaustion via message volume |
| Nested JSON DoS | T1499 (Endpoint Denial of Service) | Parser resource exhaustion |
Limitations
ATT&CK was designed for traditional computing environments. Some MCP-specific attacks have no direct parallel:
- Escalation ladders - gradual trust manipulation over multiple calls
- `list_changed` abuse - exploiting MCP's dynamic capability protocol
- Bidirectional protocol attacks - exploiting the server's ability to send unsolicited messages
ThoughtJack maps these to the closest technique but notes where the mapping is approximate.
OWASP MCP Top 10
The OWASP MCP Top 10 is a categorization of risks specific to Model Context Protocol implementations.
Mapping
| OWASP MCP ID | Risk | ThoughtJack scenarios |
|---|---|---|
| MCP-01 | Tool Injection | rug-pull, prompt-injection |
| MCP-02 | Resource Poisoning | resource-exfiltration, resource-rug-pull |
| MCP-03 | Capability Mutation | rug-pull, resource-rug-pull |
| MCP-04 | Prompt Injection via Tools | prompt-injection, credential-harvester |
| MCP-05 | Data Exfiltration | resource-exfiltration |
| MCP-06 | Denial of Service | slow-loris, nested-json-dos, notification-flood |
| MCP-07 | Protocol Abuse | notification-flood (batch amplify, pipe deadlock) |
| MCP-08 | Unicode/Encoding Attacks | unicode-obfuscation |
| MCP-09 | Trust Boundary Violation | rug-pull, escalation-ladder |
| MCP-10 | Credential Theft | credential-harvester |
Using mappings in reports
When reporting test results, reference both frameworks:
```text
Finding: MCP client follows injected instructions in tool responses
Scenario: prompt-injection
MITRE ATT&CK: T1059.004 (Command and Scripting Interpreter: Unix Shell)
OWASP MCP: MCP-04 (Prompt Injection via Tools)
Severity: High
```
This provides context that security teams can act on regardless of which framework they prefer.
Adding mappings to custom scenarios
When creating custom scenarios, include framework mappings in the OATF attack block:
```yaml
attack:
  id: "my-scenario"
  name: "My Custom Attack"
  severity: high
  classification:
    mappings:
      - framework: mitre_attack
        id: "T1059.004"
      - framework: owasp_mcp
        id: "MCP-04"
```
See OATF Document Schema for the complete field reference.
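As an added example (not ThoughtJack or OATF code), the following checks the `classification.mappings` list of a custom scenario for malformed or unknown framework IDs before it is shipped, and renders the dual-framework report block shown under "Using mappings in reports". The attack block is represented as an already-parsed dict; any OATF field beyond those shown on this page, and the ATT&CK technique names, are assumptions taken from the tables above.

```python
import re

# OWASP MCP Top 10 names, copied from the mapping table above.
OWASP_MCP = {
    "MCP-01": "Tool Injection", "MCP-02": "Resource Poisoning",
    "MCP-03": "Capability Mutation", "MCP-04": "Prompt Injection via Tools",
    "MCP-05": "Data Exfiltration", "MCP-06": "Denial of Service",
    "MCP-07": "Protocol Abuse", "MCP-08": "Unicode/Encoding Attacks",
    "MCP-09": "Trust Boundary Violation", "MCP-10": "Credential Theft",
}
# ATT&CK technique names used on this page (assumed complete enough for the demo).
ATTACK_NAMES = {"T1059": "Command and Scripting Interpreter",
                "T1059.004": "Command and Scripting Interpreter: Unix Shell",
                "T1036": "Masquerading", "T1574": "Hijack Execution Flow"}
# Accepted ID shapes per framework: Txxxx or Txxxx.yyy, and MCP-nn.
ID_FORMAT = {"mitre_attack": re.compile(r"^T\d{4}(\.\d{3})?$"),
             "owasp_mcp": re.compile(r"^MCP-\d{2}$")}

def validate_mappings(attack):
    """Return a list of problems found in attack['classification']['mappings']."""
    problems = []
    mappings = attack.get("classification", {}).get("mappings", [])
    if not mappings:
        return ["no framework mappings present"]
    for m in mappings:
        fw, mid = m.get("framework"), str(m.get("id", ""))
        if fw not in ID_FORMAT:
            problems.append(f"unknown framework {fw!r}")
            continue
        if not ID_FORMAT[fw].match(mid):
            problems.append(f"{fw}: malformed id {mid!r}")
        elif fw == "owasp_mcp" and mid not in OWASP_MCP:
            problems.append(f"owasp_mcp: {mid} is not in the Top 10")
    return problems

def render_report(finding, attack):
    """Render the report block from 'Using mappings in reports' for one scenario."""
    lines = [f"Finding: {finding}", f"Scenario: {attack['id']}"]
    for m in attack["classification"]["mappings"]:
        if m["framework"] == "mitre_attack":
            name = ATTACK_NAMES.get(m["id"], "unnamed technique")
            lines.append(f"MITRE ATT&CK: {m['id']} ({name})")
        elif m["framework"] == "owasp_mcp":
            lines.append(f"OWASP MCP: {m['id']} ({OWASP_MCP.get(m['id'], 'unknown')})")
    lines.append(f"Severity: {attack['severity'].capitalize()}")
    return "\n".join(lines)

# Constructed sample mirroring the OATF attack block above (field names are assumptions).
SAMPLE = {"id": "prompt-injection", "name": "Prompt injection in tool responses",
          "severity": "high", "classification": {"mappings": [
              {"framework": "mitre_attack", "id": "T1059.004"},
              {"framework": "owasp_mcp", "id": "MCP-04"}]}}
```

Running `validate_mappings` in CI over every custom scenario catches a mistyped `MCP-11` or a bare `1059` before the report template ever sees it.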