research // threat landscape← Threat landscape
Threat Landscape — Version History
The threat landscape is a living document. As new adversarial vector classes emerge and our exposure heuristics sharpen, we publish a new version rather than editing the last one in place. This page records what changed in each release, latest first.
CHANGELOG · Current version V0.2 · Last updated May 2026
V0.2May 2026
Expanded vector coverage and a revised availability model.
- —Added a markdown-exfiltration vector class covering rendered output that smuggles prior-turn content to an attacker host via image and link references.
- —Expanded tool-shadowing coverage to include agent-to-agent channels where a low-trust tool impersonates or overrides a higher-trust one.
- —Revised the denial-of-wallet (DoW) exposure model to separate token amplification from recursive tool loops and to express exposure as attacker effort versus operator cost.
V0.1Feb 2026
Initial public release.
- —Initial public release of the threat landscape: 9 vector classes spanning direct and indirect injection, retrieval poisoning, output-handling, and excessive agency.
- —Introduced severity bands aligned with the LogicLeak severity model.
- —Published exposure heuristics for estimating which vector classes apply to a given deployment surface.