04 · PRIMERS

Primers: vocabulary first

Short orientations for readers who need vocabulary before threat content makes sense. Each primer is intentionally narrow: enough to read the rest of Helmwart, not a full reference. Click through for the long version.

Agentic systems add concepts that are easy to misread in a threat model: agentic factors, non-determinism, the lethal trifecta, and confused-deputy patterns across agent boundaries. These primers make the threat catalogue easier to navigate.

Read them in any order, but if you're starting from scratch: Agents first, then Agentic Factors (the four properties used in this catalogue), then the topical primers for technologies in your architecture (RAG, MCP, A2A). The Lethal Trifecta primer explains one high-priority topology check used in the product.

Principles

Three foundational security principles highlighted in Helmwart: defence-in-depth, zero-trust, and least-privilege. Read this primer to see how relevant mitigations compose rather than treating the catalogue as a flat list.

DiD · ZT · LP · 3 mitigation clusters · 5 min read

Agents

What we mean by "agent" in this context, and how it differs from a chatbot or workflow engine. The five capabilities, single vs multi-agent, autonomy spectrum, frameworks.

5 capabilities · autonomy spectrum · 4 min read

RAG

Retrieval-augmented generation, why agentic systems lean on it, and why the retrieval surface is a primary attack target. Indexing, chunking, retrieval, generation.

retrieval-attack class · ties to T1 · 3 min read

MCP

Model Context Protocol: how tools and resources get exposed to agents, the three-party trust relationship, and why server-provided content is an agent input boundary.

3-party trust · ties to T16 · T17 · 4 min read

A2A

Agent-to-agent communication patterns, what changes when you go from single-agent to multi-agent, and the seams where authorization most often fails.

multi-agent seams · ties to T9 · T12 · T13 · 5 min read

Agentic factors

Four properties that distinguish agentic systems from conventional software: autonomy, non-determinism, agent identity, and agent-to-agent communication. Read these to understand why familiar threat models miss key risks.

4 factors · cross-cuts every threat · 6 min read

Lethal Trifecta

Simon Willison's three-leg pattern (Jun 2025): an agent with access to your private data, exposure to untrusted content, and the ability to externally communicate. Documented in EchoLeak (M365 Copilot), GitHub MCP, and GitLab Duo. Helmwart fires the △ P U O badge when all three legs reach a single agent on your graph.

P + U + O · topology check, not a finding · 4 min read

Governance

What regulatory frame agentic-AI threat-modelling fits into. The ACM Europe TPC's May 2025 policy brief on systemic risks of agentic AI, the three autonomy tiers it proposes, and where it argues the EU AI Act needs amendment. Useful when you need to defend a Helmwart canvas to GRC, legal, or compliance.

EU AI Act gaps · 3 autonomy tiers · 4 min read