Unified offensive-security toolkit for Multi-Agent Systems: MQTT/AMQP IoT swarms and MCP/A2A LLM agents. Aligned with OWASP Agentic Top 10 (2026).

Project description

🛡️ MAS-Sentry-Toolkit

Unified offensive-security toolkit for Multi-Agent Systems — from MQTT-based IoT swarms to MCP-driven LLM agents. Aligned with OWASP Top 10 for Agentic Applications (2026) and powered by ABFP behavioral fingerprinting.

Why MAS-Sentry

The MAS security landscape changed twice in 2024–2026:

  1. Anthropic's Model Context Protocol (MCP) became the de facto standard for LLM agent tooling — and brought a fresh class of architectural vulnerabilities (STDIO RCE affecting 200K+ servers, tool poisoning, indirect prompt injection).
  2. OWASP released the Top 10 for Agentic Applications (Dec 2025) — formalising ASI01–ASI10 risks.

Existing tools cover either classical IoT messaging (MQTT/AMQP) or LLM-agent risks. MAS-Sentry covers both under one threat model.

What's inside

| Module | Targets | Maps to |
|---|---|---|
| protocols/mqtt | Mosquitto, EMQX, HiveMQ, VerneMQ | IoT/Robotic MAS |
| protocols/amqp | RabbitMQ, ActiveMQ | Enterprise MAS |
| protocols/mcp | Anthropic MCP servers (STDIO / HTTP+SSE / streamable HTTP) | LLM agent tooling |
| protocols/a2a | Google A2A inter-agent protocol | Agent-to-agent comms |
| agents/abfp | Any pub/sub agent | Behavioral fingerprinting |
| agentic/asi01-10 | LangChain / CrewAI / AutoGen / MCP hosts | OWASP Agentic Top 10 |
| threat_modeling | All findings | STRIDE + ASI + CWE + CVE refs |
| reporting | All scans | HTML / PDF / SARIF / JUnit / HackerOne preset |

🔬 ABFP — Agent Behavioral Fingerprinting Protocol

The core research contribution. Builds a unique fingerprint per agent across five dimensions:

| Dimension | Measured |
|---|---|
| 📡 Topic Graph | Pub/sub topology and pattern |
| ⏱️ Timing Cadence | Inter-publish interval, latency, burst signature |
| 📦 Payload Signature | Size distribution, encoding, schema entropy |
| 🔗 Interaction Graph | Agent-to-agent communication direction and frequency |
| 🧠 State Inference | FSM state inferred from message sequence |

Phases: passive learning → fingerprint build → active probing → anomaly scoring → STRIDE-mapped threat report.

Enables: rogue agent detection, impersonation attacks, privilege escalation detection, zero-day interaction-vuln discovery, forensic attribution without credentials.
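
The learn-then-score flow described above, applied defensively to flag a client id whose behaviour drifts from its learned baseline. This is an added example, not MAS-Sentry's or ABFP's own code: it covers only the topic, timing and payload dimensions, and the weights, scaling factors, topic names and sample traffic are assumptions constructed for illustration.

```python
import math
from collections import Counter
from statistics import mean, pstdev

def entropy(payload: bytes) -> float:
    """Shannon entropy of a payload in bits per byte."""
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values()) if n else 0.0

def fingerprint(msgs):
    """Build a profile from time-ordered (timestamp_s, topic, payload) tuples of ONE client id."""
    ts = [t for t, _, _ in msgs]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    sizes = [len(p) for _, _, p in msgs]
    return {
        "topics": {topic for _, topic, _ in msgs},          # topic graph
        "gap": (mean(gaps), pstdev(gaps)),                  # timing cadence
        "size": (mean(sizes), pstdev(sizes)),               # payload signature
        "entropy": mean(entropy(p) for _, _, p in msgs),    # payload signature
    }

def _z(value, mu, sigma, floor):
    """Deviation in baseline standard deviations; the floor keeps sigma=0 safe."""
    return abs(value - mu) / max(sigma, floor)

def anomaly_score(base, obs):
    """Return 0-100: how far an observed window drifts from the learned baseline."""
    topic_part = len(obs["topics"] - base["topics"]) / len(obs["topics"])
    gap_part = min(_z(obs["gap"][0], *base["gap"], floor=0.1) / 5, 1.0)
    size_part = min(_z(obs["size"][0], *base["size"], floor=1.0) / 5, 1.0)
    ent_part = min(abs(obs["entropy"] - base["entropy"]) / 4, 1.0)
    # Weights and scaling are illustrative assumptions, not ABFP's values.
    return round(100 * (0.4 * topic_part + 0.2 * (gap_part + size_part + ent_part)))

# Constructed sample traffic (not captured from a real broker).
BASELINE = [(5.0 * i, "factory/r17/telemetry", b'{"temp": 21.%d}' % (i % 10)) for i in range(12)]
SAME = [(100 + 5.0 * i, "factory/r17/telemetry", b'{"temp": 22.%d}' % (i % 10)) for i in range(12)]
DRIFT = [(200 + 0.5 * i, "factory/r18/cmd" if i % 2 else "factory/r17/telemetry",
          bytes(range(64))) for i in range(12)]

if __name__ == "__main__":
    base = fingerprint(BASELINE)
    for name, window in (("same", SAME), ("drift", DRIFT)):
        print(name, anomaly_score(base, fingerprint(window)))
```

The DRIFT window scores high because the same client id starts publishing to a topic it never used, ten times faster, with larger and higher-entropy payloads; each of those alone contributes only part of the score.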

OWASP Agentic Top 10 (2026) coverage

| ID | Risk | Module |
|---|---|---|
| ASI01 | Agent Goal Hijack | agentic/goal_hijack |
| ASI02 | Tool Misuse & Exploitation | agentic/tool_misuse |
| ASI03 | Identity & Privilege Abuse | agentic/identity_abuse |
| ASI04 | Memory Poisoning | agentic/memory_poisoning |
| ASI05 | Cascading Failure | agentic/cascade |
| ASI06 | Untraceable Actions | agentic/action_audit |
| ASI07 | Resource Exhaustion | agentic/resource_exhaustion |
| ASI08 | Supply Chain | agentic/supply_chain |
| ASI09 | Human-Agent Trust Exploit | agentic/trust_exploit |
| ASI10 | Rogue Agent | agentic/rogue_agent (ties to ABFP) |

Full mapping in THREAT_MODEL.md.

Quick start

pipx install mas-sentry-toolkit
mas-sentry doctor
mas-sentry mqtt scan --target 192.168.1.10
mas-sentry mcp scan --target stdio://./vuln-server --checks all
mas-sentry abfp scan --target mqtt://broker.lab --duration 60
mas-sentry agentic scan --target http://langchain-app.lab --asi all

Run the included vulnerable lab:

docker compose -f lab/docker-compose.yml up -d
mas-sentry mqtt scan --target localhost:1883
mas-sentry mcp scan --target stdio://lab/vuln-mcp/server.py

⚖️ Legal & Scope

Active modules require explicit scope confirmation. Use only on assets you own or have written authorization to test. Designed for legal contexts: HackerOne / Bugcrowd / Intigriti / Immunefi programs and internal red-team engagements. See SECURITY.md.

License

GNU Affero General Public License v3.0 or later. The author retains copyright and may grant commercial licenses separately.

ABFP — Quick demo

# 1. Start the lab broker (Mosquitto + 3 sample agents)
docker compose -f lab/docker-compose.yml up -d

# 2. Run a 60-second ABFP passive scan
mas-sentry abfp scan --target mqtt://localhost:1883 --duration 60

# 3. Open the generated HTML report
xdg-open reports/abfp.html

Output snapshot:

+-----------------------+-------+----------+
| Agent                 | Score | Severity |
+-----------------------+-------+----------+
| inferred_sensors      |   12  |  INFO    |
| factory_robot_r17     |   78  |  HIGH    |
+-----------------------+-------+----------+

Download files

Source Distribution

mas_sentry_toolkit-0.2.1.tar.gz (183.2 kB)

Uploaded Source

Built Distribution

mas_sentry_toolkit-0.2.1-py3-none-any.whl (138.0 kB)

Uploaded Python 3

File details

Details for the file mas_sentry_toolkit-0.2.1.tar.gz.

File metadata

  • Download URL: mas_sentry_toolkit-0.2.1.tar.gz
  • Upload date:
  • Size: 183.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for mas_sentry_toolkit-0.2.1.tar.gz
Algorithm Hash digest
SHA256 82ecd197ba3cd342b8ea3f512898ddf4b1cd7bdd6b8c273e6a31b97d278ab13f
MD5 d93f6445ab1aa65903eab6455f8fac6e
BLAKE2b-256 ffc9ac90eef65fffc5aac242ac2f2e60cd8042ce7488b49e5f45e87abafc65db

Provenance

The following attestation bundles were made for mas_sentry_toolkit-0.2.1.tar.gz:

Publisher: release.yml on evkir/mas-sentry-toolkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file mas_sentry_toolkit-0.2.1-py3-none-any.whl.

File hashes

Hashes for mas_sentry_toolkit-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 37ffd9eb6e809690bbbea4393aa1d805047ff8cf6becd7c5e4a7d5bcf27e2963
MD5 10ffd8fe814cde1482b8dcbff8d56d5d
BLAKE2b-256 831114817e435c0ea6b3634d6494ee63951b4cddcf07e1ea38c03fbc676dc65c

Provenance

The following attestation bundles were made for mas_sentry_toolkit-0.2.1-py3-none-any.whl:

Publisher: release.yml on evkir/mas-sentry-toolkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
