ASTRIDE: A Security Threat Modeling Platform for Agentic-AI Applications
Article · 2025 · Open Access
DOI: https://doi.org/10.48550/arxiv.2512.04785
AI agent-based systems are becoming increasingly integral to modern software architectures, enabling autonomous decision-making, dynamic task execution, and multimodal interactions through large language models (LLMs). However, these systems introduce novel and evolving security challenges, including prompt injection attacks, context poisoning, model manipulation, and opaque agent-to-agent communication, which are not effectively captured by traditional threat modeling frameworks. In this paper, we introduce ASTRIDE, an automated threat modeling platform purpose-built for AI agent-based systems. ASTRIDE extends the classical STRIDE framework by introducing a new threat category, A for AI Agent-Specific Attacks, which encompasses emerging vulnerabilities unique to agent-based applications, such as prompt injection, unsafe tool invocation, and reasoning subversion. To automate threat modeling, ASTRIDE combines a consortium of fine-tuned vision-language models (VLMs) with the OpenAI-gpt-oss reasoning LLM to perform end-to-end analysis directly from visual agent architecture diagrams, such as data flow diagrams (DFDs). LLM agents orchestrate the end-to-end threat modeling automation process by coordinating interactions between the VLM consortium and the reasoning LLM. Our evaluations demonstrate that ASTRIDE provides accurate, scalable, and explainable threat modeling for next-generation intelligent systems. To the best of our knowledge, ASTRIDE is the first framework to both extend STRIDE with AI-specific threats and integrate fine-tuned VLMs with a reasoning LLM to fully automate diagram-driven threat modeling in AI agent-based applications.
OpenAlex record
- Type: preprint
- Publication date: 2025-12-04
- Authors: Ross Gore, Sachin Shetty, Ravi Mukkamala, Xueping Liang, Wee Keong Ng, Kasun De Zoysa, Nilaan Loganathan
- Landing page: https://arxiv.org/abs/2512.04785
- PDF: https://arxiv.org/pdf/2512.04785
- Open access: yes (OA status: green)
- OpenAlex ID: https://openalex.org/W4417087056
- Cited by: 0 (total citation count in OpenAlex)