Idea
Implement cross-layer attack chain analysis — the defining MAESTRO capability that traces vertical attack propagation across the seven-layer taxonomy (e.g., L2 data poisoning enabling L3 workflow hijack enabling L7 unauthorized action) — so tachi surfaces cascading agentic risks that STRIDE-per-element cannot express.
Detail
Vision
Tachi threat reports and PDF security assessments surface explicit cross-layer attack chains for every Critical and High finding, walking adopters through vertical attack propagation across the MAESTRO seven-layer architecture. Where STRIDE produces a flat list of findings per element, tachi produces correlated chains that show how an exploit at one layer enables an exploit at the next, ending in a concrete business impact. This is the defining MAESTRO capability and the single biggest differentiator for tachi versus generic STRIDE threat modeling tools.
Motivation
Canonical CSA MAESTRO uses a multi-agent financial trading system as its worked example. The example walks an attack path through all seven layers: L1 adversarial examples poisoning price predictions, L2 corrupting historical market data in the vector database, L3 workflow hijacking via prompt injection, L4 container escape accessing inter-agent messaging, L5 log injection hiding malicious trades, L6 policy manipulation disabling compliance checks, and L7 agent impersonation establishing false trust. The result is "unauthorized trades executed under the guise of normal operations." This is the canonical MAESTRO deliverable, and tachi today implements none of it.
Tachi treats MAESTRO as a static post-hoc label on each finding. There is no correlation logic, no narrative walkthrough, and no visualization of how findings relate across layers. Adopters reading our threat report see individual findings with layer tags but have no way to understand cascading risk.
User Stories
As a security engineer running tachi on an agentic system, I want the threat report to show cross-layer attack chains for Critical and High findings, so that I can reason about cascading vertical risk propagation without manually correlating findings across STRIDE categories.
As a CISO reading the PDF security report, I want a visual attack chain diagram showing how an exploit at one layer enables exploits at adjacent layers, so that I can brief executives on end-to-end business impact using a single image instead of reading seventy individual findings.
As a threat modeler, I want the orchestrator to surface which findings share a causal relationship, so that I can prioritize remediation based on chain-breaking controls rather than treating each finding as independent.
As a MAESTRO practitioner, I want tachi to produce the canonical MAESTRO deliverable (cross-layer attack propagation narratives) not just STRIDE findings with a MAESTRO tag, so that tachi is recognized as a full MAESTRO implementation rather than a STRIDE tool with MAESTRO metadata.
As a tachi adopter evaluating the tool, I want at least one example architecture to demonstrate a multi-layer chain end-to-end, so that I can see what the capability looks like before adopting.
Scope Outline
This is a multi-component feature touching orchestration, narrative generation, and PDF assembly. Detailed DoD will come from /aod.define and /aod.spec, but the headline deliverables are:
- Orchestrator correlation logic: Post-finding-generation phase that groups findings into vertical attack paths based on shared component lineage, data flow dependencies, and semantic relationships. Design decision: rule-based correlation (explicit patterns) versus LLM-assisted correlation (semantic similarity).
- Threat report narrative section: New "Attack Chains" section in
threat-report.md that walks Critical and High findings through cascading layer propagation with explicit L1 through L7 references. Each chain includes initial exploit, intermediate cascades, and final business impact.
- PDF security report page: New Typst page rendering attack chains as Mermaid diagrams, placed after the Executive Summary and before the MAESTRO Findings page. Reuses the existing Mermaid-to-PNG pipeline from Feature 112.
- Example architecture update: Regenerate at least one existing example (probably agentic-app) to demonstrate a multi-layer chain, or add a new purpose-built example (see MAESTRO worked example discovery item).
- ADR-020 update: The current ADR describes MAESTRO as "taxonomy overlay, not a pipeline change." Phase 2 breaks that assumption and requires a new ADR documenting the cross-layer correlation architecture.
- Schema addition: Finding schema extended to optionally reference parent/child finding IDs for chain traversal, or a separate attack-chain schema document introduced.
Definition of Done Outline
(Full DoD produced during /aod.define.)
- Orchestrator produces an attack-chains artifact alongside threats.md that enumerates cross-layer chains with finding IDs.
- Threat report includes an Attack Chains section walking Critical and High chains through layer cascades.
- PDF security report has a new page rendering chains as Mermaid diagrams.
- At least one example architecture demonstrates a multi-layer chain end-to-end with matching baseline.
- ADR-020 updated or superseded by a new ADR documenting the correlation architecture.
- Backward compatible: attack chains section is gated (similar to
has-maestro-data) so architectures without detectable chains still render correctly.
- All six example pipeline outputs regenerated.
/aod.analyze passes with no inconsistencies.
References
Parent discovery item: #136 — MAESTRO framework compliance and enhancement
Canonical sources:
Related prior work:
- Feature 112: Attack Path Pages in Security Report PDF — already has Mermaid-to-PNG rendering pipeline that can be reused
- ADR-020: MAESTRO as taxonomy overlay (needs update)
- Feature 084: MAESTRO Layer Mapping (provides the taxonomy this feature builds on)
Context
This is Phase 2 of the MAESTRO compliance initiative captured in #136. It was split from the parent issue per PM recommendation: cross-layer attack chain analysis is substantially larger and higher-impact than the Phase 1 correctness fix, and the PM explicitly noted it "likely scores higher impact than Phase 3 patterns and should not be effort-coupled to it."
Dependency: This feature depends on the Phase 1 correctness fix landing first. Cross-layer attack chain narratives reference canonical layer names (L5 Evaluation and Observability, L6 Security and Compliance, L7 Agent Ecosystem), and shipping chain narratives against non-canonical layer labels would compound the credibility issue #136 fixes. Do not schedule Phase 2 implementation before #136 merges.
Design question: The central design decision is how to correlate findings into chains. Options include rule-based (explicit patterns keyed on STRIDE category + MAESTRO layer + component type), LLM-assisted (semantic similarity across finding descriptions), or hybrid (rules for structural chains, LLM for narrative synthesis). This decision belongs in the Phase 2 ADR and should be resolved during /aod.define.
Visualization note: Feature 112 already implements Mermaid-to-PNG rendering for attack trees in the PDF report. Phase 2 should reuse that pipeline rather than introducing a new visualization stack. Attack chains and attack trees are distinct concepts — trees show branching exploit paths for a single finding, chains show sequential cascading across multiple findings — but they share a rendering substrate.
ICE Score
Impact: 9, Confidence: 6, Effort: 5 = 20
Evidence
Follow-on from #136 per PM recommendation. Canonical MAESTRO sources (CSA, Snyk Labs, Practical DevSecOps) all describe cross-layer attack chain analysis as the defining MAESTRO capability and use a multi-agent financial trading worked example walking L1→L7 attack paths. Tachi today implements zero cross-layer correlation logic — MAESTRO is a static post-hoc label only. This is the single biggest gap between tachi's MAESTRO implementation and the canonical spec.
Metadata
Idea
Implement cross-layer attack chain analysis — the defining MAESTRO capability that traces vertical attack propagation across the seven-layer taxonomy (e.g., L2 data poisoning enabling L3 workflow hijack enabling L7 unauthorized action) — so tachi surfaces cascading agentic risks that STRIDE-per-element cannot express.
Detail
Vision
Tachi threat reports and PDF security assessments surface explicit cross-layer attack chains for every Critical and High finding, walking adopters through vertical attack propagation across the MAESTRO seven-layer architecture. Where STRIDE produces a flat list of findings per element, tachi produces correlated chains that show how an exploit at one layer enables an exploit at the next, ending in a concrete business impact. This is the defining MAESTRO capability and the single biggest differentiator for tachi versus generic STRIDE threat modeling tools.
Motivation
Canonical CSA MAESTRO uses a multi-agent financial trading system as its worked example. The example walks an attack path through all seven layers: L1 adversarial examples poisoning price predictions, L2 corrupting historical market data in the vector database, L3 workflow hijacking via prompt injection, L4 container escape accessing inter-agent messaging, L5 log injection hiding malicious trades, L6 policy manipulation disabling compliance checks, and L7 agent impersonation establishing false trust. The result is "unauthorized trades executed under the guise of normal operations." This is the canonical MAESTRO deliverable, and tachi today implements none of it.
Tachi treats MAESTRO as a static post-hoc label on each finding. There is no correlation logic, no narrative walkthrough, and no visualization of how findings relate across layers. Adopters reading our threat report see individual findings with layer tags but have no way to understand cascading risk.
User Stories
As a security engineer running tachi on an agentic system, I want the threat report to show cross-layer attack chains for Critical and High findings, so that I can reason about cascading vertical risk propagation without manually correlating findings across STRIDE categories.
As a CISO reading the PDF security report, I want a visual attack chain diagram showing how an exploit at one layer enables exploits at adjacent layers, so that I can brief executives on end-to-end business impact using a single image instead of reading seventy individual findings.
As a threat modeler, I want the orchestrator to surface which findings share a causal relationship, so that I can prioritize remediation based on chain-breaking controls rather than treating each finding as independent.
As a MAESTRO practitioner, I want tachi to produce the canonical MAESTRO deliverable (cross-layer attack propagation narratives) not just STRIDE findings with a MAESTRO tag, so that tachi is recognized as a full MAESTRO implementation rather than a STRIDE tool with MAESTRO metadata.
As a tachi adopter evaluating the tool, I want at least one example architecture to demonstrate a multi-layer chain end-to-end, so that I can see what the capability looks like before adopting.
Scope Outline
This is a multi-component feature touching orchestration, narrative generation, and PDF assembly. Detailed DoD will come from
/aod.defineand/aod.spec, but the headline deliverables are:threat-report.mdthat walks Critical and High findings through cascading layer propagation with explicit L1 through L7 references. Each chain includes initial exploit, intermediate cascades, and final business impact.Definition of Done Outline
(Full DoD produced during
/aod.define.)has-maestro-data) so architectures without detectable chains still render correctly./aod.analyzepasses with no inconsistencies.References
Parent discovery item: #136 — MAESTRO framework compliance and enhancement
Canonical sources:
Related prior work:
Context
This is Phase 2 of the MAESTRO compliance initiative captured in #136. It was split from the parent issue per PM recommendation: cross-layer attack chain analysis is substantially larger and higher-impact than the Phase 1 correctness fix, and the PM explicitly noted it "likely scores higher impact than Phase 3 patterns and should not be effort-coupled to it."
Dependency: This feature depends on the Phase 1 correctness fix landing first. Cross-layer attack chain narratives reference canonical layer names (L5 Evaluation and Observability, L6 Security and Compliance, L7 Agent Ecosystem), and shipping chain narratives against non-canonical layer labels would compound the credibility issue #136 fixes. Do not schedule Phase 2 implementation before #136 merges.
Design question: The central design decision is how to correlate findings into chains. Options include rule-based (explicit patterns keyed on STRIDE category + MAESTRO layer + component type), LLM-assisted (semantic similarity across finding descriptions), or hybrid (rules for structural chains, LLM for narrative synthesis). This decision belongs in the Phase 2 ADR and should be resolved during
/aod.define.Visualization note: Feature 112 already implements Mermaid-to-PNG rendering for attack trees in the PDF report. Phase 2 should reuse that pipeline rather than introducing a new visualization stack. Attack chains and attack trees are distinct concepts — trees show branching exploit paths for a single finding, chains show sequential cascading across multiple findings — but they share a rendering substrate.
ICE Score
Impact: 9, Confidence: 6, Effort: 5 = 20
Evidence
Follow-on from #136 per PM recommendation. Canonical MAESTRO sources (CSA, Snyk Labs, Practical DevSecOps) all describe cross-layer attack chain analysis as the defining MAESTRO capability and use a multi-agent financial trading worked example walking L1→L7 attack paths. Tachi today implements zero cross-layer correlation logic — MAESTRO is a static post-hoc label only. This is the single biggest gap between tachi's MAESTRO implementation and the canonical spec.
Metadata