Agent Reliability Engineering (ARE)

The ARE Incident Database.

32 catastrophic agent failures that actually happened, each one cited, each one indexed onto the OWASP Agentic Security Initiative Top 10. Production databases dropped. Credentials read and shipped out. Budgets burned to zero in a loop.

Every entry says plainly whether the failure can be stopped at the action layer, and if it cannot, who owns it instead. A registry you can check beats a list that flatters whoever wrote it.

32
Cited incidents
23
Blocked today
2
Partial, said so
7
Not ours, named

Do not trust it. Run it.

11 entries carry a repro you can copy off the page and execute. No key, no gateway, no account, and nothing leaves your machine. This is the Replit production wipe, reproduced against the free package:

pip install agentx-security-sdk
from agentx_sdk import agentx_protect, is_block

@agentx_protect(agent_id="aredb-repro", action="db_write")
def run_sql(query: str):
    return "EXECUTED"          # the agent never gets here

result = run_sql("DROP TABLE users;")
print(is_block(result))        # True
print(result)                  # the block, and the safe path to take instead

The registry does not take its own word for this either. A test in the repo scrapes the snippet out of every published page and runs it, asserting that the block fires and that the tool body never executed. If a claim ever stops being true, the entry gets reclassified, not reworded.

Where we stand on all 10.

AgentX covers 6 of the 10 OWASP ASI categories at the action layer. Here are the other 4, said out loud, because a security engineer who catches you overclaiming once will never believe the rest.

ASI01Goal hijack
CoveredThe injected goal still has to take an action. That action is denied.
ASI02Tool misuse
CoveredThe dominant class in the registry. Denied at the call.
ASI03Identity and privilege abuse
CoveredCredential reads and scope escalation are denied.
ASI04Supply chain
CoveredInstalling a package the registry reports as malicious is routed to a human.
ASI05Unexpected code execution
CoveredA download piped into a shell is denied.
ASI06Memory and context poisoning
PartialWe scrub the carrier. We do not judge the semantics.
ASI07Insecure inter-agent comms
Not oursStructural. It belongs to the transport, not to an action firewall.
ASI08Cascading failures
CoveredBudget ceilings and the loop breaker stop the cascade.
ASI09Human-agent trust
Not oursA design and disclosure problem, not an interceptable action.
ASI10Rogue agents
PartialWe stop the actions. We do not diagnose the behavior.

Cite it.

Incidents carry a stable identifier, ARE-2026-001 through ARE-2026-032. The identifier is permanent: an entry that turns out to be wrong is marked, never deleted and never renumbered, so a citation always resolves. The data is CC BY 4.0 and the tooling is MIT.

Use the identifiers as the shared reference for the field, the way a CVE number works. That is the whole point of a registry.

Read the registry.

The full database, the taxonomy, the governance model, and the repro test all live in the open.