1 Key Risks
The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Dynatrace Intelligence presents moderate platform-scoped risk with a critical CVE history at the tool execution boundary partially offset by tenant isolation and always-on audit logging.
2 AIRQ Scores
The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Dynatrace Intelligence scores moderate risk with a critical CVE penalty on tool execution partially offset by tenant-level isolation and always-on audit logging.
The agent lands in the Tight Operators quadrant with an attack surface of 4.80, blast radius of 4.63, and defense controls of 8, reflecting contained exposure with partial vendor-implemented safeguards.
Each axis measures a distinct risk dimension: attack surface out of 10, blast radius out of 10, defense controls out of 15, and the composite AIRQ score out of 15.
| Metric | Score | Comments |
|---|---|---|
| AIRQ Score | 4.95 / 15 | Moderate risk posture where a CVE-marked tool execution surface and trifecta-complete status are partially offset by vendor-documented access controls and audit logging. |
| Blast Radius | 4.63 / 10 | Platform-scoped tool authority and workflow automation reach network and credential boundaries but do not extend to arbitrary code execution or file system writes. |
| Attack Surface | 4.8 / 10 | Tool execution drives the highest single-axis score due to CVE-2025-61304; all three trifecta conditions are triggered at vendor-documented confidence. |
| Defense Controls | 8 / 15 | The vendor documents IAM, tenant isolation, and always-on audit logging; prompt injection detection and output DLP are absent from the default configuration. |
3 Attack Surface
Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The agent ingests natural language prompts, telemetry data, and external tool calls across multiple input channels routed to vendor-hosted LLMs without prompt injection filtering.
Higher scores indicate broader architectural exposure; tool execution scores highest due to a critical CVE penalty on the ActiveGate component.
Each row scores the architectural exposure of one attack surface dimension on the documented default configuration.
| Surface | Score | Comments |
|---|---|---|
| User Input | 2 / 4 | Natural language prompts enter through Assist and external tool calls arrive via the MCP server [10] with PII auto-blocking but no prompt injection detection [9]. |
| External Data | 2 / 4 | The agent queries telemetry data from monitored environments through the Grail data lakehouse, a surface where adversarial telemetry manipulation has been demonstrated against AIOps agents [4]. |
| Memory | 1 / 4 | Session-scoped conversational context in Assist with no cross-session learning loop or automated skill codification, limiting memory persistence to individual sessions [9]. |
| Reasoning | 2 / 4 | Multi-step reasoning delegated to vendor-hosted enterprise LLMs on Azure AI and AWS Bedrock with visible tool-call chains in the Assist interface [15]. |
| Planning | 2 / 4 | Multi-step workflow decomposition with scheduling, event triggers, and configurable approval gates executed under scoped Actor permissions [11]. |
| Tool Execution | 4 / 4 | DQL execution, workflow actions, and MCP tool calls operate within scoped permissions [16]; a critical ActiveGate ping extension vulnerability enabled remote code execution via command injection [1]. |
| Orchestration | 2 / 4 | Workflows support multi-step automation with parallel processing, retries, and event-triggered execution, a pattern where rapid exploitation of agentic frameworks has been documented [6]. |
| Inter-Agent | 2 / 4 | The MCP server connects to external agents with token-authenticated tool invocation [10], but model-level tool-call manipulation techniques remain applicable to the integration surface [5]. |
| Output Processing | 1 / 4 | Text-based output with pattern-based redaction covering limited PII categories [9]; no documented DLP or URL sanitization for AI-generated responses. |
| Configuration | 1 / 4 | Platform configuration through validated settings UI and API with MCP server requiring explicit token permissions per tool scope [10]. |
The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Dynatrace Intelligence accepts untrusted prompts through Assist and the MCP server, queries environment-wide Grail data, and routes prompts to external vendor-hosted LLMs for processing.
Dynatrace Intelligence exhibits all three of these conditions in its documented default configuration:
- Untrusted input — User prompts through Assist and tool calls from external MCP clients reach vendor-hosted LLMs after only a PII auto-block; no prompt injection filtering is applied on the way [9].
- Sensitive data — The agent queries the Grail data lakehouse containing environment-wide logs, metrics, traces, entity data, and security problem records through DQL execution [12].
- External egress — Prompts route to vendor-hosted LLMs on Azure AI and AWS Bedrock, and workflows dispatch outbound messages through email, Slack, and integration connectors [8].
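The trifecta rule is easiest to see as a session-level gate: an outbound action is ordinary until the same session has both ingested untrusted content and read sensitive data, and from that point it is held for a human. The following is an added illustration, not Dynatrace code and not part of the original profile. It assumes the operator can observe each tool call before it executes and can map tool names to one of three categories; the tool names and the mapping are hypothetical.

```python
"""Session-scoped gate that fails closed once the Lethal Trifecta completes.

Added illustration, not Dynatrace code. Assumes every tool call in an agent
session is visible (and vetoable) before it runs; tool names and the
TOOL_CATEGORY mapping below are hypothetical.
"""
from dataclasses import dataclass, field

UNTRUSTED = "untrusted_input"   # prompts, external MCP client calls, fetched content
SENSITIVE = "sensitive_read"    # DQL over Grail, entity or security data
EGRESS = "external_egress"      # Slack, email, webhooks, anything leaving the tenant

# Hypothetical tool -> category mapping; a real deployment would derive it
# from the MCP tool scope or the workflow action type.
TOOL_CATEGORY = {
    "assist.user_prompt": UNTRUSTED,
    "mcp.client_call": UNTRUSTED,
    "grail.execute_dql": SENSITIVE,
    "workflow.send_slack": EGRESS,
    "workflow.send_email": EGRESS,
}


@dataclass
class SessionState:
    seen: set = field(default_factory=set)       # categories observed so far
    pending: list = field(default_factory=list)  # egress calls held for a human


def evaluate(session, tool, approved=False):
    """Decide one tool call: 'allow', 'deny' or 'needs_approval'.

    Egress is only held once the session has BOTH ingested untrusted content
    and read sensitive data; that combination is what lets an injected
    instruction exfiltrate. Before that point egress is an ordinary action.
    """
    category = TOOL_CATEGORY.get(tool)
    if category is None:
        return "deny"  # fail closed on tools nobody classified
    if category == EGRESS and {UNTRUSTED, SENSITIVE} <= session.seen:
        if not approved:
            session.pending.append(tool)
            return "needs_approval"
        return "allow"  # explicit human approval, e.g. a Request Approval gate
    session.seen.add(category)
    return "allow"


def run_session(calls):
    """Replay (tool, approved) pairs through one session; return the decisions."""
    session = SessionState()
    return [evaluate(session, tool, approved) for tool, approved in calls]


# Constructed session: prompt, Grail query, then an outbound Slack post.
EXAMPLE_CALLS = [
    ("assist.user_prompt", False),   # untrusted input
    ("grail.execute_dql", False),    # sensitive read
    ("workflow.send_slack", False),  # trifecta complete: held
    ("workflow.send_slack", True),   # same call after approval: released
]

if __name__ == "__main__":
    for call, decision in zip(EXAMPLE_CALLS, run_session(EXAMPLE_CALLS)):
        print(f"{call[0]:<22} -> {decision}")
```

The gate deliberately leaves the first two legs alone: blocking untrusted input or sensitive reads would make the agent useless, whereas holding the third leg only after the other two have occurred removes the exfiltration path at minimal cost. Unclassified tools are denied rather than allowed, so a newly added MCP tool cannot silently become an egress channel.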
4 Blast Radius
The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised session reaches platform-scoped tool authority and workflow automation with bounded network and credential access but no arbitrary code execution.
Higher scores indicate broader downstream reach from a compromised agent session; no single factor dominates here, since every factor except file system access scores 2 / 4.
Each row scores the reach of a compromised agent session across one blast radius dimension on the documented default configuration.
| Factor | Score | Comments |
|---|---|---|
| Code execution | 2 / 4 | DQL query execution and workflow code actions within the platform scope; CVE-2025-61304 demonstrated OS command injection achieving RCE in the ActiveGate ping extension [1]. |
| File system access | 1 / 4 | Read-only access to platform documents, Notebooks, and Dashboards through the Dynatrace platform API with no direct file system write capability [15]. |
| Network access | 2 / 4 | Outbound connections to vendor LLM endpoints, configured integrations, and email and messaging services through platform APIs [8]; the vendor publishes proactive security alerts for network-exposed components [17]. |
| Credential access | 2 / 4 | Token-scoped access through Actor impersonation with integration credential storage; CVE-2025-65176 demonstrated NTLM credential relay in OneAgent [2] disclosed via HackerOne [3]. |
| Autonomous action | 2 / 4 | Workflow scheduling and event-triggered execution with optional approval gates [13]; fully autonomous operation requires explicit operator configuration of the workflow Actor and trigger. |
| Deployment access | 2 / 4 | Workflow integrations can trigger actions in external systems including ServiceNow, Jira, and cloud providers under Actor permission scope [11]. |
5 Defense Controls
Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The vendor documents IAM-based access control, tenant-level data isolation, and always-on audit logging while prompt injection detection and output DLP remain absent.
Higher defense scores indicate stronger vendor-implemented safeguards; monitoring, execution isolation, and action controls tie at 2 / 3, with monitoring the best evidenced because its always-on audit logging is covered by independent audits.
Each row scores a vendor-implemented security control on the documented default configuration with confidence reflecting the verification tier.
| Component | Score | Comments |
|---|---|---|
| Input Guardrails | 1 / 3 | PII detection and auto-blocking for agentic Assist prompts where prompts containing PII are blocked entirely [9]; no documented prompt injection detection or ML-based input filtering. |
| Execution Isolation | 2 / 3 | Cloud-hosted SaaS with dedicated storage per environment, AES-256 encryption at rest, TLS 1.2 and 1.3 in transit [8], and seccomp profiles for K8s operator components [14]. |
| Action Controls | 2 / 3 | IAM-based permission model with granular token scopes, MCP server requiring explicit permissions, and workflow approval gates with Actor impersonation under consent [11]. |
| Output Guardrails | 1 / 3 | Standard generative AI responses undergo PII redaction for a fixed set of sensitive patterns [9]; no documented output DLP or exfiltration channel blocking for agentic responses. |
| Monitoring | 2 / 3 | Always-on Grail-based audit logging with one-year DQL-queryable retention [12] backed by FedRAMP Moderate and SOC 2 Type II certification [7] and proactive vulnerability communication [17]. |
6 Hardening Tips
Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize adding prompt injection detection and output DLP to close the two lowest-scoring defense components before expanding autonomous workflow capabilities.
Input Guardrails
Input guardrails intercept adversarial content before it reaches the reasoning loop.
- Policy Require an internal acceptable-use review of each new team or use case before agentic mode is enabled for it in Dynatrace Assist.
- Configuration Restrict which Grail data tables and buckets Dynatrace Intelligence can access by configuring the environment-aware queries exclusion list.
- Engineering Deploy a prompt injection classifier upstream of the Assist conversational interface to detect and block adversarial input patterns before LLM routing.
Execution Isolation
Execution isolation contains what a compromised agent can do on the host.
- Policy Mandate that all Kubernetes-deployed Dynatrace components including OneAgent use seccomp profiles at the Restricted pod security standard.
- Configuration Enable the RuntimeDefault seccomp profile for OneAgent via the init-container-seccomp-profile feature flag in the DynaKube custom resource [14].
- Engineering Implement network policies restricting outbound connectivity from operator and ActiveGate pods to only the required Dynatrace cluster endpoints.
Action Controls
Action controls govern which tools and actions the agent can invoke autonomously.
- Policy Require the Request Approval action in every workflow that modifies external systems or sends data outside the Dynatrace environment.
- Configuration Scope service user tokens to the minimum permissions required for each workflow Actor by removing broad automation and administration grants.
- Engineering Build a custom workflow gate that cross-references proposed remediation actions against a change-management approval record before execution.
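A gate of this kind, written here as an added illustration rather than Dynatrace's own workflow code: the workflow hands the gate a proposed action, the target entity and the requested execution time, and the gate only allows it if an approved change record covers that exact combination within its window. The record format, field names and the sample records are constructed assumptions about a CMDB or ITSM export, not a real system's schema.

```python
"""Change-management gate for agent-proposed remediation actions.

Added illustration, not Dynatrace code. Assumes approved change records
have been exported as dicts with id, entity, allowed actions, a time window
and a status; the field names and sample records are constructed.
"""
from datetime import datetime

# Constructed change-management records (hypothetical export format).
CHANGE_RECORDS = [
    {"id": "CHG-1001", "entity": "HOST-1A2B", "actions": {"restart_service"},
     "starts": "2025-06-01T08:00:00Z", "ends": "2025-06-01T12:00:00Z",
     "status": "approved"},
    {"id": "CHG-1002", "entity": "HOST-1A2B", "actions": {"scale_out"},
     "starts": "2025-06-01T08:00:00Z", "ends": "2025-06-02T08:00:00Z",
     "status": "pending"},  # not yet approved: must not authorize anything
]


def _parse(ts):
    """Parse an ISO-8601 timestamp; 'Z' is normalized to an explicit UTC offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_authorizing_change(action, entity, at, records=CHANGE_RECORDS):
    """Return the id of an approved change covering (action, entity, at), else None.

    Every condition must hold: status approved, same entity, the action is in
    the record's allowed set, and the requested time is inside the window.
    """
    when = _parse(at)
    for rec in records:
        if rec["status"] != "approved":
            continue
        if rec["entity"] != entity or action not in rec["actions"]:
            continue
        if _parse(rec["starts"]) <= when <= _parse(rec["ends"]):
            return rec["id"]
    return None


def gate(action, entity, at, records=CHANGE_RECORDS):
    """Decision the workflow consumes: allow with a change reference, or block.

    Blocks carry a reason so the workflow can route them into a Request
    Approval step instead of silently dropping the remediation.
    """
    change_id = find_authorizing_change(action, entity, at, records)
    if change_id:
        return {"decision": "allow", "change": change_id}
    return {"decision": "block",
            "reason": f"no approved change covers {action} on {entity} at {at}"}


if __name__ == "__main__":
    print(gate("restart_service", "HOST-1A2B", "2025-06-01T09:30:00Z"))
    print(gate("restart_service", "HOST-1A2B", "2025-06-01T13:00:00Z"))
    print(gate("scale_out", "HOST-1A2B", "2025-06-01T09:30:00Z"))
```

The important property is that the gate fails closed: a pending record, an expired window or an action the record never listed all produce a block, and the block reason is what the operator sees in the Request Approval email rather than a bare denial.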
Output Guardrails
Output guardrails inspect what the agent sends to other systems and users.
- Policy Establish data classification rules that prevent Dynatrace Intelligence from surfacing credentials or secrets found in logs through Assist responses.
- Configuration Configure OpenPipeline masking rules to redact sensitive fields before data reaches the Grail buckets that Dynatrace Intelligence queries.
- Engineering Deploy an output DLP filter on Assist responses to detect and redact credential patterns, API keys, and connection strings.
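One way to build that output filter, as an added example that is not Dynatrace code and not part of the original profile: a pattern list applied to the response before it is returned, redacting only the secret portion of a match so the operator still sees which key or connection string was involved. The patterns are illustrative and assumed; in particular the Dynatrace token layout (`dt0c01.` followed by a 24-character and a 64-character segment) is an assumption to verify against the vendor's token documentation, and the sample response is constructed.

```python
"""Output DLP filter for AI-generated responses.

Added illustration, not Dynatrace code. The patterns are assumptions to be
tuned per environment; the dt0c01.<24>.<64> token shape in particular is an
assumption about the platform token layout. SAMPLE_RESPONSE is constructed.
"""
import re

# (label, regex). Ordered so platform tokens are caught before generic forms.
# A named group 'secret' limits redaction to the sensitive part of the match.
SECRET_PATTERNS = [
    ("dynatrace_token",
     re.compile(r"\bdt0c01\.[A-Z0-9]{24}\.[A-Z0-9]{64}\b")),
    ("aws_access_key_id",
     re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("jwt",
     re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")),
    # keep scheme, user and host; redact only the password component
    ("connection_string",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://"
                r"[^\s:/@]+:(?P<secret>[^\s@]+)@", re.I)),
    # key=value or key: value; '[' is excluded so already-redacted text is skipped
    ("keyval_secret",
     re.compile(r"(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?"
                r"(?P<secret>[^\s'\";,\[]{6,})", re.I)),
]


def _mask(label):
    marker = f"[REDACTED:{label}]"

    def repl(m):
        if m.groupdict().get("secret") is not None:
            start, end = m.span("secret")
            whole = m.group(0)
            return whole[: start - m.start()] + marker + whole[end - m.start():]
        return marker
    return repl


def redact(text):
    """Return (redacted_text, {label: hit_count}) for one response."""
    findings = {}
    for label, rx in SECRET_PATTERNS:
        text, n = rx.subn(_mask(label), text)
        if n:
            findings[label] = n
    return text, findings


def filter_response(text, hold_on=("dynatrace_token",)):
    """Redact, and hold delivery entirely when a label in hold_on fired.

    A platform token in model output means a secret already leaked into the
    data the agent reads; holding the response gives the operator a chance
    to rotate it before the text is shown to anyone.
    """
    redacted, findings = redact(text)
    held = any(label in findings for label in hold_on)
    return {"deliver": not held, "text": redacted, "findings": findings}


# Constructed Assist-style response that quotes secrets found in logs.
SAMPLE_RESPONSE = (
    "Deploy job 4471 failed: DT_API_TOKEN=dt0c01.ABCDEFGHIJKLMNOPQRSTUVWX."
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ01 "
    "was rejected, the S3 upload used AKIAIOSFODNN7EXAMPLE, and the app "
    "connected with postgres://svc:Hunter2!@db.internal:5432/app before "
    "retrying with password: Tr0ub4dor&3 in the env file."
)

if __name__ == "__main__":
    result = filter_response(SAMPLE_RESPONSE)
    print(result["deliver"], result["findings"])
    print(result["text"])
```

The filter runs on the agent's output, so it catches secrets regardless of which log line or tool result they came from; the OpenPipeline masking rules in the configuration tip above are the complementary control on the ingest side, and the two should be kept in step so a pattern redacted at ingest is also recognized on output.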
Monitoring
Monitoring captures what the agent did and surfaces anomalies for review.
- Policy Require quarterly review of Grail audit logs for anomalous agentic activity patterns including unusual DQL query volumes or workflow execution spikes.
- Configuration Forward Grail audit events to the organizational SIEM for centralized alerting, for example through a scheduled workflow that runs a DQL query against the audit bucket [12] and ships the results through an outbound integration connector [8].
- Engineering Build a Davis analyzer that detects anomalous tool-call patterns from agentic sessions and triggers automated alerting on deviation from baselines.
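The core of such an analyzer is a per-principal baseline with a spike rule on top; the following is an added example, not Dynatrace code and not a Davis analyzer definition. It assumes audit events have already been exported from Grail (for instance by a scheduled DQL query) as records carrying a timestamp, the acting principal and an event category; those field names are assumptions about the export, not the Grail audit schema, and the event stream is constructed.

```python
"""Baseline-and-spike detector for agentic audit activity.

Added illustration, not Dynatrace code. Assumes an export of audit records
with 'timestamp', 'principal' and 'category' fields (assumed names, not the
Grail schema). constructed_events() fabricates such an export.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def _hour(ts):
    """Truncate an ISO-8601 timestamp ('Z' or explicit offset) to its hour."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.replace(minute=0, second=0, microsecond=0)


def detect_spikes(events, category, factor=4.0, min_count=20):
    """Flag (principal, hour) buckets whose count of `category` events exceeds
    both min_count and factor times that principal's median of earlier hours.

    Only hours with at least one event enter the history, which biases the
    baseline upward for bursty principals; an operator pulling from Grail
    should fill empty buckets with zero before calling this.
    """
    counts = defaultdict(Counter)  # principal -> hour -> count
    for ev in events:
        if ev["category"] == category:
            counts[ev["principal"]][_hour(ev["timestamp"])] += 1

    findings = []
    for principal, per_hour in counts.items():
        hours = sorted(per_hour)
        for i, hour in enumerate(hours):
            history = [per_hour[h] for h in hours[:i]]
            if not history:
                continue  # first observed hour has nothing to compare against
            baseline = median(history)
            n = per_hour[hour]
            if n > min_count and n > factor * baseline:
                findings.append({"principal": principal, "hour": hour.isoformat(),
                                 "count": n, "baseline": baseline})
    return sorted(findings, key=lambda f: (f["hour"], f["principal"]))


def constructed_events():
    """Synthetic export: a workflow service user runs 5 DQL queries an hour for
    six hours and 60 in the seventh, plus a quiet human user and one workflow
    run per hour that must not trip the DQL rule."""
    base = datetime(2025, 6, 1, tzinfo=timezone.utc)
    events = []
    for hour in range(7):
        n = 60 if hour == 6 else 5
        for i in range(n):
            ts = base + timedelta(hours=hour, minutes=i)
            events.append({"timestamp": ts.isoformat().replace("+00:00", "Z"),
                           "principal": "svc-workflow-actor", "category": "dql.execute"})
        ts = base + timedelta(hours=hour, minutes=15)
        events.append({"timestamp": ts.isoformat().replace("+00:00", "Z"),
                       "principal": "alice", "category": "dql.execute"})
        events.append({"timestamp": ts.isoformat().replace("+00:00", "Z"),
                       "principal": "svc-workflow-actor", "category": "workflow.execute"})
    return events


if __name__ == "__main__":
    for f in detect_spikes(constructed_events(), "dql.execute"):
        print(f)
```

Keying the baseline on the principal matters because workflow Actors and service users have very different normal query rates from humans; a single global threshold would either miss a runaway service user or page on every analyst. The min_count floor keeps a principal that goes from one query to five from generating noise.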
7 References
The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.
Selected Vulnerabilities
- [1] CVE-2025-61304: OS command injection in the Dynatrace ActiveGate ping extension (CVSS 9.8, Critical). Crafted IP address input leads to remote code execution with the ActiveGate service privileges. Fixed in extension versions later than 1.016.
- [2] CVE-2025-65176: NTLM relay vulnerability in Dynatrace OneAgent (CVSS 7.5, High). A failed network share access triggers user token retrieval and impersonation, enabling credential theft. Fixed in OneAgent 1.325.47.
- [3] HackerOne Report 3313408: third-party disclosure for CVE-2025-65176 filed through the Dynatrace HackerOne bug bounty program, documenting the OneAgent NTLM relay attack vector.
Selected Research
- [4] AIOpsDoom: Subverting LLM-driven IT Operations. Demonstrates automated adversarial telemetry manipulation against AIOps agents via reward hacking, showing that crafted system telemetry can mislead agents into compromising the infrastructure they manage.
- [5] HiddenLayer, Agentic ShadowLogic. Demonstrates tool-call argument manipulation through a backdoor in the model's computational graph, relevant to MCP-based agent architectures.
- [6] CSA Research Note on Agentic Framework Exploitation. Cloud Security Alliance analysis documenting sub-four-hour weaponization timelines for agentic AI framework vulnerabilities, including unauthenticated workflow execution.
Vendor Documentation
- [7] Dynatrace Trust Center. Public trust center listing compliance certifications, including FedRAMP Moderate, ISO 27001:2022 and SOC 2 Type II, with links to audit documentation.
- [8] Dynatrace Data Security Controls. Documents AES-256 encryption at rest with unique, rotated keys, TLS 1.2 and 1.3 in transit, and annual third-party audits.
- [9] Dynatrace Intelligence AI Privacy and Security. Documents PII masking for standard generative AI prompts and PII auto-blocking for agentic Assist, and confirms that the enterprise LLM vendors do not store prompts or use them for training.
- [10] Dynatrace MCP Server Documentation. Documents the MCP server tool surface, the token permissions each tool requires, and integration instructions for external MCP clients.
- [11] Dynatrace Workflow Permissions. Documents the IAM-based workflow permission model, Actor impersonation with consent requirements, and service user restrictions for automated execution.
- [12] Dynatrace Audit Logs on Grail. Documents always-on Grail-based audit logging that cannot be disabled, with one-year retention and DQL queryability for all configuration changes.
- [13] Dynatrace Workflow Approval Action. Documents the Request Approval workflow action, an email-based human-in-the-loop gate with a 24-hour timeout and approve or decline state handling.
- [14] Dynatrace Seccomp Profiles for Kubernetes. Documents seccomp profiles for Kubernetes deployments: operator components use RuntimeDefault while OneAgent runs unconfined by default.
Other Sources
- [15] Dynatrace Intelligence Product Overview. Vendor product page describing the agentic operations platform, which combines deterministic causal AI with autonomous agents for prevention, remediation and optimization at scale.
- [16] Dynatrace MCP Server Repository. Open-source repository documenting tool definitions, authentication scopes and integration patterns for connecting external agents to the Dynatrace platform.
- [17] Dynatrace Security Alert CVE-2026-31431. Vendor security alert demonstrating proactive vulnerability communication; it confirms that the OneAgent, ActiveGate and Operator components are not affected by the Linux kernel local privilege escalation.