OWASP Releases Agent Memory Guard to Defend AI Agents Against Memory Poisoning Attacks
OWASP has released Agent Memory Guard, an open-source runtime defense layer that protects AI agents from memory poisoning attacks targeting persistent stores like conversation history and vector databases.
OWASP has released Agent Memory Guard, an open-source runtime defense layer designed to protect AI agents from memory poisoning attacks. The tool addresses a growing threat where attackers plant malicious text in persistent memory stores—such as conversation history, vector databases, scratchpads, or RAG indexes—to override agent instructions, exfiltrate user data, or manipulate tool calls across sessions. Because AI agents read back from these stores as privileged inputs, a single poisoned entry can have lasting effects.
Agent Memory Guard sits between an agent and its memory store, screening every read and write through a pipeline of detectors and a YAML policy. It is the OWASP reference implementation for ASI06 (Memory Poisoning), one of the entries in the OWASP Top 10 for Agentic Applications. The guard includes five core detection categories: SHA-256 baselines to flag out-of-band tampering with immutable keys, built-in detectors for prompt injection markers, secret and PII leakage, protected-key modifications, and size anomalies. A YAML policy maps each finding to an action—allow, redact, quarantine, or block—and every decision emits a structured SecurityEvent. Point-in-time snapshots allow operators to roll memory back to a known-good state.
Benchmark results show strong performance: 92.5% recall, 100% precision, and a zero false positive rate across 55 test cases (40 attack payloads and 15 benign samples), with median latency of 59 microseconds. Prompt injection and protected-key tampering each scored 100% detection, while sensitive data leakage reached 83% and size anomaly reached 80%. The three missed payloads included two API tokens with lengths slightly exceeding fixed-length regex patterns and one nested JSON structure just under the 64KB threshold. Project creator Vaishnavi Gudur noted that higher-recall regex variants and adaptive threshold calibration are planned for v0.3.0.
Evasion remains a concern since the open-source code and visible YAML policy allow attackers to read the rules. Gudur described the current detectors as a first layer in a defense-in-depth design, with protected-key checks and SHA-256 integrity providing robust protection against bypass. Sensitive-data matching is more exposed to encoding tricks like base64 or homoglyphs. Future versions will add adaptive evasion testing through AgentThreatBench, ML-based anomaly detection in v0.4.0, and a plugin interface for custom detectors in v0.3.0.
Agent Memory Guard is available for free on GitHub, offering a practical solution for teams building AI agents that need to secure their memory against poisoning attacks.