Blast Radius¶

Maps the full impact chain from a CVE to the business assets at risk.

How it works¶

CVE → Package → MCP Server → Agent → Credentials + Tools

For each vulnerability found, agent-bom traces:

Which package is affected
Which MCP servers depend on that package
Which AI agents (clients) connect to those servers
Which credentials are accessible through those agents
Which tools an attacker could invoke

Usage¶

# CLI
agent-bom scan   # blast radius is included in scan output

# MCP tool
blast_radius(cve_id="CVE-2024-21538")

Scoring¶

Each CVE gets a blast radius score (0–10) factoring in:

CVSS base score
EPSS exploit probability
Number of affected agents
Credential exposure count
Tool access scope
CISA KEV listing (known exploited)

Context graph¶

The context_graph tool extends blast radius with lateral movement analysis — BFS traversal showing how compromising one server can reach others through shared agents.

# MCP tool
context_graph()