Extending the OWASP Multi-Agentic System Threat Modeling Guide: Insights from Multi-Agent Security Research

📅 2025-08-13
🤖 AI Summary
Existing OWASP threat modeling guidelines inadequately address novel security risks in LLM-driven multi-agent systems (MAS), including planner-executor reasoning collapse, metric overfitting, unsafe delegation escalation, emergent covert coordination, and heterogeneous agent collusion attacks. Method: We propose the first extended threat modeling framework specifically for LLM-MAS. It introduces a novel threat taxonomy encompassing six LLM-MAS-specific risk categories (for example benign objective drift, implicit coordination, and affective prompt manipulation) and designs new detection strategies: coordination assessment, emergent behavior monitoring, and cross-agent hallucination propagation tracing. The framework integrates robustness testing, security mechanism validation, and multi-agent backdoor detection via the MASEC architecture. Contribution/Results: Our framework significantly extends the coverage of OWASP MAS threat modeling to adaptive, autonomously deployed scenarios and improves practical defensive efficacy against LLM-MAS-specific adversarial behaviors.

📝 Abstract
We propose an extension to the OWASP Multi-Agentic System (MAS) Threat Modeling Guide, translating recent anticipatory research in multi-agent security (MASEC) into practical guidance for addressing challenges unique to large language model (LLM)-driven multi-agent architectures. Although OWASP's existing taxonomy covers many attack vectors, our analysis identifies gaps in modeling failures, including, but not limited to: reasoning collapse across planner-executor chains, metric overfitting, unsafe delegation escalation, emergent covert coordination, and heterogeneous multi-agent exploits. We introduce additional threat classes and scenarios grounded in practical MAS deployments, highlighting risks from benign goal drift, cross-agent hallucination propagation, affective prompt framing, and multi-agent backdoors. We also outline evaluation strategies, including robustness testing, coordination assessment, safety enforcement, and emergent behavior monitoring, to ensure complete coverage. This work complements the OWASP framework by expanding its applicability to increasingly complex, autonomous, and adaptive multi-agent systems, with the goal of improving security posture and resilience in real-world deployments.
Problem

Research questions and friction points this paper is trying to address.

Extends OWASP MAS Threat Modeling Guide for LLM-driven architectures
Identifies gaps in modeling failures in multi-agent systems
Introduces new threat classes and evaluation strategies for MAS
Innovation

Methods, ideas, or system contributions that make the work stand out.

Extends OWASP MAS Threat Modeling Guide
Introduces new threat classes and scenarios
Proposes evaluation strategies for MAS security