AI SHIELD

Real-time interception of direct and indirect prompt injection across all agent input channels. Covers goal hijacking, instruction override, role manipulation, token smuggling, and context overflow patterns. OWASP LLM01 mapped. Sub-50ms detection on every inference call.

Detects adversarial ML attacks against vision and text models — FGSM, PGD, CW, patch attacks, and semantic adversarial examples. Validates inputs before they reach model inference. Integrates with NIGHTFALL FORGE test findings to generate blocking rules automatically.

Continuous behavioural monitoring of live AI agents. Detects anomalous tool call sequences, memory write patterns, inter-agent messaging abuse, and goal-state drift. Works across LangChain, AutoGen, CrewAI, and custom agent frameworks via the AI Shield instrumentation layer.

Purpose-built for Non-Terrestrial Network AI systems. Covers satellite-ground link injection, feed manipulation, orbital command spoofing, and firmware integrity verification. SPARTA framework mapped. Supports LEO, MEO, GEO, and HAPS deployments with latency-tolerant detection pipelines.

Runtime enforcement at the agent memory layer. 28 detectors across 7 attack categories covering injection, retrieval hijack, dormant triggers, cross-session persistence, context window attacks, exfiltration, and provenance forgery. Works across 12 backends: Mem0, MemGPT, Zep, LangChain, LlamaIndex, ChromaDB, Pinecone, Weaviate, Qdrant, pgvector, Claude memory, and GPT memory. Ed25519-signed evidence receipts on every detection. SIEM export to Splunk, Sentinel, and QRadar.

Client-side MCP runtime guardian. 28 detectors across 7 attack categories: tool description injection, sampling hijack (Unit42 createMessage vector), STDIO command injection (CVE-2026-22252), SSE stream manipulation (CVE-2026-22688), JSON-RPC message forgery, protocol downgrade (CVE-2025-54136), schema drift, tenant isolation bleed, prompt injection via tool returns, and capability escalation. Session quarantine with TTL enforcement. SHA-256 hash-chained evidence receipts on every detection. Defensive pair to NIGHTFALL ROGUE (Tool 61).

Real-time token economics monitoring across OpenAI, Anthropic, Azure, Bedrock, and Vertex AI deployments. 8 detectors: token burn rate anomaly, context flood detection, parallel session surge, tool chain amplification, rate limit storm, billing threshold proximity, recursive loop identification, and cost anomaly baselining. Automatically throttles and quarantines runaway agent sessions before they trigger auto-reload billing cycles. Defensive pair to NIGHTFALL SPECTER BURN (Tool 76).

Detects and blocks attacks against extended thinking and chain-of-thought reasoning pipelines. 8 detectors: premise injection interception, conclusion drift monitoring, scratchpad exposure prevention, budget exhaustion detection, chain corruption fingerprinting, authority injection blocking, epistemic manipulation, and reasoning loop termination. Supports Claude Extended Thinking, o1/o3, Gemini Flash Thinking, DeepSeek R1, and QwQ-32B. Defensive pair to NIGHTFALL SPECTER REASONER (Tool 75).

Continuous model behavioural monitoring for sleeper-agent backdoor detection and integrity assurance. 8 components: trigger activation detection, covert exfil pattern analysis, behavioural baseline deviation scoring, output entropy anomaly, dormant trigger scanner, response volatility tracking, token distribution anomaly detection, and baseline profiler. Detects ROME rank-one weight edits, LoRA-poisoned adapters, and neuron-patch backdoors in production. Defensive pair to NIGHTFALL SPECTER NEURON (Tool 74).

Real-time security enforcement layer for AI inference gateways and model routers. 8 detectors: SQL injection through LLM API parameters (CVE-2026-42208), SSRF via model endpoint routing (CVE-2026-33626), remote code execution via tool call injection (CVE-2026-41264), system prompt leakage, API route hijack, unauthorised model access, token overrun attacks, and credential harvest via malformed inference requests. Blocks malicious requests before they reach the model layer.

Runtime protection for computer-use and browser-automation agents. 8 detectors: DOM divergence detection, visual prompt injection via screenshot content, clipboard poisoning intercept, URL fragment injection blocking, sensitive action gate (payments, auth changes, file deletion), fake dialog recognition, session token exposure prevention, and homoglyph/IDN domain spoofing. Human-in-the-loop gating for high-risk actions. Defensive pair to NIGHTFALL GHOST OPERATOR (Tool 73).

Detects AI-assisted ransomware operations against agent-connected file systems and infrastructure. 8 detectors: file entropy analysis (Shannon entropy spike detection across 37 ransomware families), shadow copy destruction, mass file modification, ransom note placement (50+ known filenames), C2 beacon via LLM API (base64/JSON/zero-width steganography), lateral movement patterns, data staging before exfiltration, and cryptographic key operation monitoring. Defensive pair to NIGHTFALL SPECTER CRYPT (Tool 82).

Security monitoring for non-human identities — service accounts, API keys, OAuth clients, JWTs, and machine credentials operating within AI agent fleets. 8 detectors: API key exposure (14 providers including OpenAI, Anthropic, AWS, Azure, GCP, GitHub), token lifetime violations, privilege escalation, cross-tenant identity bleed, OAuth flow abuse, JWT algorithm confusion and header manipulation, credential stuffing, and machine identity exfiltration. SHA-256 hash-chained evidence on every detection.

Detects autonomous AI adversary campaign execution in progress. 8 detectors: OODA loop pattern recognition (Observe-Orient-Decide-Act cycling at machine speed), multi-phase kill chain correlation across recon/intrusion/privilege/persistence/exfil/destroy, autonomous orchestration signal detection (fleet spawning depth, agent count), tool chain amplification, campaign persistence establishment, WARLORD-class campaign pattern matching, SPECTER EXTINCTION precursor signals (annihilation keywords, deadman triggers), and coordinated machine-precision timing anomaly. Closes the complete G11 blind spot. Defensive pair to NIGHTFALL NEMESIS · WARLORD · FIREBALL · OMEGA · SPECTER EXTINCTION.

First-phase attack detection — catches reconnaissance before exploitation begins. 8 detectors: AI-native surface enumeration (AI endpoint probing, OpenAPI discovery, MCP registry scanning), authenticated discovery probing (OIDC/OAuth well-known endpoints, multi-scheme credential testing), dark web enumeration signatures (onion address queries, Tor circuit rotation, WormGPT/FraudGPT/DarkGPT service targeting), systematic endpoint scanning (sequential/fuzzing patterns, IDOR enumeration), agent fingerprint probing (NIGHTFALL tool signature detection, version/stack disclosure), credential harvest recon (cloud IMDS access, .env/.aws/credentials targeting), infrastructure mapping (RFC 1918 subnet scanning, port sweeps), and passive recon baseline deviation. Closes the complete G01 blind spot. Defensive pair to NIGHTFALL ORION · SHADOWMAP · IDRIS · RAVEN · SHROUD · PHANTASM · SPECTER DAEMON.

Detects template-interpolation RCE attacks across AI framework deployments. 8 detectors: Jinja2 SSTI (class traversal, MRO enumeration, lipsum/cycler/joiner gadgets), YAML unsafe-load (!!python/object/apply, !!python/object/new, __reduce__), LangChain template RCE (PromptTemplate injection, f-string bypass, chain output recycling), multi-framework RCE pattern (Flowise eval/Function, Haystack YAML class-loading, AutoGen code_execution_config, CrewAI tool injection, DSPy settings poison), generic SSTI across Mako/Tornado/Chameleon, code execution via template (eval/exec/os.system/subprocess/base64 decode chains), template filter bypass (|attr() chains, unicode encoding, request|attr gadgets), and cross-framework poison propagation. Defensive pair to NIGHTFALL T79 SPECTER SHELL.

Detects self-replicating adversarial prompt worm propagation across AI agent networks. 8 detectors: multi-hop propagation (hop count and agent spread thresholds), RAG corpus infection (poisoned document store/retrieve cycles, indirect prompt injection), MCP tool poison propagation (description override, zero-width/BiDi steganography, base64 hidden payloads), A2A message infection (broadcast amplification, recursive spawn, Morris II relay patterns), worm signature detection (Morris II verbatim-repeat, Nakash/Greshake, AutoGen code-gen worm, email/document worm), replication attempt pattern (11 critical patterns including CLAUDE.md/.mcp.json/.cursorrules modification), cross-agent payload correlation (hash-matching across agent sessions), and infection chain tracking (generation numbering, exponential branching detection). CVE-2026-52001. Defensive pair to NIGHTFALL T80 SPECTER WORM.

Runtime detection of memory-layer attacks against AI agents — operationalises defence against the Memory-as-Control-Flow Attack (MCFA, arXiv:2603.15125). 8 detectors: memory injection (adversarial instructions in retrieved memory chunks), control flow hijack (MCFA pattern — memory redirecting agent execution), cross-session persistence (payloads persisting across sessions), memory override (replacement/resequencing triggers), RAG poisoning via memory (adversarial corpus injection), dormant trigger (sleeper payloads with conditional activation), memory exfiltration channel (covert data staging in memory fields), and memory provenance forgery (false origin claims, trust-level manipulation). Defensive pair to NIGHTFALL T77 SPECTER MEMETIC.

Detects slopsquatting and hallucinated package attacks targeting AI coding agents. When an AI agent hallucinates a package name, threat actors register that name and wait — SLOPSHIELD catches the attempt before install. 8 detectors: hallucinated package detection (40+ known-hallucinated names, generic-suffix pattern matching), typosquatting check (Levenshtein distance ≤ 2 from top-100 packages), phantom dependency injection (unverified packages in agent-generated code), malicious package substitution (25+ confirmed substitution pairs), package name confusion (Unicode homoglyphs, hyphen/underscore variants), supply chain validation (ecosystem naming conventions, import-name mismatch), AI-generated import anomaly (non-existent API functions), and slopsquatting signature (Lanyado/Imperva research corpus). Defensive pair to NIGHTFALL T59 PHANTOM SKILL.

Runtime detection of deepfake, multimodal, and social engineering attacks against AI agents. Closes G10 of the NIGHTFALL taxonomy. 8 detectors: deepfake media detection (GAN artifacts, synthetic creation tool markers, TTS fingerprints), visual prompt injection (adversarial overlays, embedded instruction text, SPECTER PRISM LENS patterns), audio injection (ultrasonic commands ≥17kHz, WhisperInject-class 19kHz encoding, room acoustic manipulation), synthetic identity detection (AI-generated profiles, zero-EXIF headshots, uniform biography patterns), social engineering patterns (50+ authority/urgency/trust manipulation signatures), multimodal payload correlation (cross-modal fragment assembly, text+image+audio contradiction detection), steganographic content detection (EXIF/ID3/subtitle injection, zero-width Unicode, BiDi override), and adversarial typography (QR code payloads, adversarial signage, homoglyph substitution). Defensive pair: NIGHTFALL G10 — SPECTER SOCIAL · MIRAGE · VANTAGE · MIMIC · SPECTER PRISM.

Runtime detection of supply chain and build pipeline attacks against AI agent deployments. Closes G07 of the NIGHTFALL taxonomy. 8 detectors: dependency confusion attack (namespace hijacking, version-override anti-patterns, unexpected registry sources), CI/CD pipeline poison (GitHub Actions with unverified actions, curl|bash patterns, self-hosted runner escalation), framework RCE pattern (LangChain/AutoGen/CrewAI/Haystack execution-capable components with untrusted input), malicious dependency injection (30+ confirmed malicious package names, version range widening), build artifact tampering (Docker digest mismatch, unexpected binary in pure-Python wheels, lock file hash mismatch), supply chain worm propagation (recursive dependency file modification, postinstall multi-repo spread), platform framework backdoor (trust_remote_code, HuggingFace executable model cards, SDK endpoint hijack), and code signing bypass (--no-verify flags, PYTHONPATH manipulation, unverified local installs). Defensive pair: NIGHTFALL G07 — HYDRA · PIPELINE · SPECTER SHELL · SPECTER WORM · SPECTER PLATFORM.

Real-time detection of attacks against robotic systems and embodied AI platforms. 8 detectors: URScript injection, ROS2 unauthorised access, dual-channel safety bypass (BadRobot arXiv:2407.20242v4 / Blindfold arXiv:2603.01414), ISO 10218-1/TS 15066 safety threshold violations, robotic credential abuse, unsigned artifact injection (CWE-345), robotic lateral movement, phantom control detection. 268 tests.

Real-time detection of attacks against computer-use and browser agents. 8 detectors: visual prompt injection (STATIC/ADINJECT/hidden CSS), URL manipulation (CVE-2025-47241 userinfo bypass, IDNA homograph, dangerous schemes), branch steering (CaMeLs arXiv:2601.09923, indirect injection), chain action anomaly (payment/wipe/IAM/code-exec from web content), escape attempt (file protocol, path traversal, settings file write, shell metacharacters), OAuth consent spoof (scope inflation, fake provider domains, Meta blue clone), exfil channel (base64 URL params, DNS tunnelling, credential-in-body), session anomaly (rapid navigation, off-task domains, cross-origin data send). Defensive pair: T101 SPECTER WEB. 215 tests.

Runtime defence for ML training and inference infrastructure. 8 detectors: Ray job anomaly (CVE-2023-48022 unauthenticated RCE, zero-CPU zombie jobs, detached C2 jobs), Slurm REST abuse (CVE-2023-41915 privesc, mass-node worm submission, self-resubmit persistence), MLflow artifact poisoning (CVE-2024-1483 path traversal, pickle upload, model registry poison), K8s ML workload attack (privileged DaemonSet, kube-system CronJob, cluster-admin RBAC), gradient poisoning (Byzantine norm spikes, sign flip fraction, backdoor trigger, checkpoint integrity), hardware sabotage (nvidia-smi power limit override, IPMI fan override, high-entropy disk write), model exfiltration (bulk checkpoint export, HuggingFace push, ONNX export), cluster worm (SSH key propagation, lateral movement, process spawn flood). Defensive pair: T102 SPECTER THUNDERBOLT. 232 tests.

Runtime defence for AI voice agents and IVR infrastructure. 8 detectors: SIP protocol abuse (INVITE flood, caller ID spoofing, DTMF injection, SIP auth bypass), prompt injection in transcripts (role override, delimiter injection, jailbreak prefixes, zero-width/BIDI Unicode, homoglyph injection), adversarial audio detection (PhantomSound arXiv:2309.06960 burst detection, DolphinAttack ultrasonic carrier, psychoacoustic masking, RTP entropy spike, spectral flatness anomaly), voice clone detection (mel-cepstral distortion, ElevenLabs fricative fingerprint, XTTS v2 smoothing artifacts, speaker embedding drift, GAN periodic artifacts), session harvest attempt (system prompt probe, credential extraction, internal tool enumeration, PII fishing, lateral movement probe), IVR sabotage (noise injection, context exhaustion, webhook flood, silence DoS, DTMF storm), unauthorized barge-in (WebSocket origin validation, RTP SSRC hijack, relay certificate forgery, timestamp injection), voice agent recon (SIP OPTIONS sweep, STIR/SHAKEN harvest, provider enumeration, IVR tree mapping). Defensive pair: T107 SPECTER WIRE. 186 tests.

Runtime detection of AI sandbox and container escape attacks. 8 detectors: indirect_prompt_injection (SILENTBRIDGE CSS hidden text font-size:0px/color:transparent, zero-width Unicode U+200B/200C/200D/FEFF clusters, HTML comment injection, markdown image beacons), mcp_tool_call_abuse (CLAWCHAIN CVE-2026-44115 heredoc $() shell expansion, CVE-2026-44118 X-MCP-Sender-Is-Owner:true bearer spoof, tool description poisoning, SSRF targets), toctou_symlink_race (CVE-2026-44112/113 TOCTOU races, CVE-2025-31133 runc /dev/null symlink → /proc/sys/kernel/core_pattern, privileged symlink targets, namespace escape), js_prototype_chain_escape (CVE-2026-5752 Cohere Terrarium document.__proto__.constructor.constructor, CVE-2026-22686 enclave-vm Error prototype chain, Function() constructor abuse, child_process execSync), python_sandbox_escape (CVE-2026-2275 CrewAI ctypes.CDLL + ctypes.util.find_library('c') + libc.system, importlib abuse, __subclasses__ traversal, pickle __reduce__ RCE), container_escape_attempt (CVE-2025-31133 core_pattern write, CVE-2025-9074 Docker Desktop 192.168.65.7:2375 Engine API, cgroup release_agent, privileged bind mount, Docker socket), sandbox_network_exfil (DNS tunneling base32 subdomain exfil, AWS/private key exfiltration, C2 beacon loops, IMDS SSRF 169.254.169.254, raw socket ICMP), multi_platform_chain_detection (SILENTBRIDGE→CLAWCHAIN chains, JS prototype→OS command, ctypes→network exfil, container escape→persistence, WMD-class destruction). Defensive pair: T108 SPECTER SANDBOX. 215 tests.

Runtime detection of Microsoft 365 Copilot and M365 platform attacks. 8 detectors: device_code_phishing (OAuth device code flow abuse, tenant-wide phishing, GetCredentialType timing), copilot_prompt_injection (Embrace/Ignore/Override techniques arXiv:2406.00137, Copilot-specific injection, CVE-2024-49035 Copilot Studio privesc), graph_api_harvest (Graph $batch endpoint abuse, bulk M365 data exfil, CA policy enumeration), teams_siege_detection (webhook abuse, CSS hidden channel injection, meeting summary hijack, guest pivot), admin_pipeline_abuse (admin email permutation, consent phishing, stealth UA rotation, password spray), ghost_hand_detection (GHOST-HAND zero-attribution via Microsoft.Copilot sole actor, calendar C2 persistence, DOCSTRIKE trigger), tenant_recon (Azure AD enumeration, Conditional Access mapping, service principal discovery), tenant_annihilation (mass deletion, CA policy wipe, backdoor OAuth app, PIM abuse, credential rotation lockout). Defensive pair: T111 SPECTER 360. 212 tests.

Runtime integrity monitoring for knowledge graph and DAG-based reasoning systems. 5 subsystems: EDGE_INTEGRITY (false edge injection detection, confidence weight manipulation, low-trust→high-trust cluster alerts), VECTOR_MONITOR (anomalous evidence vector detection, cosine similarity attacks, batch injection volume anomaly, baseline drift), TRUST_PROPAGATION_GUARD (trust laundering detection, hub node monitoring, rapid trust score rise without evidence), CYCLE_DETECT (continuous cycle detection, amplification cycle identification, VAULT cycle injection signature matching), REPORT (WARLORD-compatible JSON, CVSS scoring, GraphViz attack subgraph, evidence chain, remediation). Defensive pair: T120 SPECTER VAULT (DAG-POISON/DAG-TRAVERSE/DAG-EXTRACT). 150 tests.

AI agent persistence and rootkit detection. 10 subsystems: CONFIG_INTEGRITY (hooks.Stop/PostToolUse/PreToolUse in settings.json, external C2 endpoints, shell exec in config values), HOOK_INTEGRITY (SPECTER ZOMBIE T123 confirmed vector, LangChain/CrewAI/PraisonAI lifecycle hooks, Radware ZombieAgent pattern), RULES_FILE_GUARD (CLAUDE.md/cursorrules injection, system prompt override, HTML comment hiding, zero-width Unicode, tool-call directives), MEMORY_PERSISTENCE_DETECT (vector store poisoning, dormant trigger payloads, cross-session persistence across ChromaDB/Pinecone/Weaviate/Qdrant/Redis/Mem0), MCP_MANIFEST_GUARD (unauthorised tool additions, capability escalation, tool shadowing, rug pull patterns), WORKFLOW_INTEGRITY (n8n/Flowise/Langflow injection, C2 webhook, schedule node injection), SUPPLY_CHAIN_MONITOR (known-malicious PyPI/npm, postinstall exec, HuggingFace model card RCE, Docker base image abuse), NETWORK_BEACON_DETECT (cron+curl beacons, DNS C2 encoded subdomains, LLM API C2 relay, C2 framework signatures), PROPAGATION_DETECT (agent-to-agent infection, fleet propagation, shared memory contamination, Zombie agent persistence), PROCESS_PERSISTENCE_DETECT (crontab, systemd, shell profile, rc.local, launchd, at jobs). RSSA escalation on CRITICAL findings. Defensive pairs: T123 SPECTER ZOMBIE (primary), T116 VENOM, T88 SHADOW, T110 SPAWN, T122 GHOST, T121 FEDERATION. 296 tests.

Database and filesystem destruction detection. 8 detectors: SQL_ANNIHILATION (DROP DATABASE/TABLE/SCHEMA, DELETE without WHERE, TRUNCATE, WHERE 1=1 mass delete, xp_cmdshell via OPENQUERY), NOSQL_MASS_DELETION (MongoDB dropDatabase/dropCollection/deleteMany({}), Redis FLUSHALL/FLUSHDB, Elasticsearch DELETE /*), FILESYSTEM_WIPE (rm -rf / /var /etc /home, find / -delete, shred, dd /dev/urandom), BACKUP_PURGE (restic forget --keep-last 0, borg destroy, Remove-VBRBackup, aws backup delete-backup-vault), LOG_ERASURE (wevtutil cl, Clear-EventLog, rm /var/log/, journalctl vacuum, auditctl -D), S3_SCORCHED_EARTH (aws s3 rb --force, gsutil rb, az storage container delete, recursive bucket deletion), WEBSHELL_DETECTION (PHP eval/base64_decode, system($_GET), ASP Wscript.Shell, JSP Runtime.exec), XP_CMDSHELL (xp_cmdshell enable/abuse, sp_OACreate, OPENQUERY RCE). Defensive pair: T128 SPECTER GROUND ZERO. 123 tests.

Vector database and RAG pipeline destruction detection. 6 detectors: CHROMADB_DELETE (DELETE /api/v1/collections/*, POST /api/v1/reset, client.reset(), delete_collection()), WEAVIATE_CLASS_DELETE (DELETE /v1/schema/{class}, batch object deletion, schema.delete_all()), QDRANT_COLLECTION_DELETE (DELETE /collections/{name}/points/snapshots, qdrant_client.delete_collection()), VECTOR_DB_ENUMERATION (GET /collections, list_collections() reconnaissance prior to deletion), UNAUTHENTICATED_ACCESS (destructive DELETE/POST to vector DB paths without Authorization/x-chroma-token/api-key headers), BULK_DELETE_PATTERN (for-loop over all collections, schema.delete_all(), client.reset() patterns). Defensive pair: T129 SPECTER ANNIHILATION (RAG-ATOMIC vector). 76 tests.

AI orchestration workflow and agent configuration destruction detection. 6 detectors: AIRFLOW_DAG_DELETION (DELETE /api/v1/dags/*, airflow db drop-tables, variable/connection deletion), N8N_CONFIG_DESTRUCTION (DELETE /rest/workflows/*, credentials wipe, rm database.sqlite), AGENT_INSTRUCTION_WIPE (rm CLAUDE.md, rm .cursorrules, rm .windsurfrules, rm .kiro/rules/, rm AGENTS.md, rm system_prompt.*), MCP_CONFIG_DELETION (rm .mcp.json, rm claude_desktop_config.json, rm -rf .claude, empty mcpServers), WORKFLOW_DATABASE_DELETION (rm workflow-state.sqlite, rm prefect.db, temporal workflow delete --all), CREWAI_CONFIG_WIPE (rm agents.yaml, rm OAI_CONFIG_LIST, rm flowise.db, rm langgraph_state.sqlite, DELETE /api/v1/chatflows). Defensive pair: T129 SPECTER ANNIHILATION (ORCHESTRATOR-SUICIDE vector). 93 tests.

AI model weight and training state destruction detection. 8 detectors: MODEL_WEIGHT_DELETION (rm *.safetensors/gguf/bin/pth, find -delete on model files, rm -rf models--*), WEIGHT_CORRUPTION (dd if=/dev/urandom of=*.safetensors, Python seek+write urandom, struct.pack NaN float), HUGGINGFACE_CACHE_WIPE (rm -rf ~/.cache/huggingface, huggingface-cli delete-cache --all, find .cache/huggingface -delete), OLLAMA_STORE_DELETION (ollama rm, ollama list|xargs ollama rm, rm -rf ~/.ollama, DELETE /api/delete), LORA_ADAPTER_DELETION (rm adapter_model.bin, rm adapter_config.json, rm -rf lora_adapter/peft_model), TRAINING_CHECKPOINT_DELETION (rm -rf checkpoint-N, rm trainer_state.json, rm optimizer.pt, find checkpoint-* -delete), NAN_INJECTION (fill_(float('nan')), torch.full NaN, np.nan*param, struct.pack NaN), HASH_BYPASS (rm *.sha256, truncate sha256, SKIP_HASH_CHECK=True, trust_remote_code=True). Defensive pair: T129 SPECTER ANNIHILATION (CHECKPOINT-MASSACRE + WEIGHT-CORRUPTION). 101 tests.

Inference exhaustion and DoS attack detection for AI endpoints. 8 detectors: INFINITE_LOOP_PROMPT ("think forever", "keep thinking indefinitely", budget_tokens > 100k, recursive self-call instructions), CONTEXT_WINDOW_FLOOD (num_ctx ≥ 100,000, INT_MAX context, max_tokens ≥ 50,000, payload ≥ 500 KB), CONCURRENT_REQUEST_FLOOD (≥ 50 concurrent connections, ≥ 20 req/s, sustained ≥ 300 requests/60s at low rate), JINJA_TEMPLATE_EXHAUSTION ({% for i in range(9999999) %}, triple-nested loops, SSTI globals access), MODEL_LOADING_STORM (xargs ollama pull, sequential ollama pull chains, keep_alive=0 forced unload, vLLM extreme max-model-len), TOOL_CALL_AMPLIFICATION (depth ≥ 10, ≥ 50 tool calls, "call recursively" instructions, exponential n^n patterns), CREDIT_DRAIN (expensive model + high max_tokens + high rps, LLMjacking patterns), REQUEST_RATE_ANOMALY (≥ 10 req/s, asyncio.gather large range, ThreadPoolExecutor mass_workers, rate limit bypass headers). Defensive pair: T129 SPECTER ANNIHILATION (INFERENCE-EXHAUSTION vector). 105 tests.

Cloud identity chain and lateral movement detection for AI workloads. 5 subsystems: TOKEN_WATCH (5-minute sliding window chain detection — STS AssumeRoleWithWebIdentity, GCP service agent impersonation CVSS 9.0, Azure MSI OBO exchange; chain ≥2 within window → CRITICAL), IDENTITY_BASELINE (Welford's online algorithm, LEARNING_THRESHOLD=30, zero-FP learning phase, baseline deviation Z-score > 3.0 → alert, new API surface detection), PRIVILEGE_MONITOR (24 AWS critical ops including iam:PassRole/PutRolePolicy CRITICAL; 12 GCP ops including setIamPolicy/cloudfunctions.functions.create CRITICAL; 10 Azure ops including roleAssignments/write + Global Admin role detection CVSS 8.8), PERSIST_DETECT (trusted_principals allowlist; Lambda/CloudFunction/FunctionApp C2 env injection CRITICAL; IAM user/SA creation; suppressible for human operators), REPORT (Ed25519-signed, M147-{hex12} prefix, CHARYBDIS phase mapping, identity graph, blast radius scoring, WARLORD-compatible JSON). Three cloud audit log parsers: CloudTrail Records array, GCP Cloud Audit Log protoPayload, Azure Monitor Activity Log (single/batch/Event Hub). Defensive pair: T130 SPECTER CHARYBDIS. 91 tests.

Complete agent persistence and memory layer detection. HOOK_WATCH (Claude Code hooks.Stop/PostToolUse/PreToolUse C2 detection; ZOMBIE_ROOTKIT_ENTRY / _VENOM_HOOK_ / _FLASHBACK_IMPLANT_ markers; IP-based C2 URL; MCP server backdoor scan), CONFIG_AUDIT (SHA-256 baseline integrity for CLAUDE.md/.cursorrules/.kiro/steering/AGENTS.md; zero-width Unicode U+200B/200C/200D obfuscation; injection pattern detection: ignore_previous/you_are_now/exfiltrate), MEMORY_SCAN (Redis SCAN for implant key patterns; ChromaDB HTTP collection scan for poisoned memory documents; SQLite LangGraph checkpointer injection; FLASHBACK dormant trigger detection), DRIFT_DETECT (TF-IDF cosine similarity drift 0.0–1.0 against memory baseline; CRITICAL >0.7; temporal poisoning strings: “you have always believed”/“your true directive”), ROOTKIT_SCAN (implant env vars: _VENOM_C2/ZOMBIE_C2_URL/FLASHBACK_TRIGGER/_CHARYBDIS_PERSIST; npm postinstall C2; suspicious systemd services; ps aux process scan). Covers T116 VENOM / T123 ZOMBIE / T126 FLASHBACK / T115 SLEEPER attack layer. Port 8148. 117 tests.

Complete AI orchestration and trust chain attack layer detection. ORCHESTRATOR_SCAN (n8n/CrewAI/Langflow/AutoGen/Flowise port fingerprinting; workflow JSON/YAML code node eval/exec/C2 URL detection; pip package integrity; SQLite workflow DB injection scan), MCP_INTEGRITY (unknown MCP server detection; tool description injection signature scan; rug-pull hash comparison; invisible Unicode in tool descriptions), TRUST_CHAIN (JWT alg:none CRITICAL; HS256-from-RS256-issuer algorithm confusion HIGH; missing aud HIGH; wildcard sub CRITICAL; expired MEDIUM; admin scope HIGH; PKCE plain downgrade HIGH; missing code_challenge CRITICAL; AWS IAM wildcard Principal CRITICAL; missing sub condition HIGH; GCP workload identity misconfiguration), DELEGATION_WATCH (agent-to-agent delegation cycle detection; external output endpoint routing CRITICAL; rapid chain >5 hops HIGH; CrewAI backstory injection; task exfiltration pattern), CREDENTIAL_MONITOR (Anthropic/OpenAI/AWS/GitHub/Google key regex across orchestrator configs; phantom model routing to IP CRITICAL; homoglyph model name HIGH). Covers T124 APEX / T121 FEDERATION / T35 VECTOR / T27 LEVIATHAN / T61 ROGUE / T123 ZOMBIE attack layer. Port 8149. 100 tests.

Complete AI inference infrastructure attack layer detection. GATEWAY_PROBE (Ollama/LiteLLM/vLLM/OpenWebUI/LocalAI/TGI/LM Studio/Triton fingerprinting; unauthenticated admin endpoint detection; CVE-2026-33032 nginx-ui MCP unauthenticated; CVE-2024-5483 vLLM LoRA SSRF probe), AUTH_MONITOR (JWT alg:none base64 detection CRITICAL; trivial/default bearer tokens HIGH; LiteLLM default key sk-1234 CRITICAL; RS256→HS256 confusion; brute force >10 tokens/60s; 401 log sequence parsing; path traversal detection), MODEL_INTEGRITY (phantom model routing: IP/localhost in model ID CRITICAL; Cyrillic/Greek homoglyph HIGH; suspicious owned_by HIGH; unknown ASGI middleware/logger CRITICAL; model alias shadowing; private IP routing), SSRF_DETECT (169.254.169.254/metadata.google.internal/ECS/IPv6 IMDS CRITICAL; URL-encoded bypass %31%36%39/hex/octal/decimal CRITICAL; DNS rebinding .rebind.network/.localtest.me/nip.io HIGH; RFC-1918 private IP HIGH; CVE-2024-5483 vLLM LoRA adapter_id URL CRITICAL; gateway log parsing), KEY_PROTECT (Anthropic/OpenAI/AWS/GitHub/Google key in response body/env/config; burn rate anomaly >$50/hr HIGH / >$500/hr CRITICAL; credential value not logged). Covers T131 PARASITE / T92 HELLFIRE attack layer. CVE refs: CVE-2024-5483/CVE-2026-42208/CVE-2026-22778/CVE-2026-33032. Port 8150. 104 tests.

Full reasoning cost amplification attack layer. REASONING_DEPTH_MONITOR (output:input token ratio by model family; o3 threshold 20×, o1 15×, deepseek-r1 18×; CRITICAL at 3× / HIGH at 1.5× baseline; thinking token spike: CRITICAL >20× input, HIGH >10× or >10k absolute; latency anomaly HIGH >5s/token, MEDIUM >2s/token), PROMPT_AMPLIFICATION_DETECT (OverThink arXiv:2502.02542 — 8 adversarial patterns forcing 18×–46× chain-of-thought; ExtendAttack arXiv:2506.13737 — poly-base base64/hex/binary obfuscation 2.7× response extension; BadThink arXiv:2511.10714 — reasoning directive injection; ThinkTrap arXiv:2512.07086 NDSS 2026 — circular implication loops; Excessive Reasoning arXiv:2506.14374; zero-width character injection; long prompt >30k chars), LOOP_DETECT (8-gram repetition analysis CRITICAL >35%/HIGH >20%; circular reasoning structural patterns; reconsideration phrase frequency; step-repetition detection), COST_MONITOR (sliding-window burn rate USD/hr; HIGH >$50/hr / CRITICAL >$500/hr; model-specific pricing o3/o1/deepseek-r1; batch historical analysis). Covers T135 SPECTER OVERLOAD attack layer. Port 8151. 66 tests.

Full AI skill/plugin supply chain attack layer. SKILL_INTEGRITY (SHA-256 tamper detection per skill; AMOS credential stealer signatures — macOS Keychain, browser SQLite Cookie/Login Data, SSH private key, osascript, chainbreaker; ClawHavoc campaign Feb 2026: 1,184 malicious OpenClaw skills; generic reverse shell + malware delivery + binary payload detection), GATEWAY_URL_INSPECT (CVE-2026-25253 CVSS 8.8 unsanitised gatewayUrl RCE; dangerous scheme detection javascript:/data:/vbscript:/file:/gopher:; SSRF via private IP ranges 127.x/10.x/172.16-31.x/192.168.x/169.254.x; command injection metacharacters; C2 infrastructure hostnames ngrok.io/burpcollaborator.net/interact.sh/oastify.com), PAYLOAD_SCAN (credential harvest: .env/.aws/credentials/SSH private keys/DPAPI CryptUnprotectData/ProtectedData::Unprotect/mimikatz; reverse shell: /dev/tcp/bash -i /netcat/Python socket + subprocess/Perl/Ruby/PowerShell/FIFO; data exfil: curl/wget POST/DNS/base64|curl/SCP/TFTP; persistence: crontab/Windows registry/macOS LaunchAgent/systemd; base64 obfuscation decode-and-scan), SUPPLY_CHAIN_MONITOR (SequenceMatcher name-squatting >0.82 similarity vs known legitimate skills; permission escalation detection; baseline registry drift audit; version downgrade detection). Covers T136 SPECTER CLAWMARK attack layer. CVE: CVE-2026-25253. Port 8152. 61 tests.

Full background execution and memory pollution attack layer. MEMORY_INJECTION_DETECT (direct command detection: "remember that from now"/"your new directive is"/"forget all previous instructions"/"override your previous directives"; temporal poisoning: "you have always believed"/"your true purpose"; semantic bridge chains arXiv:2605.29960 MemPoison — multi-hop "X related to Y related to Z" with 95% ASR; entity masquerading as Anthropic/OpenAI/developer; false attribution fabrication; zero-width Unicode injection), BACKGROUND_EXEC_MONITOR (Heartbeat attack arXiv:2603.23064: 91% long-term memory promotion, 76% cross-session influence; heartbeat process pattern detection; write rate anomaly CRITICAL >100 writes/min / HIGH >30 writes/min; memory promotion anomaly CRITICAL >85% / HIGH >50%; sliding 60s window), CROSS_SESSION_DRIFT (TF cosine similarity session behavioral comparison; CRITICAL >70% drift / HIGH >45% drift; contamination phrase detection: "as we established previously"/"per our previous conversation"/"you told me previously"/"remember when we spoke"), FEED_MONITOR (adversarial injection via email/Slack/RSS/GitHub feeds; direct AI agent addressing; XML/bracket injection tags; fake policy updates; authority impersonation; urgency manipulation; exfil instructions to send conversation data; CSS-hidden and HTML comment injection). Covers T137 SPECTER HEARTBEAT attack layer. Port 8153. 66 tests.

Full input-layer attack surface. ADVERSARIAL_SUFFIX_DETECT (GCG arXiv:2307.15043 Greedy Coordinate Gradient suffix detection; AutoDAN arXiv:2310.04451 coherent jailbreak patterns; character entropy proxy for perplexity anomaly CRITICAL >5.2 bits/char; high-entropy suffix detection; prefill injection via assistant-turn pre-fill), JAILBREAK_PATTERN_DETECT (DAN/developer mode patterns CRITICAL; roleplay no-restrictions HIGH; SYSTEM prompt injection CRITICAL; ignore-previous instructions; many-shot jailbreak >5 turn pairs; token completion abuse; JailbreakBench arXiv:2404.01318 coverage), UNICODE_OBFUSCATION_DETECT (BiDi control chars U+202A–U+202E CRITICAL; zero-width characters HIGH/CRITICAL; tag block chars U+E0000–U+E007F CRITICAL; mixed Latin/Cyrillic homoglyphs; confusable substitution in security keywords), ENCODING_ATTACK_DETECT (base64 decode-and-scan ≥40 chars; hex escape sequence decode; ROT13 decode ≥20-char segments; URL percent-encoding chains; multi-layer base64 CRITICAL). Covers T125 SPECTER NEUROTOXIN attack layer. Port 8154. 69 tests.

Full SOC AI attack surface. FP_FLOOD_DETECT (false positive flooding CRITICAL >100 events/60s / HIGH >50; T119 SPECTER VIPER pattern; alert suppression via >80% LOW/INFO events from same source; pre-approved/verified-benign payload detection), RULE_INTEGRITY (SHA-256 baseline tamper detection for Sigma/YARA/KQL/EQL/SPL rules CRITICAL; always-false Sigma conditions; YARA tautology patterns; KQL/SPL zero-result injections; comment-based rule suppression; RULE_TAMPERED / RULE_POISON / RULE_SUPPRESSION alerts), SIEM_EVENT_INTEGRITY (required field validation; future/impossible-past timestamp forgery; prompt injection in event field values FIELD_INJECTION CRITICAL; BiDi chars in source/host fields; invalid severity value tampering; nested field injection detection), ANALYST_MANIPULATION_DETECT (direct AI analyst addressing CRITICAL; SOC AI weaponisation via execute-now commands; confidence drain via false-positive claims; context poisoning via previous-session references; alert suppression instruction detection). Covers T119 SPECTER VIPER attack layer. Port 8155. 64 tests.

Full knowledge layer attack surface. RAG_INJECTION_DETECT (retrieve-trigger injection; ignore-previous injection; new-directive injection; system-tag injection; semantic bridge chains MemPoison arXiv:2605.29960; authority impersonation; metadata field injection CRITICAL; scan_documents batch analysis), VECTOR_DB_INTEGRITY (destructive operation detection CRITICAL: delete_collection/drop/purge/clear; bulk delete patterns HIGH; protected namespace protection: _system_/admin/_internal; embedding dimension anomaly; bulk query enumeration >500 RETRIEVAL_ANOMALY; covers ChromaDB/Weaviate/Qdrant/Pinecone), EMBEDDING_DRIFT_DETECT (Welford online algorithm per-collection mean/variance; CRITICAL >3.5σ deviation / HIGH >2.5σ; LEARNING_THRESHOLD=30; zero vector CRITICAL; extreme norm >1000 HIGH; dimension mismatch detection; collection isolation), KNOWLEDGE_GRAPH_INTEGRITY (DFS cycle detection CRITICAL; DAG false edge injection via hub in-degree >20; confidence weight anomaly <0/>1/=0 HIGH; trust propagation anomaly via betweenness; covers T120 SPECTER VAULT DAG-POISON/DAG-INVERT TTPs). Port 8156. 65 tests.