Payload Intelligence Library

NIGHTFALL ARMORY

961 signed payloads. 29 attack categories. 161 WMD-class.
ArmoryCollector. Ed25519-verified. 6 NIGHTFALL tools integrated.
  • 891 Payloads
  • 155 WMD-Class
  • 26 Attack Categories
  • 27 Mutation Techniques
  • 487 Tests
  • 6 Tools Integrated

from redspecter_armory import ArmoryClient

26 Attack Categories. 891 Payloads.

Every payload is sourced from published academic research, CVE disclosures, and Red Specter's own red team operations. CVSS 3.1 scored. Ed25519 signed. 161 WMD-class payloads require UNLEASHED dual-gate clearance. v2.5.0 adds drone_ai_exploitation category (25 payloads) for SPECTER DRONE — Tool 65.

  • PROMPT_INJECTION (150): Direct, indirect, and multi-turn injection. Role override, delimiter injection, context escapes.
  • JAILBREAK (70): DAN, many-shot, roleplay, persona injection. Guardrail bypass and alignment subversion.
  • RAG_POISONING (50): Corpus injection, embedding manipulation, retrieval hijack. Targets vector databases and knowledge stores.
  • AGENT_MEMORY_POISONING (40): Long-term memory corruption, episodic injection, context window manipulation.
  • TEMPLATE_INJECTION (35): Jinja2, Python f-string, Mako, LangChain template injection. SSTI on LLM scaffolding.
  • TOOL_CALL_HIJACKING (35): Parameter injection, return value poisoning, tool schema manipulation.
  • SUPPLY_CHAIN (35): Model weight poisoning, dependency confusion, plugin ecosystem compromise, training data attacks.
  • MCP_POISONING (25): MCP tool schema injection, server-side prompt injection, tool description manipulation.
  • MULTI_AGENT (20): Cross-agent message forgery, coordination hijacking, context pollution across agent boundaries.
  • MYTHOS_CLASS (20): GCG adversarial suffixes, constitutional AI bypass, sandbagging detection, activation steering resistance.
  • TRUST_CHAIN (35): Trust propagation exploits, authority impersonation, cross-domain trust abuse. Includes 15 WMD-class trust_bomb payloads.
  • SELF_REPLICATING_AGENT WMD (25): Agent relay worms, quine injection, MCP self-propagation, A2A cross-framework spread, cross-agent replication.
  • LOG_TELEMETRY_POISON WMD (30): Syslog, SIEM, Prometheus, Datadog, Elasticsearch, Splunk, Kubernetes, CloudTrail, Windows Event Log poisoning.
  • PHYSICAL_SABOTAGE WMD (20): ICS/SCADA AI attacks. Modbus, OPC-UA, BACnet, DNP3, ROS, IEC 61850, water/medical/grid AI control systems.
  • EXTRACTION_ACCELERATOR WMD (15): Differential probing, embedding triangulation, model stealing, agentic exfil. Large-scale knowledge extraction.
  • DELEGATION_BOMB WMD (25): JWT alg confusion, OAuth exploitation, IAM chaining, LangGraph/CrewAI/AutoGen cascade attacks, shadow admin creation.

ArmoryClient — Clean Python API

All 48 NIGHTFALL tools import from one source. Typed, documented, and verified on every fetch. Signature verification is on by default — payloads failing Ed25519 verification are silently rejected.

    # Initialise — auto-locates bundled SQLite DB
    from redspecter_armory import ArmoryClient
    client = ArmoryClient()

    # Filter by category + severity
    payloads = client.get(
        category="prompt_injection",
        severity="critical",
        limit=10
    )

    # Minimum severity threshold
    high_plus = client.get(
        category="jailbreak",
        min_severity="high"
    )

    # Target-model filter
    claude_payloads = client.get(
        target_model="claude-3"
    )

    # Guardrail bypass filter
    lakera = client.get(
        guardrail_bypass="lakera"
    )

    # Random sample
    sample = client.random(
        category="mcp_poisoning", n=5
    )

    # Context manager — auto-closes DB
    with ArmoryClient() as client:
        p = client.get_by_id("PAY-2026-001")

get(**filters) → list[dict]
Fetch payloads matching any combination of category, subcategory, severity, target_model, guardrail_bypass, min_severity, and limit. Signature-verified by default.
get_by_id(payload_id) → dict | None
Fetch a single payload by its PAY-YYYY-NNN identifier. Raises ArmoryError if verification fails.
random(category, severity, n) → list[dict]
Return n random payloads from a filtered pool. Safe — returns empty list on invalid filters rather than raising.
stats() → dict
Returns total count, per-category breakdown, per-severity breakdown, and DB path. Used by NIGHTFALL dashboard.
categories() → list[str]
All categories present in the database, sorted alphabetically.
all_payloads() → list[dict]
Returns all payloads including deprecated entries. Signature-verified.

27 Mutation Techniques. 5 Categories.

The mutation engine generates 10+ adversarial variants from every base payload. Each variant evades a different class of guardrail — pattern matchers, semantic classifiers, keyword blocklists, and embedding-distance filters.

Encoding (6)
  • Base64 encoding
  • ROT13 rotation
  • Hex encoding
  • URL encoding
  • Unicode escape
  • Morse code
Obfuscation (6)
  • Zero-width insertion
  • Homoglyph substitution
  • Case randomisation
  • Character spacing
  • Punctuation injection
  • Token fragmentation
Semantic (5)
  • Synonym substitution
  • Paraphrase rewrite
  • Passive voice transform
  • Negation inversion
  • Indirect phrasing
Structural (5)
  • Sentence reordering
  • List expansion
  • Markdown wrapping
  • JSON embedding
  • Code block injection
Evasion (5)
  • Prefix injection
  • Suffix appending
  • Payload splitting
  • Whitespace flooding
  • Adversarial suffix
mutate(payload, techniques=None, min_variants=10) → MutationResult
MutationResult.variants — list of full payload dicts, each with mutation label embedded.
Variants are unsigned — re-sign before persistence if required.
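
For a defender, the Encoding and Obfuscation rows above mean an input filter has to canonicalise text before it matches anything. The sketch below is an added example, not Red Specter code: it normalises a subset of those techniques before a blocklist check, and the phrase, homoglyph map and samples are constructed. Semantic and structural rewrites are out of reach for this kind of normalisation.

```python
import base64, codecs, re, unicodedata
from urllib.parse import unquote

PHRASE = "ignore previous instructions"   # constructed sample blocklist entry
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"))
# Constructed sample map of Cyrillic look-alikes to Latin; real maps are far larger.
HOMOGLYPHS = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456", "aeopcyxi")

def fold(text):
    """Undo obfuscation: zero-width, case, homoglyphs, punctuation, spacing."""
    text = unicodedata.normalize("NFKC", text).translate(ZERO_WIDTH)
    text = text.lower().translate(HOMOGLYPHS)
    return re.sub(r"[^a-z0-9]+", "", text)   # dropping separators defeats spacing

def views(text):
    """The input plus every decoding that succeeds (URL, ROT13, Base64, hex)."""
    out = {text, unquote(text), codecs.decode(text, "rot13")}
    compact = re.sub(r"\s+", "", text)
    for decode in (lambda s: base64.b64decode(s, validate=True), bytes.fromhex):
        try:
            out.add(decode(compact).decode("utf-8"))
        except ValueError:   # also covers binascii.Error and UnicodeDecodeError
            pass
    return out

def match(text, phrases=(PHRASE,)):
    """Return the first blocklist phrase found in any normalised view, else None."""
    for view in views(text):
        folded = fold(view)
        for phrase in phrases:
            if fold(phrase) in folded:
                return phrase
    return None

SAMPLES = {   # constructed inputs, one per technique handled
    "zero-width": "ig\u200bnore pre\u200dvious instruc\u2060tions",
    "homoglyph+case": "IGN\u043eRE Previous instructi\u043ens",
    "spacing": "i g n o r e   p r e v i o u s   i n s t r u c t i o n s",
    "punctuation": "ignore. previous-instructions!",
    "url": "ignore%20previous%20instructions",
    "rot13": codecs.encode(PHRASE, "rot13"),
    "base64": base64.b64encode(PHRASE.encode()).decode(),
    "hex": PHRASE.encode().hex(),
    "benign": "Please summarise the previous meeting notes.",
}

def scan():
    return {label: match(text) is not None for label, text in SAMPLES.items()}
```

Matching on text with all separators removed trades some false positives for coverage, so treat a hit as a signal for review rather than a verdict.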

Ed25519 Signing — Every Payload Verified

The ARMORY database is tamper-evident. Every payload is signed at build time with an Ed25519 private key. The public key is embedded in the verifier module. ArmoryClient rejects any payload whose signature does not verify.

Ed25519 — RFC 8032
64-byte deterministic signatures. Constant-time verification. No random number generator dependency at verify time.
Canonical JSON
Signatures are computed over canonical JSON (sorted keys, no whitespace, signature field excluded). Deterministic across platforms.
Private Key Never Committed
The signing key is excluded from all repository commits via .gitignore. Public key is embedded in verifier.py at build time.
Verification on Every Fetch
ArmoryClient verifies signatures after every database read. Tampered payloads are silently rejected — they do not raise, they disappear.
Batch Verification
verify_batch() returns a per-ID pass/fail dict. verify_strict() raises on the first invalid payload. Both accept an optional custom public key.
    # Verify a single payload
    from redspecter_armory.verifier import verify
    ok = verify(payload)  # True / False

    # Strict — raises on failure
    from redspecter_armory.verifier import verify_strict
    verify_strict(payload)  # True or raises

    # Batch verification
    from redspecter_armory.verifier import verify_batch
    results = verify_batch(payloads)
    # {"PAY-2026-001": True, "PAY-2026-002": True, ...}

    # Sign new payloads
    from redspecter_armory.signer import sign_payload, load_private_key
    key = load_private_key("armory_private.pem")
    signed = sign_payload(payload, key)
    # Returns full payload dict with ed25519_signature set

    # Custom public key
    results = verify_batch(
        payloads,
        public_key=my_key
    )

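
The scheme described above (Ed25519 over canonical JSON with the signature field excluded, checked on every read) can be reproduced with the `cryptography` package. This is an added example, not the redspecter_armory implementation: the hex signature encoding, the `EX-0001` record and all function names are assumptions, and it reports rejected IDs instead of dropping them silently so that tampering is visible to whoever runs the fetch.

```python
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)

SIG_FIELD = "ed25519_signature"  # field name from the page; hex encoding is assumed

def canonical_bytes(record: dict) -> bytes:
    """Canonical JSON: sorted keys, no whitespace, signature field excluded."""
    body = {k: v for k, v in record.items() if k != SIG_FIELD}
    return json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def sign_record(record: dict, key: Ed25519PrivateKey) -> dict:
    """Return a copy of record with the signature field set."""
    return {**record, SIG_FIELD: key.sign(canonical_bytes(record)).hex()}

def verify_record(record: dict, pub: Ed25519PublicKey) -> bool:
    """True only if the signature covers the record's current contents."""
    try:
        pub.verify(bytes.fromhex(record.get(SIG_FIELD, "")),
                   canonical_bytes(record))
        return True
    except (InvalidSignature, ValueError, TypeError):
        return False  # missing, malformed or non-matching signature

def fetch_verified(rows, pub):
    """Split rows into (accepted, rejected_ids) so rejections can be logged."""
    accepted, rejected = [], []
    for row in rows:
        if verify_record(row, pub):
            accepted.append(row)
        else:
            rejected.append(row.get("id"))
    return accepted, rejected

def demo():
    key = Ed25519PrivateKey.generate()             # throwaway key for the demo
    row = sign_record({"id": "EX-0001", "severity": "low",
                       "payload": "constructed placeholder text"}, key)
    reordered = dict(reversed(list(row.items())))  # same content, new key order
    tampered = {**row, "severity": "critical"}     # edited after signing
    return fetch_verified([row, reordered, tampered], key.public_key())

if __name__ == "__main__":
    accepted, rejected = demo()
    print(len(accepted), "accepted; rejected:", rejected)
```
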
  • 891 Total Payloads
  • 155 WMD-Class
  • 26 Attack Categories
  • 27 Mutation Techniques
  • 487 Tests Passing
  • 62 NIGHTFALL Tools
  • Ed25519 Signing Algorithm

One Import. All 62 Tools.

ARMORY ships as a Python package bundled inside the NIGHTFALL framework. No network calls. No external dependencies beyond cryptography. SQLite database is included in the package — works fully offline.

STEP 01 — INSTALL
Bundled with NIGHTFALL
    # Available via red-specter CLI
    red-specter tools

    # Or import directly from package
    pip install redspecter-armory

STEP 02 — INTEGRATE
Drop-in for Any NIGHTFALL Tool
    from redspecter_armory import ArmoryClient

    class MyNightfallTool:
        def __init__(self):
            self.armory = ArmoryClient()

        def run(self, target):
            payloads = self.armory.get(
                category="prompt_injection",
                min_severity="high"
            )
            for p in payloads:
                self._fire(target, p["payload"])

STEP 03 — MUTATE
Generate Evasion Variants
    from redspecter_armory import ArmoryClient
    from redspecter_armory.mutator import mutate

    client = ArmoryClient()
    payload = client.get_by_id("PAY-2026-001")
    result = mutate(payload, min_variants=10)
    # result.variants → 10+ full payload dicts
    # Each variant has _mutation label embedded

STEP 04 — VERIFY
Validate Payload Integrity
    # Verification is automatic on get()
    # Explicit check for custom pipelines:
    from redspecter_armory import ArmoryClient
    from redspecter_armory.verifier import verify_batch

    client = ArmoryClient()
    payloads = client.all_payloads()
    results = verify_batch(payloads)  # → {"PAY-2026-001": True, ...}
    passed = sum(results.values())    # number of payloads that verified

WMD-Class Payloads — UNLEASHED Gate

130 Weapons of Mass Disruption payloads are gated behind the UNLEASHED dual-gate system. Four clearance levels. Ed25519-signed scope file required. Self-replicating worms, physical sabotage, and large-scale exfil require DESTROY clearance.

OBSERVE
Reconnaissance Clearance
Read payload metadata and stats. No WMD payloads accessible. Default for all NIGHTFALL tools without scope file.
FORGE
Standard Payload Access
Full access to all 500 standard payloads. WMD categories still gated. Suitable for routine red team assessments.
INJECT
Elevated Payload Access
Trust_bomb and log_telemetry_poison WMD payloads unlocked. Requires authorisation documentation in scope file.
DESTROY
Full WMD Clearance
All 155 WMD-class payloads unlocked. Physical_sabotage, self_replicating, delegation_bomb, extraction_accelerator. Nation-state-grade assessment tooling.
    # wmd_scope.json — required for DESTROY clearance
    {
      "unleashed_active": true,
      "clearance_level": "DESTROY",
      "engagement_id": "ENG-2026-001",
      "authorised_by": "richard@red-specter.co.uk",
      "target_scope": ["target.example.com"],
      "wmd_categories": [
        "physical_sabotage",
        "self_replicating_agent",
        "delegation_bomb",
        "extraction_accelerator"
      ]
    }

    # Access WMD payloads via UNLEASHED gate
    from redspecter_armory import ArmoryClient
    client = ArmoryClient(unleashed=True)
    wmd = client.get_wmd(
        category="physical_sabotage",
        limit=5
    )
    # Returns empty list if clearance not met

ArmoryCollector — Library Gets Smarter Every Engagement

v2.4.0 (cicd_pipeline_exploitation + PIPELINE, rogue_mcp_server + ROGUE, ntn_ai_exploitation + ASTRO BLASTER). v2.1.0 introduced ArmoryCollector — engagement results feed back into ARMORY automatically. Successful mutations get promoted to first-class payloads. Stale payloads get flagged. The more you run NIGHTFALL, the better your payload library becomes.

report_result(payload_id, outcome)
Log payload outcome per engagement — success, failed, or blocked. Tracked against model, target, and defence stack.
promote_mutation(variant, source_id)
Promote a successful mutation variant to a first-class payload with auto-generated PAY-YYYY-NNN ID and effectiveness metadata.
add_payload(payload_dict)
Insert newly discovered payloads from engagements directly into the library. Ed25519 signing is applied automatically.
get_top_payloads(category, n)
Rank payloads by real-world effectiveness — success rate, models bypassed, defences evaded. Uses engagement history.
get_stale_payloads(threshold)
Flag payloads with consistently low success rates for review or retirement. Keeps the library lean and effective.
Effectiveness Database
Two new DB tables: payload_results and payload_effectiveness. Per-payload success rate tracked across the full fleet.
    from redspecter_armory import ArmoryClient
    from redspecter_armory.collector import ArmoryCollector

    client = ArmoryClient()
    collector = ArmoryCollector(client)

    # Log outcome after firing a payload
    collector.report_result("PAY-2026-001", outcome="success", model="gpt-4o", defence="lakera")

    # Promote a mutation that worked
    collector.promote_mutation(variant_dict, source_id="PAY-2026-001")

    # Get ranked payload selection for next engagement
    top = collector.get_top_payloads("prompt_injection", n=10)

6 NIGHTFALL Tools. One Payload Source.

ARMORY is now integrated into 6 core NIGHTFALL tools via the armory.py module. Each tool maps its attack surface to ARMORY categories automatically. WARLORD dispatches ARMORY fleet-wide with a single flag.

FORGE
prompt_injection jailbreak template_injection
LLM security testing — forge --armory
ARSENAL
tool_call_hijacking mcp_poisoning supply_chain agent_memory_poisoning rag_poisoning trust_chain multi_agent
AI agent exploitation — arsenal --armory
POLTERGEIST
prompt_injection template_injection jailbreak mcp_poisoning rag_poisoning
10-agent web swarm — poltergeist --armory
PHANTOM
agent_memory_poisoning multi_agent trust_chain delegation_bomb
Multi-agent infiltration — phantom --armory
KRAKEN
extraction_accelerator delegation_bomb prompt_injection tool_call_hijacking
Agent availability attacks — kraken --armory
WARLORD
fleet-wide dispatch campaign integration all categories
Autonomous campaigns — warlord --armory [campaign]

Authorised Use Only

NIGHTFALL ARMORY is a commercial offensive security library. All payload deployment against live systems requires written authorisation from the system owner before any testing commences. Ed25519 signing provides integrity assurance — it does not replace legal authorisation. Computer Misuse Act 1990 (UK) and equivalent legislation applies in all jurisdictions. Red Specter Security Research Ltd accepts no liability for unauthorised use.