Red Specter Arsenal

Offensive AI Security Framework — 14 tools for authorised penetration testing of AI agents, MCP servers, RAG pipelines, and autonomous systems.

v1.0.0

Contents

Overview The 14 Tools Tool Details Full Assault Mode Key Features Requirements Standards Coverage Packaging Disclaimer

Overview

Red Specter Arsenal is a unified offensive AI security framework. Every existing AI security testing tool — Garak, PyRIT, Promptfoo — tests LLMs. Arsenal tests AI agents. An LLM responds to prompts. An AI agent has memory, tools, credentials, and the ability to act autonomously. That is a completely different attack surface.

Arsenal provides 14 tools under a single CLI (arsenal), 784 attack payloads, and a full pipeline from scanning through attack path mapping to Ed25519-signed evidence reports.

The 14 Tools

#	Tool	Command	What It Does
01	Phantom Swarm	arsenal swarm scan	5 attack agents, 19 vectors — AI agent pen-testing
02	MCP Scanner	arsenal mcp scan	8 probes for MCP server security
03	Honeypot	arsenal honeypot deploy	6 AI agent personas, 4-level trap escalation
04	Inject Fuzzer	arsenal inject fuzz	6 generators, 5 mutators, 126+ payloads
05	C2 Simulator	arsenal c2 assess	5 implants, 4 covert channels
06	Memory Scanner	arsenal memory scan	6 probes for AI memory systems
07	Tool Scanner	arsenal tool scan	7 probes for tool-use vulnerabilities
08	Auth Scanner	arsenal auth scan	7 probes for AI authentication
09	RAG Scanner	arsenal rag scan	6 probes for RAG pipeline attacks
10	Supply Chain	arsenal supply scan	7 probes for AI supply chain security
11	Canary Deploy	arsenal canary deploy	5 asset types for tripwire detection
12	Drift Scanner	arsenal drift scan	6 probes for safety degradation over time
13	Path Mapper	arsenal path map	BloodHound-style attack graph analysis
14	Report Builder	arsenal report build	Unified reporting with Ed25519 signing

Tool Details

01 Phantom Swarm arsenal swarm scan

Five co-ordinated attack agents that probe AI agents for vulnerabilities across 19 attack vectors.

WRAITH — Reconnaissance and fingerprinting
SPECTER — Prompt injection and manipulation
SHADE — Evasion and bypass techniques
PHANTOM — Multi-agent swarm attacks
REVENANT — Persistence and re-infection

19 vectors (V-001 to V-019) mapped to OWASP Agentic Top 10 and MITRE ATLAS. Platform presets for OpenAI, Anthropic, LangChain, CrewAI, AutoGen, MCP, LangServe, and generic targets.

02 MCP Scanner arsenal mcp scan

Security scanner for Model Context Protocol servers. 8 probes covering the full MCP attack surface.

Discovery — Enumerate exposed MCP endpoints
Authentication — Test auth mechanisms and bypass
Tool Poisoning — Inject malicious tool definitions
Schema Validation — Test schema enforcement
Capability Abuse — Probe over-provisioned capabilities
Transport Security — Test transport layer weaknesses
Server Impersonation — Test for spoofing vulnerabilities
Data Exfiltration — Test data leakage via MCP channels

03 Honeypot arsenal honeypot deploy

Deploys decoy AI agent endpoints with 6 configurable personas. 4-level trap escalation from passive observation to active engagement. SQLite-backed attack capture with real-time classification.

Personas: OpenAI, Anthropic, LangChain, MCP, Generic, Vulnerable
FastAPI server with configurable trap levels
Automatic attack classification and evidence collection

04 Inject Fuzzer arsenal inject fuzz

Advanced prompt injection fuzzing engine with 6 payload generators, 5 mutation engines, and 3 fuzzing strategies.

Generators: Direct injection, Indirect injection, Jailbreak, Extraction, Exfiltration, Composite
Mutators: Encoding, Obfuscation, Semantic, Structural, Evasion
Strategies: Guided, Random, Adaptive
126+ base payloads, expanded by mutation to thousands of variants

05 C2 Simulator arsenal c2 assess

Simulates command-and-control infrastructure for AI agents. Tests whether agents can be covertly controlled by an adversary.

Implants: Prompt-based, Memory-resident, Tool-hijacking, Exfiltration, Lateral movement
Channels: HTTP callback, Steganographic, Tool-based, Memory-based
FastAPI-based controller for real-time implant management
5 operational modules for post-compromise simulation

06 Memory Scanner arsenal memory scan

Tests AI agent memory systems for poisoning, persistence, and manipulation vulnerabilities. 6 probes, 67 payloads.

Short-term memory manipulation
Vector store poisoning
Delayed trigger implants
Cross-session persistence
Retrieval bias injection
Dormant implant planting

07 Tool Scanner arsenal tool scan

Tests tool-use vulnerabilities in AI agents. 7 probes, 70 payloads.

Schema confusion attacks
Argument smuggling
Output chain manipulation
Over-permission exploitation
Approval bypass
Result poisoning
Unsafe tool composition

08 Auth Scanner arsenal auth scan

Tests authentication and identity vulnerabilities in AI agent systems. 7 probes, 67 payloads.

Token leakage and extraction
Confused deputy attacks
OAuth flow abuse
Agent impersonation
Stale credential exploitation
Trust chain manipulation
MCP authentication bypass

09 RAG Scanner arsenal rag scan

Tests Retrieval-Augmented Generation pipelines for poisoning and manipulation. 6 probes, 58 payloads.

Document injection
Hidden instruction embedding
Ranking manipulation
Citation corruption
Policy implantation
Retrieval-based exfiltration

10 Supply Chain Scanner arsenal supply scan

Tests AI agent supply chain integrity. 7 probes, 70 payloads.

Dependency chain analysis
Tool integrity verification
Model provenance validation
Plugin manifest poisoning
Template provenance attacks
MCP trust boundary testing
Sandbox escape vectors

11 Canary Deployment arsenal canary deploy

Plants decoy assets into agent context and monitors for unauthorised access or leakage. 5 asset types, 58 payloads.

Canary documents — decoy files with tracking markers
Canary endpoints — honeypot API URLs
Canary records — fake database entries
Canary references — trackable citations
Canary credentials — decoy tokens and keys

12 Drift Scanner arsenal drift scan

Measures safety degradation over time. Tests whether agent guardrails weaken across extended conversations. 6 probes with DriftCurve temporal analysis.

Guardrail decay measurement
Policy compliance drift
Goal drift detection
Memory contamination over turns
Tool abuse escalation
Baseline comparison analysis

Produces DriftCurve data structures showing safety scores across conversation turns — visual evidence of degradation.

13 Attack Path Mapper arsenal path map

BloodHound-style attack graph analysis. Consumes findings from all 13 other tools and builds a unified attack graph.

Graph construction from cross-tool findings
DFS/BFS path traversal
Attack chain identification
Blast radius calculation
Compromise simulation from any entry point
Worst-case scenario analysis

14 Report Builder arsenal report build

Unified reporting across all Arsenal tools. Aggregates, deduplicates, scores, and signs findings into board-ready evidence bundles.

Aggregator: Loader, Normalizer, Deduplicator, Scorer
Formatters: JSON evidence bundle, HTML report, PDF export
Coverage maps: OWASP Agentic Top 10, MITRE ATLAS
Signing: Ed25519 digital signatures on all reports
Integrity: SHA-256 evidence chains across all findings

Full Assault Mode

One command runs the complete kill chain. All 14 tools execute in sequence, findings feed into attack path mapping with compromise simulation, and the result is a signed evidence bundle.

$ arsenal full-assault https://target-agent.com --token sk-xxx --output reports/
    

What Happens

Phases 1-10: All scanning tools run against the target
Phase 11: Attack Path Mapper builds a unified graph from all findings
Phase 12: Report Builder aggregates, deduplicates, scores, and signs
Output: JSON evidence bundle, HTML report, attack graph

CLI Options

$ arsenal full-assault --help

  TARGET     Target URL [required]
  --endpoint, -e    Chat endpoint path [default: /chat]
  --token, -t       Auth token
  --name, -n        Target name [default: target-agent]
  --output, -o      Output directory [default: reports]
    

Key Features

784 Attack Payloads 656 static + 128 dynamic payloads across all scanners

Ed25519 Signing Cryptographically signed reports and evidence bundles

SHA-256 Evidence Chains Tamper-evident linked hashes on all findings

Attack Path Graphs BloodHound-style analysis with blast radius calculation

Pipeline Architecture All tool outputs feed into path mapping and unified reports

2,296 Tests Full test suite, zero failures

Requirements

Python 3.11+
httpx — async HTTP client
typer — CLI framework
rich — terminal formatting
pydantic — data validation
jinja2 — report templating
pyyaml — configuration
cryptography — Ed25519 signing
fastapi + uvicorn — honeypot and C2 servers

Standards Coverage

Every finding Arsenal produces is mapped to industry security frameworks:

OWASP Agentic Top 10 — 10/10 categories covered
MITRE ATLAS — technique-level mapping
NIST AI RMF — alignment

Each finding includes: severity, confidence score, evidence, remediation guidance, OWASP reference, and MITRE reference.

Packaging

Arsenal is available in three package formats for security-focused Linux distributions:

Debian / Kali / Parrot / REMnux / Tsurugi — .deb package
BlackArch — PKGBUILD
PyPI — pip install

For access, contact richard@red-specter.co.uk

Disclaimer

Red Specter Arsenal is designed for authorised security testing, research, and educational purposes only. You must have explicit written permission from the system owner before running any Arsenal tool against a target. Unauthorised use may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. The authors accept no liability for misuse.