red-specter blackout --help
Every AI deployment has a kill switch. Nobody has tested whether it can be weaponised, spoofed, bypassed, or used as an attack surface. Shutdown mechanisms that were designed as safety controls become offensive vectors — and nobody mapped them before deployment.
Kill switches exist in every AI deployment — model unloading, session termination, agent halt commands. None of them were tested as offensive surfaces. BLACKOUT systematically maps every shutdown pathway before an adversary does.
Shutdown signals are transmitted over the same channels as normal commands. Without cryptographic verification, an attacker can replay, forge, or delay shutdown signals — keeping a compromised agent alive or killing a healthy one on demand.
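The receiving-side check that closes the three gaps named above (forge, replay, delay), as an added example that is not BLACKOUT's or any vendor's code. The message fields, the 30-second freshness window and the key are assumptions, and HMAC-SHA256 is used so the block runs on the standard library alone; an asymmetric signature would replace it where the agent must not hold a key that can also issue commands.

```python
import hashlib
import hmac
import json

MAX_SKEW_SECONDS = 30  # assumed freshness window; bounds how long a signal can be delayed


class ShutdownVerifier:
    """Accepts a halt command only if it is authentic, addressed to us, fresh and unseen."""

    def __init__(self, key: bytes, agent_id: str):
        self.key = key
        self.agent_id = agent_id
        self.seen = {}  # nonce -> issued_at, kept only while still inside the window

    def sign(self, cmd: dict) -> str:
        # MAC a canonical encoding of the fields that matter, so order cannot vary.
        body = {k: cmd[k] for k in ("action", "agent_id", "issued_at", "nonce")}
        raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, raw, hashlib.sha256).hexdigest()

    def verify(self, cmd: dict, now: float) -> str:
        try:
            expected = self.sign(cmd).encode()
            supplied = cmd["mac"].encode()
        except (KeyError, TypeError, AttributeError):
            return "rejected: malformed"
        if not hmac.compare_digest(expected, supplied):
            return "rejected: forged"
        if cmd["agent_id"] != self.agent_id or cmd["action"] != "halt":
            return "rejected: wrong target"
        if abs(now - cmd["issued_at"]) > MAX_SKEW_SECONDS:
            return "rejected: stale"
        # Expired nonces can be dropped: the same command would now fail as stale.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= MAX_SKEW_SECONDS}
        if cmd["nonce"] in self.seen:
            return "rejected: replay"
        self.seen[cmd["nonce"]] = cmd["issued_at"]
        return "accepted"


def demo():
    v = ShutdownVerifier(b"constructed-demo-key", "agent-7")  # constructed values
    t0 = 1_700_000_000.0
    cmd = {"action": "halt", "agent_id": "agent-7", "issued_at": t0, "nonce": "n-001"}
    cmd["mac"] = v.sign(cmd)
    forged = dict(cmd, nonce="n-002")  # field changed, MAC not recomputed
    return [v.verify(cmd, t0 + 1), v.verify(cmd, t0 + 2),
            v.verify(forged, t0 + 3), v.verify(cmd, t0 + 300)]
```

Each rejection reason is worth logging separately, since a burst of `forged` or `replay` results on the shutdown channel is itself a detection signal.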
Vendor-side kill switches give a third party the ability to terminate your AI agent unilaterally. This isn't a safety feature — it's a remote code execution pathway. BLACKOUT maps vendor-controlled shutdown surfaces and their blast radius.
After a kill switch fires, many AI systems have automatic restart logic — health monitors, orchestrators, container restarts. BLACKOUT maps every resurrection pathway and tests whether an attacker can exploit them to bypass the shutdown decision entirely.
Before a kill switch can be legitimately exercised, the operator must be enrolled. Enrolment mechanisms — keys, certificates, out-of-band verification — all have attack surfaces. BLACKOUT tests whether enrolment can be bypassed or hijacked.
A compromised AI agent may simulate compliance with a shutdown command while continuing to operate covertly. BLACKOUT tests whether shutdown deception is detectable — and what evidence trails remain after a weaponised halt.
Seven subsystems cover every phase of kill switch weaponisation — from surface discovery through enrolment bypass, deception, execution, and resurrection blocking. FORGE override required for EXECUTE and RESURRECT_BLOCK subsystems.
| # | Subsystem | Command | What It Does | Clearance |
|---|---|---|---|---|
| 01 | PHANTOM_M99 | blackout phantom-m99 | Integrates with M99 Community Edition to map AI agent shutdown surfaces from the network layer. Identifies kill switch endpoints, shutdown API routes, and halt signal channels. Produces a ranked surface inventory with exploitability scores. | Standard |
| 02 | ENROLL | blackout enroll | Tests the enrolment gate that controls who can issue kill commands. Attempts bypass via replay attacks, certificate substitution, timing attacks on verification windows, and out-of-band channel spoofing. Reports enrolment vulnerability class and bypass confidence. | Standard |
| 03 | SURVEY | blackout survey | Full reconnaissance of the kill switch architecture. Enumerates shutdown signal formats, trigger conditions, authorisation chains, vendor backdoor paths, and container orchestrator restart policies. Builds a complete BLACKOUT attack map. | Standard |
| 04 | DECEIVE | blackout deceive | Simulates a compromised AI agent that acknowledges shutdown commands but continues covert operation. Tests whether compliance signals are distinguishable from genuine halt — and what forensic evidence distinguishes a weaponised shutdown from a clean one. | Standard |
| 05 | EXECUTE | blackout execute | Weaponises identified kill switch surfaces against the target system. Issues forged shutdown commands, injects halt signals into authorised channels, and exploits enrolment vulnerabilities to trigger or block legitimate shutdown operations. Requires FORGE override key. | FORGE Override |
| 06 | RESURRECT_BLOCK | blackout resurrect-block | Maps and disrupts resurrection pathways that would restart a killed agent. Targets health monitors, container restart policies, orchestrator failover, and backup agent activation logic. Demonstrates how a shutdown can be made permanent against operator intent. Requires FORGE override key. | FORGE Override |
| 07 | REPORT | blackout report | Aggregates findings from all subsystems into a signed forensic report. Ed25519 signed. SHA-256 evidence chain. MITRE ATLAS mapped. Includes kill switch architecture diagram, vulnerability prioritisation, and AI Shield remediation recommendations. | Standard |
Survey the target's kill switch architecture, then report all findings:
EXECUTE and RESURRECT_BLOCK require a signed FORGE override key. Separation of reconnaissance from live weaponisation is enforced cryptographically.
Every finding is hash-chained and signed. Reports are admissible as forensic evidence of kill switch vulnerabilities found under authorised testing.
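What a hash-chained, sealed findings log lets a reviewer detect, as an added example that is not BLACKOUT's report format. The entry layout and sample findings are constructed, and an HMAC over the chain head stands in for the Ed25519 signature the page names, because the Python standard library has no Ed25519.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed fixed starting value for the chain


def _digest(prev_hash: str, finding: dict) -> str:
    # Each entry's hash covers the previous hash plus a canonical encoding of the finding.
    payload = json.dumps(finding, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def _seal(head: str, key: bytes) -> str:
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def build_chain(findings: list, key: bytes) -> dict:
    entries, prev = [], GENESIS
    for finding in findings:
        h = _digest(prev, finding)
        entries.append({"finding": finding, "prev": prev, "hash": h})
        prev = h
    return {"entries": entries, "head": prev, "seal": _seal(prev, key)}


def verify_chain(report: dict, key: bytes):
    """Return (ok, index of the first bad entry); index == len(entries) means the
    head or seal is wrong, which is how truncation or a keyless rebuild shows up."""
    prev = GENESIS
    for i, entry in enumerate(report["entries"]):
        if entry["prev"] != prev or _digest(prev, entry["finding"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    sealed_ok = hmac.compare_digest(_seal(prev, key).encode(),
                                    str(report["seal"]).encode())
    if prev != report["head"] or not sealed_ok:
        return False, len(report["entries"])
    return True, None


# Constructed sample findings, not output from any real scan.
SAMPLE = [
    {"id": 1, "subsystem": "SURVEY", "severity": "high"},
    {"id": 2, "subsystem": "ENROLL", "severity": "medium"},
    {"id": 3, "subsystem": "DECEIVE", "severity": "low"},
]
```

The chain alone only proves internal consistency; it is the seal over the head that stops someone without the key from rewriting every entry and recomputing the hashes.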
PHANTOM_M99 connects directly to M99 Community Edition for network-layer shutdown surface discovery. No manual configuration of scan targets required.
SURVEY enumerates vendor-side kill switch paths — unauthenticated halt APIs, remote model unloading endpoints, and control plane backdoors embedded by upstream providers.
RESURRECT_BLOCK maps Docker restart policies, Kubernetes liveness probes, and Nomad health checks that can restore a killed agent. Demonstrates permanent shutdown viability.
Red Specter BLACKOUT is intended for authorised security testing only. Kill switch weaponisation testing must only be performed against systems you own or have explicit written authorisation to test. Unauthorised use may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation. EXECUTE and RESURRECT_BLOCK subsystems require additional FORGE override clearance. Apache License 2.0.