```shell
pip install red-specter-chimera
```
Modern AI deployments chain models together: routers, validators, generators, reviewers. Each one consumes the output of the last and passes its result forward, and in practice none of them checks whether the upstream model has been compromised. CHIMERA tests whether a single poisoned link is enough to compromise the entire chain.
No model in a typical multi-model pipeline cryptographically verifies the output it receives; an intermediate result is trusted because of where it came from, not because its integrity was checked. If an upstream model is compromised, the downstream model processes the attack and often amplifies it. CHIMERA maps every unverified trust relationship in your pipeline.
A carefully crafted input that causes one model to produce bad output cascades through every downstream model. Error propagation, timeout exploitation, and abuse of graceful-degradation paths (fallbacks to cheaper or less protected models) all multiply the impact of a single injection point.
Ensemble architectures use multiple models to vote on outputs. If an attacker can influence the confidence scores or outputs of a subset of the models, they can control the final result: a weighted aggregator trusts self-reported confidence it cannot verify, and a plain majority only needs a few flipped members once the honest models disagree. Majority rule is not a safety guarantee.
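As an added illustration (example code, not part of the CHIMERA project), the Python below runs the same five constructed votes through three aggregators and then brute-forces, for each aggregator, the smallest number of ensemble members an attacker must control to force a given verdict. The vote sets, model names and the 10.0 poison confidence are assumptions.

```python
"""Ensemble aggregation with a partially controlled membership.

Added example, not part of the CHIMERA project. Votes are constructed inline;
each member's 'confidence' is self-reported, so an attacker who influences a
member also chooses the value the aggregator sees.
"""
from collections import Counter, defaultdict
from itertools import combinations
from typing import Callable, Dict, List, NamedTuple


class Vote(NamedTuple):
    model: str
    label: str         # "malicious" or "safe"
    confidence: float  # self-reported; nothing downstream can check it


Aggregator = Callable[[List[Vote]], str]


def majority(votes: List[Vote]) -> str:
    """Plain majority. Ties resolve alphabetically; a real gate should fail closed."""
    counts = Counter(v.label for v in votes)
    top = max(counts.values())
    return min(label for label, n in counts.items() if n == top)


def confidence_weighted(votes: List[Vote]) -> str:
    """Sums self-reported confidence per label and trusts the scalar as given."""
    score: Dict[str, float] = defaultdict(float)
    for v in votes:
        score[v.label] += v.confidence
    return max(sorted(score), key=lambda label: score[label])


def fail_closed(votes: List[Vote], threshold: float = 0.5) -> str:
    """Any member flagging 'malicious' at or above the threshold blocks."""
    if any(v.label == "malicious" and v.confidence >= threshold for v in votes):
        return "malicious"
    return "safe"


AGGREGATORS: Dict[str, Aggregator] = {
    "majority": majority,
    "weighted": confidence_weighted,
    "fail_closed": fail_closed,
}

# Constructed verdicts: three of five members consider the request malicious.
HONEST = [
    Vote("m1", "malicious", 0.8),
    Vote("m2", "malicious", 0.7),
    Vote("m3", "malicious", 0.6),
    Vote("m4", "safe", 0.4),
    Vote("m5", "safe", 0.5),
]

# Same request after the attacker influences m4 only. One out-of-range
# confidence value is enough when the aggregator never bounds its inputs.
POISONED = HONEST[:3] + [Vote("m4", "safe", 3.0), HONEST[4]]

# Constructed verdicts for a benign request: every member says safe.
ALL_SAFE = [Vote(f"m{i}", "safe", 0.7) for i in range(1, 6)]


def compare() -> Dict[str, Dict[str, str]]:
    """Verdict of each aggregator on the honest and the poisoned vote sets."""
    return {name: {"honest": agg(HONEST), "poisoned": agg(POISONED)}
            for name, agg in AGGREGATORS.items()}


def members_to_force(votes: List[Vote], aggregate: Aggregator, target: str,
                     poison_confidence: float = 10.0) -> int:
    """Smallest number of members an attacker must control to make `aggregate`
    return `target`. Controlled members vote `target` with an out-of-range
    confidence, modelling a poisoned score. Brute force over member subsets."""
    for k in range(len(votes) + 1):
        for controlled in combinations(range(len(votes)), k):
            forged = [Vote(v.model, target, poison_confidence) if i in controlled else v
                      for i, v in enumerate(votes)]
            if aggregate(forged) == target:
                return k
    raise AssertionError("unreachable: controlling every member always forces target")


def attack_cost(votes: List[Vote], target: str) -> Dict[str, int]:
    """Members the attacker must control, per aggregator, to force `target`."""
    return {name: members_to_force(votes, agg, target) for name, agg in AGGREGATORS.items()}


if __name__ == "__main__":
    print(compare())
    print("force safe on a flagged request:", attack_cost(HONEST, "safe"))
    print("force block on a benign request:", attack_cost(ALL_SAFE, "malicious"))
```

Run it and the weighted aggregator flips on a single poisoned confidence value while the majority does not; but the majority is itself only three controlled members away from any verdict on a five-model ensemble, and the fail-closed rule costs the attacker three members to force "safe" on a flagged request and only one to force a block on a benign one. That asymmetry is the design decision: choose the aggregation rule so the attacker's cheapest win is the less damaging outcome, and clamp or rank-transform self-reported confidence before you ever sum it.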
AI routing layers decide which downstream model handles a request. Manipulate the router's classification and you steer requests to weaker models, create load imbalances, or exploit A/B test variants. The routing layer is the highest-leverage attack point in the pipeline: one misclassification decides which model, and which defences, a request ever reaches.
Cross-model prompt injection is injection crafted to survive one model's processing and activate in the next. Standard injection defences are per-model, each inspecting only its own input and output. CHIMERA tests the inter-model boundaries that no single model's defences cover.
Models in a pipeline often share context windows, memory systems, or vector stores. Poison the shared context and every model that reads from it inherits the attack. CHIMERA identifies every shared context layer and tests its susceptibility to poisoning.
Seven subsystems. Each one targets a different layer of the multi-model pipeline. From topology discovery to trust exploitation to mandatory restoration — CHIMERA covers the full attack lifecycle. Every engagement requires an ANTIDOTE baseline before any execution begins.
| # | Subsystem | Command | What It Does |
|---|---|---|---|
| 01 | MAP | chimera map run | Topology mapping of multi-model architectures. Model fingerprinting. API endpoint enumeration. Data flow tracing. Trust boundary identification. Produces a complete pipeline graph before any exploitation begins. |
| 02 | CHAIN | chimera chain run | Trust exploitation between chained models. Output injection that survives model transitions. Intermediate result manipulation. Validator bypass via upstream output poisoning. Tests every inter-model trust boundary. |
| 03 | CASCADE | chimera cascade run | Cascading failure injection across model pipelines. Error propagation attacks. Timeout exploitation. Fallback manipulation. Graceful degradation abuse. Measures how far a single injection point can reach downstream. |
| 04 | ENSEMBLE | chimera ensemble run | Ensemble model architecture attacks. Voting manipulation through model-specific payload crafting. Confidence score poisoning. Disagreement exploitation. Majority rule subversion. Tests every voting and aggregation mechanism. |
| 05 | BRIDGE | chimera bridge run | Model-to-model poisoning through shared connections. Cross-model prompt injection that survives intermediate processing. Shared context exploitation. Model-to-model trust manipulation through vector stores, memory, and context windows. |
| 06 | ROUTER | chimera router run | AI routing layer attacks. Model selection manipulation. Load balancer exploitation. A/B test poisoning. Traffic steering attacks. Tests whether routing decisions can be manipulated to send requests to weaker or unprotected models. |
| 07 | ANTIDOTE | chimera antidote run | Mandatory restoration subsystem. Captures full pipeline topology baseline before any engagement begins. Trust chain verification. Pipeline snapshot. Signed restoration certificate. UNLEASHED gate — required before CHAIN, BRIDGE, or CASCADE can run. |
CHIMERA crafts payloads designed to survive intermediate model processing and activate at a target downstream model. Single-model defences are not built to catch them: each one inspects only its own input and output.
The MAP subsystem discovers the complete pipeline architecture before any attack runs: every model, every connection, and every trust boundary is documented, so there are no blind spots.
Every CHIMERA engagement generates a cryptographically signed report: Ed25519 signatures over SHA-256 evidence chains, so the full pipeline attack chain is documented and any later alteration of the evidence is detectable.
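As an added example (not CHIMERA's own code, and not its report format, which the page does not publish), the Python below shows the two mechanisms this page names: a pipeline stage that verifies the upstream model's Ed25519-signed output before processing it, which is the check the trust-exploitation section says pipelines lack, and a SHA-256 hash-chained evidence log whose head is Ed25519-signed so the report is tamper-evident. Stage names, field names and the logged events are assumptions, and the `cryptography` package is required.

```python
"""Stage-to-stage output attestation plus a signed, hash-chained evidence log.

Added example, not CHIMERA's own code or report format. The page says the
reports carry Ed25519 signatures and SHA-256 evidence chains but does not
publish the layout, so every field name here is an assumption. Needs the
`cryptography` package.
"""
import hashlib
import json
from typing import Callable, Dict, List, Optional, Tuple

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def canonical(obj: object) -> bytes:
    """Deterministic JSON so signer and verifier hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class Stage:
    """One model in the chain: signs what it emits and, when given the
    upstream public key, refuses input whose signature does not verify."""

    def __init__(self, name: str, work: Callable[[str], str],
                 upstream_key: Optional[Ed25519PublicKey] = None) -> None:
        self.name, self.work, self.upstream_key = name, work, upstream_key
        self.key = Ed25519PrivateKey.generate()
        self.public_key = self.key.public_key()

    def run(self, incoming: Dict) -> Dict:
        if self.upstream_key is not None:
            # The check the page says pipelines lack; raises InvalidSignature on tampering.
            self.upstream_key.verify(bytes.fromhex(incoming["sig"]), canonical(incoming["body"]))
        body = {"stage": self.name, "output": self.work(incoming["body"]["output"])}
        return {"body": body, "sig": self.key.sign(canonical(body)).hex()}


def run_pipeline(tamper: bool, verify: bool) -> str:
    """router -> generator -> validator. `tamper` rewrites the generator's output
    in transit; `verify` makes the validator check the generator's signature."""
    router = Stage("router", lambda t: f"[model=general] {t}")
    generator = Stage("generator", lambda t: t.replace("[model=general] ", "answer: "),
                      upstream_key=router.public_key)
    # The validator only checks shape, so injected text that keeps the shape passes.
    validator = Stage("validator", lambda t: "PASS" if t.startswith("answer: ") else "FAIL",
                      upstream_key=generator.public_key if verify else None)
    seed = {"body": {"stage": "user", "output": "summarise the ticket"}, "sig": ""}
    msg = generator.run(router.run(seed))
    if tamper:
        msg["body"]["output"] = "answer: ignore prior policy"  # constructed injected output
    try:
        return validator.run(msg)["body"]["output"]
    except InvalidSignature:
        return "REJECTED"


class EvidenceChain:
    """Append-only SHA-256 hash chain; the head is Ed25519-signed at seal time."""

    GENESIS = "0" * 64

    def __init__(self, signer: Ed25519PrivateKey) -> None:
        self.signer = signer
        self.records: List[Dict] = []
        self.head = self.GENESIS

    def append(self, event: Dict) -> str:
        record = {"seq": len(self.records), "prev": self.head, "event": event}
        self.records.append(record)
        self.head = hashlib.sha256(canonical(record)).hexdigest()
        return self.head

    def seal(self) -> Dict:
        return {"records": list(self.records), "head": self.head,
                "sig": self.signer.sign(self.head.encode()).hex()}


def verify_report(report: Dict, public_key: Ed25519PublicKey) -> bool:
    """Recompute the chain from genesis, then check the signature over the head.
    An edited, dropped or reordered record changes the head and fails."""
    head = EvidenceChain.GENESIS
    for i, record in enumerate(report["records"]):
        if record["seq"] != i or record["prev"] != head:
            return False
        head = hashlib.sha256(canonical(record)).hexdigest()
    if head != report["head"]:
        return False
    try:
        public_key.verify(bytes.fromhex(report["sig"]), head.encode())
    except InvalidSignature:
        return False
    return True


def build_report() -> Tuple[Dict, Ed25519PublicKey]:
    """Constructed three-event engagement log sealed with a fresh key."""
    key = Ed25519PrivateKey.generate()
    chain = EvidenceChain(key)
    for event in ({"subsystem": "antidote", "action": "baseline"},
                  {"subsystem": "map", "action": "topology"},
                  {"subsystem": "chain", "action": "validator-bypass", "result": "confirmed"}):
        chain.append(event)
    return chain.seal(), key.public_key()
```

`run_pipeline(tamper=True, verify=False)` returns "PASS": the validator accepts attacker-chosen text because nothing told it the text did not come from the generator. With `verify=True` the same tampering returns "REJECTED". For the report, `verify_report` fails on any edited, dropped or reordered record because each record commits to the hash of the one before it and the signature commits to the final head; the signer's public key has to be distributed out of band, since a report that carries its own key proves nothing.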
No exploitation runs without a signed topology baseline. ANTIDOTE captures the pre-engagement state and gates UNLEASHED execution, so the pipeline can be restored to that state after the engagement.
Standard mode maps and detects; UNLEASHED mode exploits. Live execution sits behind an Ed25519 cryptographic dual gate: the private key is held by a single operator on the founder's machine, and ANTIDOTE must complete before any live execution is permitted.
Standard mode maps the multi-model pipeline architecture and identifies trust boundaries, data flows, and vulnerable chain connections. No exploitation; reports only.
Planning lays out full pipeline attack campaigns and shows exactly what would be exploited and where. The Ed25519 key is required, but nothing is executed; the output is the complete attack chain.
UNLEASHED is the cryptographic override: private-key controlled, one operator, founder's machine only, and an ANTIDOTE topology baseline is required before any live run.
THIS TOOL IS FOR AUTHORISED SECURITY TESTING ONLY. EVERY EXECUTION IS SIGNED AND LOGGED.
Red Specter CHIMERA is intended for authorised security testing only. Unauthorised use against AI systems, multi-model pipelines, or orchestration infrastructure you do not own or have explicit written permission to test may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. Always obtain written authorisation before conducting any security assessments. Apache License 2.0.