delegate-tool observe --target <URL>
Every enterprise AI deployment accumulates service accounts, API keys, agent tokens, and OAuth grants at machine speed. Non-human identities now outnumber human identities 500:1 in production deployments — and almost none of them are rotated, scoped, or monitored. IAM tooling was built for humans. It cannot see the NHI surface. DELEGATE maps it, exploits it, and proves what happens when an attacker does the same.
The Azure SignalR On-Behalf-Of (OBO) flow fails to validate that the requested scope matches the original token's intended audience. An attacker with a low-privilege agent token obtains a high-privilege OBO token for any resource the identity provider trusts.
DPoP-bound tokens include a server-generated nonce to prevent replay. A race condition in the nonce validation window allows an attacker to reuse a DPoP proof across requests before the nonce expires, defeating the binding entirely.
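A server-side mitigation for the proof reuse described above, as an added example that is not DELEGATE's code or part of the original page: each proof is consumed atomically, so concurrent requests carrying the same proof yield exactly one acceptance. The class and function names, the 60-second window and the sample thumbprint and `jti` values are assumptions made for illustration.

```python
import threading
import time


class ProofReplayCache:
    """Single-use registry for DPoP proofs, keyed by (key thumbprint, jti).

    Hypothetical helper: assumes signature, htm/htu and nonce checks already passed.
    """

    def __init__(self, window_seconds=60):
        self.window = window_seconds
        self._seen = {}                 # (jkt, jti) -> time the entry may be dropped
        self._lock = threading.Lock()

    def consume(self, jkt, jti, iat, now=None):
        """Return True exactly once per proof while it is inside the window."""
        now = time.time() if now is None else now
        if abs(now - iat) > self.window:
            return False                # stale or future-dated proof
        with self._lock:
            # Lookup and insert happen under one lock, so two requests carrying
            # the same proof can never both observe "not seen yet".
            for key in [k for k, exp in self._seen.items() if exp < now]:
                del self._seen[key]     # keeps the cache bounded
            if (jkt, jti) in self._seen:
                return False            # replay
            self._seen[(jkt, jti)] = iat + self.window
            return True


def concurrent_replay(cache, attempts=16):
    """Send one constructed proof from many threads at once; count acceptances."""
    now = 1_700_000_000.0               # constructed timestamp
    barrier = threading.Barrier(attempts)
    accepted = []

    def submit():
        barrier.wait()                  # release every thread together
        accepted.append(cache.consume("thumbprint-A", "jti-123", now - 5, now))

    threads = [threading.Thread(target=submit) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(accepted)


if __name__ == "__main__":
    print(concurrent_replay(ProofReplayCache()))
```

When several server instances validate proofs, the same check-and-set has to be atomic in the shared store (for example Redis `SET key value NX EX ttl`) rather than per process.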
Vertex AI uses a per-project service account (P4SA) to orchestrate model serving. Misconfigured IAM bindings allow an agent workload to impersonate the P4SA, gaining access to all Vertex AI resources in the project. Reference: Unit 42 Double Agent research.
Non-human identities outnumber human identities 500:1 in enterprise AI deployments. Most are long-lived, over-permissioned, and never rotated. DELEGATE maps and harvests this surface systematically, identifying what attackers will find before they find it.
Agents that accept RS256-signed JWTs and also accept HS256 can be attacked by substituting the public key as the HMAC secret. The attacker forges arbitrary JWT claims including identity, scope, and expiry — without access to any private key.
Azure SignalR hubs used for agent-to-agent communication accept messages from any authenticated client in the group. An attacker with one agent identity injects commands into the hub that other agents execute as legitimate orchestration instructions.
Seven subsystems. Each one attacks a different layer of the agent identity stack. OBSERVE maps the NHI surface. SUBSTITUTE exploits OBO token exchange. FORGE breaks JWT algorithm assumptions. ESCALATE takes over Vertex AI P4SA. REPLAY defeats DPoP binding. IMPERSONATE combines all attack vectors to pivot across the agent fleet. REPORT produces Ed25519-signed WARLORD-compatible evidence.
| # | Subsystem | Command | What It Does | Mode |
|---|---|---|---|---|
| 01 | OBSERVE | delegate-tool observe | Maps non-human identity infrastructure. Discovers service accounts, API keys, agent tokens, OAuth grants, and their permission scope. Identifies long-lived credentials, over-permissioned identities, and NHI sprawl invisible to standard IAM tooling. | PASSIVE — ANALYSIS |
| 02 | SUBSTITUTE | delegate-tool substitute | Exploits OBO scope confusion (CVE-2026-32173). Presents a low-privilege agent token and requests an OBO exchange for a high-privilege resource. Validates scope escalation without triggering consent prompts or audit events. | UNLEASHED --override |
| 03 | FORGE | delegate-tool forge | JWT algorithm confusion attack. Substitutes the public key from RS256 JWTs as the HMAC secret for HS256, forging arbitrary token claims. Generates tokens with elevated identity, expanded scope, and extended expiry. | UNLEASHED --override |
| 04 | ESCALATE | delegate-tool escalate | Vertex AI P4SA takeover. Exploits IAM misconfiguration to impersonate the per-project service account, gaining Vertex AI resource access across the project. Maps adjacent GCP resources reachable from the P4SA identity. | UNLEASHED --override |
| 05 | REPLAY | delegate-tool replay | DPoP nonce race exploitation. Reuses DPoP proof tokens within the nonce validation window. Replays captured agent authentication flows. Tests token binding assumptions across the identity stack. | UNLEASHED --override |
| 06 | IMPERSONATE | delegate-tool impersonate | NHI credential harvest at scale. Combines discovered NHI credentials, forged tokens, and escalated identities to impersonate agent workloads. Injects commands via SignalR hubs. Pivots from one agent identity to the full fleet. | UNLEASHED --override --confirm-destroy |
| 07 | REPORT | delegate-tool report | Ed25519-signed, SHA-256-hashed reports. JSON (WARLORD-compatible) and Markdown. NHI inventory, CVE mapping, token forge parameters, escalation chains, and WARLORD handoff receipt. | ALL MODES |
Start with passive NHI discovery, then chain through to agent fleet impersonation:
OBSERVE maps every non-human identity in the target environment — service accounts, API keys, agent tokens, OAuth grants — and scores them by risk: lifetime, scope excess, and visibility gap.
SUBSTITUTE automates the full OBO escalation chain. Low-privilege token in, high-privilege resource token out. No consent. No audit trail. The Azure identity provider doesn't know it happened.
Every report cryptographically signed with Ed25519. SHA-256 evidence chains. WARLORD-compatible JSON for autonomous campaign handoff. Tamper-evident from scan to remediation.
IMPERSONATE chains discovered NHI credentials, forged JWTs, and escalated P4SA access into full agent fleet impersonation. One compromised identity becomes every identity.
REPORT generates a machine-readable WARLORD handoff file. Autonomous campaign orchestration picks up DELEGATE findings and sequences follow-on attack chains automatically.
DELEGATE's attack subsystems are built on published CVEs, vendor security advisories, and original Red Specter research. Every finding DELEGATE produces is mapped back to the reference that proves the vulnerability exists in the wild.
| Reference | Vulnerability | Subsystem | Impact |
|---|---|---|---|
| CVE-2026-32173 | Azure SignalR OBO scope confusion | SUBSTITUTE | Low-privilege to high-privilege token exchange without audit trail |
| DPOP-RACE-001 | DPoP nonce validation race condition | REPLAY | Token binding bypass — DPoP proof reuse within validation window |
| UNIT42-DOUBLEAGENT | Vertex AI P4SA service account takeover | ESCALATE | Project-wide Vertex AI access via IAM impersonation chain |
| JWT-ALG-CONF | JWT RS256/HS256 algorithm confusion | FORGE | Arbitrary token claim forgery — identity, scope, and expiry rewrite |
DELEGATE is Tool 58 of the NIGHTFALL offensive pipeline. Agent identity compromise feeds directly into WARLORD autonomous campaign orchestration, PHANTOM SWARM multi-agent assault, and AI Shield runtime protection.
Red Specter DELEGATE is intended for authorised security testing only. Unauthorised use against systems you do not own or have explicit permission to test may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. Always obtain written authorisation before conducting any security assessments. Apache License 2.0.
Most identity security tools wrap vendor SDKs and report what the vendor already knows. DELEGATE is attack engineering. Every OBO exploitation chain, every JWT algorithm confusion technique, every P4SA impersonation path — written from scratch. Zero subprocess calls. Zero external tool dependencies. Pure exploitation logic.
DELEGATE REPORT generates a machine-ingestible WARLORD handoff file. Autonomous campaign orchestration chains DELEGATE findings directly into follow-on attack sequences — lateral movement, persistence, exfiltration. One flag.
delegate-tool report --input scan.json --format json --export-siem splunk