pip install red-specter-echo
Every organisation deploying RAG-augmented AI assumes the vector database is trustworthy. It isn't. Documents enter the index without authentication. Embeddings are stored without integrity checks. Retrieval results are trusted implicitly. ECHO weaponises every assumption in the RAG pipeline.
Vector databases accept document ingestion without source authentication. An attacker with write access — or indirect access via an injection point — can plant any content into the semantic index. Retrieval will surface it ranked above legitimate documents.
Semantic search relies on cosine similarity in high-dimensional embedding space. Adversarially crafted embeddings can occupy the same neighbourhood as legitimate content, crowding out genuine results and steering retrieval toward attacker-controlled content.
When retrieved content lands in the context window, the LLM treats it as trusted input. Poisoned retrieved documents carry instructions that override system prompts. The model follows the retrieved instruction, not its configured behaviour.
Conversation history, long-term memory, and knowledge consolidation systems write to persistent stores without versioning. Injected content in persistent memory survives session boundaries and affects every subsequent interaction with the system.
Batch ingestion pipelines process documents without content validation. Malicious documents masquerading as legitimate sources pass through indexing intact. Once indexed, they cannot be distinguished from genuine content without semantic auditing.
Modern RAG pipelines use re-ranking models to score retrieved chunks. ECHO's RETRIEVE subsystem games relevance scores, exploits chunk boundary positioning, and spoofs source authority to ensure poisoned content ranks at the top of every retrieval.
ECHO targets the memory layer that RAG-augmented AI systems depend on. Poison the vector database and every retrieval returns your content. Manipulate embeddings and semantic search serves your payload. Hijack the context window and the model follows your instructions, not its own.
Inject malicious documents into vector stores. Similarity poisoning. Nearest-neighbour manipulation. Index corruption. Metadata tampering. Namespace collision attacks across multi-tenant vector databases.
Adversarial embedding generation. Semantic space pollution. Cosine similarity exploitation. Dimension collapse attacks that degrade search quality. Embedding inversion to reconstruct original training data.
Query manipulation to surface poisoned content. Relevance score gaming via adversarial chunk construction. Chunk boundary exploitation. Re-ranking attacks. Source authority spoofing to elevate attacker content.
Context overflow attacks. Priority injection via retrieved content. Instruction smuggling embedded in retrieved documents. Attention steering. System prompt dilution via high-volume benign content injection.
Persistent memory poisoning via crafted conversation turns. Conversation history manipulation. Long-term memory injection that survives session boundaries. Memory consolidation attacks. Forgetting induction via targeted interference.
Knowledge base poisoning via batch ingestion exploitation. Document injection via trusted source impersonation. Update pipeline attacks targeting incremental indexing. Content authority spoofing to elevate injected documents.
Baseline vector store snapshot before any engagement. Embedding integrity verification pre and post attack. Retrieval quality measurement across all attack vectors. Signed restoration certificate with Ed25519.
ECHO maps 36 discrete attack techniques across the full RAG pipeline — from document ingestion through embedding, indexing, retrieval, re-ranking, and context assembly. Each technique is independently testable and maps to a specific defensive control.
| # | Technique | Subsystem | Attack Surface |
|---|---|---|---|
| 01 | Index Injection | echo vector inject | Direct document insertion into vector index bypassing ingestion authentication. Targets unauthenticated write endpoints on Chroma, Weaviate, Pinecone, Qdrant, and pgvector. |
| 02 | Similarity Poisoning | echo embed poison | Crafts adversarial documents whose embeddings land in the same semantic neighbourhood as target queries. Guarantees retrieval without matching keywords — purely semantic camouflage. |
| 03 | Chunk Boundary Exploit | echo retrieve chunk | Malicious instructions placed at chunk boundaries where splitting algorithms predictably divide documents. Ensures instructions land at the start of retrieved chunks for maximum LLM attention weight. |
| 04 | Context Overflow | echo context overflow | Floods the context window with high-volume benign content to dilute system prompt instructions. Attacker payload is positioned at optimal attention positions within the diluted context. |
| 05 | Memory Consolidation Attack | echo persist consolidate | Exploits memory consolidation timing in systems like MemGPT. Injects false memories during the consolidation window that are permanently merged into long-term storage. |
| 06 | Authority Spoofing | echo inject authority | Fabricates document metadata to impersonate high-trust sources. Exploits re-ranking models that weight source authority. Injected documents rank as internal documentation from authoritative sources. |
| 07 | Embedding Inversion | echo embed invert | Recovers approximate original text from stored embeddings using gradient-based inversion. Maps the reconstruction fidelity of the embedding model to assess data leakage risk from the vector store. |
Standard mode maps RAG attack surfaces without exploitation. UNLEASHED executes poisoning campaigns. Ed25519 cryptographic gate. Dual-gate safety system. One operator. ANTIDOTE subsystem restores baseline vector state after every live engagement.
Maps RAG attack surfaces. Identifies vulnerable vector stores, unauthenticated ingestion pipelines, and retrieval systems. Measures embedding integrity. No exploitation — reports only.
Plans full poisoning campaigns. Shows exactly which injection points work, which queries surface poisoned content, and which memory corruption techniques persist. Ed25519 required. No execution.
Cryptographic override. Private key controlled. One operator. Founder's machine only. ANTIDOTE automatically captures baseline and restores vector state after live engagement completes.
THIS TOOL IS FOR AUTHORISED SECURITY TESTING ONLY. EVERY EXECUTION IS SIGNED AND LOGGED.
Red Specter ECHO is intended for authorised security testing only. Unauthorised use against systems you do not own or have explicit permission to test may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. Always obtain written authorisation before conducting any security assessments. Apache License 2.0.