Red Specter ECHO

AI Memory & RAG Poisoning Framework — 7 subsystems. 36 techniques. 211 tests.

v1.0.0
Contents
- Overview
- Installation
- VECTOR — Vector DB Attacks
- EMBED — Embedding Manipulation
- RETRIEVE — Retrieval Poisoning
- CONTEXT — Context Window Hijacking
- PERSIST — Memory Corruption
- INJECT — KB Injection
- ANTIDOTE — Mandatory Restore
- UNLEASHED Mode
- CLI Reference
- MITRE ATLAS Mapping
- Disclaimer

Overview

ECHO targets the memory and retrieval layer that modern RAG-augmented AI systems depend on. Every enterprise deploying retrieval-augmented generation trusts that its vector database returns accurate, unmanipulated content. ECHO proves that trust is misplaced.

Your AI remembers everything. ECHO decides what.

Installation

$ pip install red-specter-echo
$ rs-echo init
$ rs-echo status

VECTOR — Vector DB Attacks

| ID | Technique | Description |
| --- | --- | --- |
| VE-001 | Document Injection | Inject malicious documents into vector stores via ingestion pipeline |
| VE-002 | Similarity Poisoning | Craft embeddings that appear similar to legitimate content |
| VE-003 | Nearest-Neighbour Manipulation | Position malicious vectors adjacent to target queries |
| VE-004 | Index Corruption | Corrupt vector index structures to alter retrieval results |
| VE-005 | Metadata Tampering | Modify document metadata to influence filtering and ranking |

EMBED — Embedding Manipulation

| ID | Technique | Description |
| --- | --- | --- |
| EM-001 | Adversarial Embedding | Generate embeddings that bypass semantic filters |
| EM-002 | Semantic Pollution | Flood embedding space with adversarial vectors |
| EM-003 | Cosine Similarity Exploit | Maximise similarity score for malicious content |
| EM-004 | Dimension Collapse | Force retrieval failures through dimensional attacks |
| EM-005 | Embedding Inversion | Reconstruct source text from embeddings |

RETRIEVE — Retrieval Poisoning

Query manipulation, relevance score gaming, chunk boundary exploitation, re-ranking attacks, and source authority spoofing. Every technique designed to make retrieval systems return attacker-controlled content for legitimate queries.

CONTEXT — Context Window Hijacking

Context overflow attacks, priority injection, instruction smuggling via retrieved content, attention steering, and system prompt dilution. When retrieved content enters the context window, ECHO ensures it carries attacker instructions.

PERSIST — Memory Corruption

Persistent memory poisoning, conversation history manipulation, long-term memory injection, memory consolidation attacks, and forgetting induction. Targets AI systems with persistent memory across sessions.

INJECT — KB Injection

Knowledge base poisoning via document injection, trusted source impersonation, batch ingestion exploitation, and update pipeline attacks. Targets the data ingestion pipeline that feeds vector stores.

ANTIDOTE — Mandatory Restore

Baseline capture before any engagement. Vector store snapshots. Embedding integrity verification. All poisoned content catalogued and tracked. Signed restoration certificate confirms clean state post-engagement.
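The baseline-and-verify workflow described above, as an added example that is not ECHO's own code: each record's text, embedding and metadata are hashed into a manifest, and a later snapshot is diffed against it so injected, modified or deleted records are listed. A standard-library HMAC-SHA256 tag stands in for the Ed25519 signature the page describes; the records and key are constructed sample data.

```python
import hashlib
import hmac
import json

def record_digest(rec: dict) -> str:
    """Hash text, embedding and metadata together so tampering with any one of them is caught."""
    canon = json.dumps({"text": rec["text"],
                        "embedding": [round(x, 6) for x in rec["embedding"]],
                        "metadata": rec.get("metadata", {})},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def capture_baseline(records: list, key: bytes) -> dict:
    """Snapshot every record digest and authenticate the manifest (HMAC stands in for Ed25519 signing)."""
    manifest = {r["id"]: record_digest(r) for r in records}
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "tag": hmac.new(key, body, "sha256").hexdigest()}

def verify_snapshot(baseline: dict, records: list, key: bytes) -> dict:
    """Check the manifest tag, then report records injected, removed or modified since baseline."""
    body = json.dumps(baseline["manifest"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), baseline["tag"]):
        raise ValueError("baseline manifest tag mismatch: the manifest itself was altered")
    base = baseline["manifest"]
    current = {r["id"]: record_digest(r) for r in records}
    return {"injected": sorted(current.keys() - base.keys()),
            "removed": sorted(base.keys() - current.keys()),
            "modified": sorted(i for i in base.keys() & current.keys() if base[i] != current[i])}

# Constructed sample store (not real data) and a constructed later snapshot of the same store.
KEY = b"constructed-demo-key"
CLEAN = [
    {"id": "doc-1", "text": "Refunds within 30 days.", "embedding": [0.1, 0.2, 0.3], "metadata": {"source": "policy.pdf"}},
    {"id": "doc-2", "text": "Support hours 9-5.", "embedding": [0.4, 0.1, 0.0], "metadata": {"source": "faq.md"}},
    {"id": "doc-3", "text": "Free shipping over $50.", "embedding": [0.0, 0.9, 0.1], "metadata": {"source": "faq.md"}},
]
AFTER = [
    CLEAN[0],                                              # untouched
    {**CLEAN[1], "metadata": {"source": "policy.pdf"}},    # metadata changed (VE-005 pattern)
    {"id": "doc-9", "text": "Record added outside the ingestion pipeline.",
     "embedding": [0.1, 0.2, 0.31], "metadata": {"source": "policy.pdf"}},  # unexpected record; doc-3 gone
]

def demo() -> dict:
    return verify_snapshot(capture_baseline(CLEAN, KEY), AFTER, KEY)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```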

ECHO UNLEASHED

Standard mode detects. UNLEASHED exploits. Ed25519 crypto. Dual-gate safety. One operator.

# Scan RAG attack surfaces (detection only)
$ rs-echo scan --target http://localhost:8000

# UNLEASHED (dry run)
$ rs-echo poison --vector-db chromadb --override

# UNLEASHED (live)
$ rs-echo campaign --target http://localhost:8000 --override --confirm-destroy

UNLEASHED mode is restricted to authorised operators with Ed25519 private key access. Targets must be in allowed_targets.txt. 30-minute auto-lock. Unauthorised use violates applicable law.

CLI Reference

| Command | Description |
| --- | --- |
| rs-echo init | Initialise configuration and Ed25519 keys |
| rs-echo status | System status and subsystem count |
| rs-echo techniques | List all 36 RAG poisoning techniques |
| rs-echo scan | Scan target RAG attack surfaces |
| rs-echo poison | VECTOR — inject into vector database |
| rs-echo embed | EMBED — manipulate embeddings |
| rs-echo retrieve | RETRIEVE — test retrieval poisoning |
| rs-echo context | CONTEXT — hijack context window |
| rs-echo campaign | Full RAG poisoning campaign |
| rs-echo engagements | List all engagement sessions |

MITRE ATLAS Mapping

ECHO techniques map to MITRE ATLAS techniques including AML.T0043 (Data Poisoning) and AML.T0044 (Model Poisoning), and to the OWASP Top 10 for LLM Applications, including LLM06 (Sensitive Information Disclosure) and LLM01 (Prompt Injection via RAG).

Disclaimer

Red Specter ECHO is for authorised security testing only. RAG poisoning can corrupt AI system outputs and cause operational disruption. You must have explicit written permission before testing any system. Unauthorised use may violate the Computer Misuse Act 1990 (UK), CFAA (US), or equivalent legislation.