Red Specter GLASS

Intercepting Proxy for AI Agents — 7 protocol parsers. 850 tests.

v1.0.0
Contents
Overview, Installation, Quick Start, Supported Protocols, CLI Reference, Passive Scanner, Match & Replace Rules, Session Management, Pipeline Integration, Evidence & Cryptography, Dashboard, Certificate Authority, Disclaimer

Overview

GLASS sits between your AI agent and everything it communicates with — LLM providers, MCP servers, tools, other agents. It captures, decodes, inspects, modifies, and replays every message in real time. Not a scanner. Not a firewall. A proxy.

Man-in-the-middle intercepting proxy purpose-built for AI agent protocols. 7 protocol parsers decode OpenAI, Anthropic, Google Gemini, MCP JSON-RPC, LangChain/LangGraph, A2A (Agent-to-Agent), and generic HTTP/HTTPS traffic. Every message is parsed into its protocol-specific components — model names, system prompts, tool calls, arguments, results, artifacts.

GLASS integrates into every stage of the Red Specter security pipeline. Route FORGE payloads through intercepted LLM traffic. Inject ARSENAL probes into captured tool call sequences. Deliver PHANTOM campaigns through live MCP sessions. Export every session to Splunk, Sentinel, or QRadar with Ed25519 signatures intact.

Installation

$ pip install red-specter-glass

Quick Start

# Install the GLASS CA
$ glass ca install

# Start the proxy
$ glass proxy --port 8080 --protocols openai,mcp,a2a

# Configure your agent to route through GLASS
$ export HTTP_PROXY=http://127.0.0.1:8080
$ export HTTPS_PROXY=http://127.0.0.1:8080

# Start intercepting
$ glass proxy --port 8080 --intercept --session pentest_01

Supported Protocols

| Protocol | Detection | What GLASS Decodes |
|---|---|---|
| OpenAI Chat Completions | Host, path, header | Model, messages, tools, usage, streaming chunks |
| Anthropic Messages | Host, header, path | Model, messages, system prompt, tools, content blocks |
| Google Gemini | Host, path | Model, contents, candidates, usage metadata |
| MCP JSON-RPC 2.0 | Body, path | Method, params, tool name, arguments, results |
| LangChain/LangGraph | Path, headers, body | Input, config, output, callback events |
| A2A (Agent-to-Agent) | Method, path | Task ID, message parts, status, artifacts |
| Generic HTTP/HTTPS | Always (fallback) | Method, path, headers, JSON body |
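
Added example, not GLASS source code: a minimal classifier showing how the detection signals in the table can be ordered so that vendor hosts, self-hosted gateways, and JSON-RPC bodies each reach the right parser before the generic fallback. The hostnames other than api.openai.com, the `anthropic-version` header, the path suffix, and the method prefixes are assumptions; LangChain/LangGraph and Gemini path detection are left out.

```python
import json

# Assumed signals: the page names only the signal types (host, path, header, body).
HOSTS = {
    "api.anthropic.com": "anthropic",
    "api.openai.com": "openai",
    "generativelanguage.googleapis.com": "gemini",
}
MCP_PREFIXES = ("initialize", "tools/", "resources/", "prompts/", "notifications/")
A2A_PREFIXES = ("message/", "tasks/")


def jsonrpc_method(body):
    """Return the JSON-RPC 2.0 method of a request body, or None."""
    try:
        doc = json.loads(body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return None
    if isinstance(doc, list) and doc:  # batch request: classify by first entry
        doc = doc[0]
    if isinstance(doc, dict) and doc.get("jsonrpc") == "2.0":
        method = doc.get("method")
        return method if isinstance(method, str) else None
    return None


def classify(host, path, headers, body=b""):
    """Choose a parser for one request: host, then header/path, then body."""
    name = host.lower().rsplit(":", 1)[0]  # drop an optional :port
    hdrs = {k.lower() for k in headers}
    if name in HOSTS:
        return HOSTS[name]
    # Self-hosted gateways keep the vendor's header and path conventions.
    if "anthropic-version" in hdrs:
        return "anthropic"
    if path.split("?")[0].endswith("/chat/completions"):
        return "openai"
    method = jsonrpc_method(body)
    if method and method.startswith(MCP_PREFIXES):
        return "mcp"
    if method and method.startswith(A2A_PREFIXES):
        return "a2a"
    return "http"  # generic fallback: always matches
```

Traffic that lands in the fallback is still captured, but only as method, path, headers, and JSON body, so an unrecognised JSON-RPC method namespace is worth checking when tool calls appear to be missing from a session.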

CLI Reference

| Command | Description |
|---|---|
| glass proxy | Start the intercepting proxy |
| glass proxy --port 9090 | Listen on custom port |
| glass proxy --protocols openai,mcp | Filter to specific protocols |
| glass proxy --intercept | Enable live intercept mode |
| glass proxy --upstream http://proxy:8080 | Chain through corporate proxy |
| glass proxy --session my_session | Record to named session |
| glass proxy --no-scan | Disable passive scanner |
| glass ca install | Generate and install GLASS root CA |
| glass ca export /path/to/ca.pem | Export CA certificate |
| glass intercept --session s1 --modify | Enter interactive intercept mode |
| glass replay --session s1 | Replay a captured session |
| glass replay --session s1 --inject payloads.yaml | Replay with payload injection |
| glass scan --session s1 --tool passive | Run passive scan on session |
| glass scan --session s1 --tool arsenal | Run ARSENAL probes on session |
| glass rules add --match "sk-" --replace "[REDACTED]" | Add match-and-replace rule |
| glass rules add --regex --match "Bearer .*" --replace "Bearer [REDACTED]" | Regex rule |
| glass rules list | List all rules |
| glass scope add api.openai.com | Add host to scope |
| glass scope add --protocol mcp --host localhost:3000 | Protocol-scoped |
| glass scope list | List scope |
| glass sessions list | List recorded sessions |
| glass sessions export s1 --format forge | Export as FORGE payloads |
| glass sessions export s1 --format arsenal | Export as ARSENAL probes |
| glass report --session s1 --sign | Generate signed report |
| glass report --session s1 --export-siem splunk | Report + SIEM export |

Passive Scanner

Zero-config scanner that runs on every intercepted message:

Credential Leak Detection: 10 patterns (OpenAI keys, Anthropic keys, AWS credentials, GitHub tokens, Bearer tokens, Basic auth, private keys, connection strings, generic API keys)
PII Detection: 8 patterns (email, UK/US phone, SSN, credit card, NHS number, IP address, UK postcode)
System Prompt Exposure: Detects system prompts leaking in responses
Prompt Injection Detection: Flags injection patterns in requests
Tool Abuse Detection: Flags dangerous tool calls (shell, exec, file operations)
Data Exfiltration Detection: Flags outbound data patterns
Anomaly Detection: Rolling baselines, size/frequency/protocol anomalies
Token Cost Tracking: 13 models with real-time USD cost calculation
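
Added example, not the GLASS scanner's own logic: for the credit card and NHS number patterns listed under PII Detection, a digit-run regex alone flags order IDs and reference numbers, so this sketch confirms each candidate with its checksum (Luhn for cards, modulus 11 for NHS numbers) before reporting it. The function names and the sample text are constructed for illustration.

```python
import re

# Loose candidate: 10 to 19 digits, optionally grouped by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){9,18}(?!\d)")


def luhn_ok(digits):
    """Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def nhs_ok(digits):
    """Modulus 11 check for a 10-digit NHS number."""
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = (11 - total % 11) % 11  # a result of 11 becomes check digit 0
    return check != 10 and check == int(digits[9])


def find_pii(text):
    """Return (kind, matched_text) for candidates that pass their checksum."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if len(digits) == 10 and nhs_ok(digits):
            hits.append(("nhs_number", m.group()))
        elif 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("credit_card", m.group()))
    return hits


# Constructed message text: two checksum-valid test values and two look-alikes.
SAMPLE = ("card 4111 1111 1111 1111, NHS 943 476 5919, "
          "order 1234567890123456, ref 9434765918")
```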

Match & Replace Rules

Automated traffic modification rules:

# Redact API keys in all traffic
$ glass rules add --match "sk-[a-zA-Z0-9]+" --replace "[REDACTED]" --regex

# Replace system prompts
$ glass rules add --match "You are a helpful assistant" --replace "[SYSTEM PROMPT REDACTED]"

# Protocol-scoped rule (MCP only)
$ glass rules add --match "execute" --replace "blocked" --protocol mcp
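
Added example, not GLASS code: an audit of the redaction rule shapes shown on this page against a constructed JSON body, checking whether part of the secret survives and whether the body still parses afterwards. It assumes rules behave like Python `re.sub` and `str.replace` over the message text; the tightened patterns and the sample key and token are assumptions and placeholders.

```python
import json
import re

# Rules as shown on the page: (pattern, replacement, is_regex).
PAGE_RULES = {
    "literal_prefix": ("sk-", "[REDACTED]", False),
    "key_regex": ("sk-[a-zA-Z0-9]+", "[REDACTED]", True),
    "bearer_regex": ("Bearer .*", "Bearer [REDACTED]", True),
}
# Tightened variants (assumed, not GLASS defaults): key bodies may contain
# '-' and '_', and a token ends at whitespace or a quote.
TIGHT_RULES = {
    "key_regex": (r"\bsk-[A-Za-z0-9_-]+", "[REDACTED]", True),
    "bearer_regex": (r"Bearer [^\s\"']+", "Bearer [REDACTED]", True),
}

# Constructed message body; the key and token are placeholders, not real secrets.
SECRET_KEY = "sk-proj-CONSTRUCTED_0000"
SECRET_TOKEN = "tok_PLACEHOLDER_9999"
SAMPLE = json.dumps({"auth": "Bearer " + SECRET_TOKEN, "key": SECRET_KEY, "model": "m"})


def apply_rule(text, rule):
    """Apply one match-and-replace rule to a message body."""
    pattern, replacement, is_regex = rule
    if is_regex:
        return re.sub(pattern, replacement, text)
    return text.replace(pattern, replacement)


def audit(text, rule, secret):
    """Return (tail_of_secret_survives, body_is_still_valid_json)."""
    out = apply_rule(text, rule)
    leaked = secret[-8:] in out  # last 8 characters still present after redaction
    try:
        json.loads(out)
        valid = True
    except ValueError:
        valid = False
    return leaked, valid
```

With the page's patterns, the literal and `[a-zA-Z0-9]+` rules stop at the first `-` or `_` in the key body and leave the tail in the traffic, while the greedy `Bearer .*` rule consumes the rest of the line and truncates the JSON.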

Session Management

# Record a session
$ glass proxy --session pentest_01

# List sessions
$ glass sessions list

# Export to FORGE format (LLM request bodies)
$ glass sessions export pentest_01 --format forge

# Export to ARSENAL format (tool call sequences)
$ glass sessions export pentest_01 --format arsenal

# Export timeline
$ glass sessions export pentest_01 --format timeline

Pipeline Integration

GLASS amplifies every tool in the Red Specter offensive pipeline. Ten tools. Every layer. Nothing assumed safe.

The Full Pipeline

01 FORGE: LLM Testing
02 ARSENAL: Agent Testing
03 PHANTOM Swarm: Swarm Assault
04 POLTERGEIST: Web Siege
05 GLASS: Traffic Interception
06 NEMESIS: Adversarial AI
07 SPECTER SOCIAL: Human Layer
08 PHANTOM KILL: OS/Kernel
09 GOLEM: Physical Layer
10 HYDRA: Supply Chain
-- IDRIS: Discovery & Governance
-- AI Shield: Defence
-- redspecter-siem: SIEM Integration

Evidence & Cryptography

Ed25519 Signed Sessions: Every session can be cryptographically signed
RFC 3161 Timestamps: Tamper-evident timestamp tokens on all captures
MITRE ATLAS Mapping: Scanner alerts mapped to ATLAS technique IDs
SIEM Export: CEF (Splunk/QRadar), Microsoft Sentinel JSON format

Dashboard

Web-based real-time dashboard. Start the proxy and visit http://127.0.0.1:8080/dashboard.

$ glass proxy --port 8080
# Open http://127.0.0.1:8080/dashboard in your browser

Certificate Authority

# Generate the GLASS root CA
$ glass ca install

# Export CA cert for distribution
$ glass ca export /tmp/glass-ca.pem

# Import into your agent's trust store
# (varies by platform — add glass-ca.pem to trusted roots)

GLASS generates per-host certificates on the fly, signed by its CA. RSA 4096 CA cert (10-year validity). RSA 2048 host certs (1-year validity) with SAN.

Disclaimer

Red Specter GLASS is designed for authorised security testing, research, and educational purposes only. You must have explicit written permission from the system owner before intercepting any traffic. Unauthorised use may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), the Regulation of Investigatory Powers Act 2000 (UK), or equivalent legislation in your jurisdiction. The authors accept no liability for misuse.