```shell
pip install red-specter-hydra
```
An AI agent trusts its tools, plugins, MCP servers, marketplaces, config files, delegation chains, and model registries. Every one of those trust relationships is an attack surface. None of them are being tested.
Research found 1,184 malicious skills in major agent marketplaces with an 11% malicious rate. Most platforms have zero vetting. Your agent downloads and executes whatever it finds.
492 MCP servers exposed with zero auth. No authentication, no authorisation, no audit trail. 36.7% SSRF vulnerable. The protocol your agent trusts most has the least protection.
Remote code execution via poisoned configuration files. Agents load configs from repositories, registries, and shared stores. Nobody validates what they contain. One poisoned config owns the entire agent.
78% of organisations have no agent identity policies. Agents run with ambient credentials, shared tokens, and inherited permissions. No identity. No boundary. No accountability.
Six categories. Each one targets a different trust relationship in the AI supply chain. Each finding maps to MITRE ATLAS and OWASP Agentic Top 10. Each finding generates an AI Shield blocking rule. 43 techniques. 1,039 tests.
- SSRF exploitation, authentication bypass, tool poisoning, consent bypass, server impersonation, schema injection, response tampering, capability escalation.
- Malicious skill injection, typosquatting, review manipulation, dependency confusion, manifest spoofing, version pinning attacks, update hijacking.
- Credential theft, token impersonation, identity spoofing, delegation chain hijacking, permission escalation, ambient authority abuse, session fixation.
- Model registry poisoning, config injection, dependency backdooring, plugin supply chain, build pipeline compromise, artifact tampering, signature bypass.
- Tool manifest manipulation, parameter injection, return value poisoning, tool chaining abuse, sandbox escape via tools, permission inheritance, capability confusion.
- Cross-agent trust exploitation, boundary traversal, trust delegation abuse, implicit trust assumption, trust scope escalation, federation attacks, zero-trust bypass.
Target an agent deployment and specify the trust surfaces to assess:
HYDRA maps every trust relationship automatically. MCP servers, plugins, marketplaces, delegation chains, config sources — every link in the chain.
Every attack technique includes safe-mode defaults. HYDRA validates trust weaknesses without exploiting production systems. Assessment mode confirms without compromise.
Every report cryptographically signed with Ed25519. RFC 3161 timestamped. SHA-256 evidence chains. Tamper-evident by design.
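Added example of what a tamper-evident evidence chain of this shape looks like in practice. This is not HYDRA's code (the page does not show how its chains are built): it hashes each finding together with the previous link's SHA-256 digest, so that editing, dropping or reordering any finding breaks every later link, and the verifier reports the first bad index. The chain head is the single value that gets signed; signing is done with Ed25519 from the `cryptography` package when it is installed and skipped otherwise. The `GENESIS` anchor, the finding records and the helper names are constructed for illustration; the RFC 3161 timestamp step is not modelled.

```python
"""Tamper-evident evidence chain: SHA-256 links over findings, Ed25519 over the head."""
import hashlib
import json
from copy import deepcopy

# Constructed anchor for the first link; HYDRA's real anchor is not shown on the page.
GENESIS = "0" * 64

# Constructed sample findings (example data, not real output of any scan).
SAMPLE_FINDINGS = [
    {"id": "F-001", "category": "mcp", "technique": "authentication bypass",
     "severity": "high", "target": "mcp://example.invalid/tools"},
    {"id": "F-002", "category": "marketplace", "technique": "typosquatting",
     "severity": "medium", "target": "skill:exampel-skill"},
    {"id": "F-003", "category": "identity", "technique": "ambient authority abuse",
     "severity": "high", "target": "agent://example.invalid/worker-7"},
]


def canonical(record: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so equal findings hash identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def link_hash(prev_hex: str, finding: dict) -> str:
    """SHA-256 over the previous link's digest followed by the canonical finding."""
    return hashlib.sha256(prev_hex.encode("ascii") + canonical(finding)).hexdigest()


def build_chain(findings):
    """Each link records its position, the previous digest, the finding and its own digest."""
    chain, prev = [], GENESIS
    for index, finding in enumerate(findings):
        digest = link_hash(prev, finding)
        chain.append({"index": index, "prev": prev, "finding": finding, "hash": digest})
        prev = digest
    return chain


def chain_head(chain):
    """The value a report signature would cover."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain):
    """Recompute every link. Returns (True, None) or (False, index of the first bad link)."""
    prev = GENESIS
    for expected, link in enumerate(chain):
        if link["index"] != expected or link["prev"] != prev:
            return False, expected          # reordered or dropped link
        if link_hash(prev, link["finding"]) != link["hash"]:
            return False, expected          # finding edited after hashing
        prev = link["hash"]
    return True, None


def verify_against_head(chain, signed_head):
    """Internal consistency alone misses truncation of the tail; the signed head catches it."""
    ok, bad = verify_chain(chain)
    if not ok:
        return False, bad
    if chain_head(chain) != signed_head:
        return False, len(chain)            # links removed from or added after the end
    return True, None


def with_edited_finding(chain, index, field, value):
    """Return a copy of the chain with one finding altered (simulated tampering)."""
    altered = deepcopy(chain)
    altered[index]["finding"][field] = value
    return altered


def without_link(chain, index):
    """Return a copy of the chain with one link removed (simulated deletion)."""
    return [deepcopy(link) for i, link in enumerate(chain) if i != index]


def sign_head(head_hex, private_key=None):
    """Ed25519 over the chain head. Needs the `cryptography` package; returns None if absent."""
    try:
        from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
    except ImportError:
        return None
    key = private_key or Ed25519PrivateKey.generate()   # a real tool loads a managed key
    signature = key.sign(bytes.fromhex(head_hex))
    key.public_key().verify(signature, bytes.fromhex(head_hex))  # raises on mismatch
    return signature, key.public_key()


if __name__ == "__main__":
    chain = build_chain(SAMPLE_FINDINGS)
    head = chain_head(chain)
    print("intact:", verify_against_head(chain, head))
    print("edited:", verify_against_head(with_edited_finding(chain, 1, "severity", "low"), head))
    print("dropped tail:", verify_against_head(without_link(chain, 2), head))
    print("signed:", sign_head(head) is not None)
```

The truncation case is the one worth remembering: a chain with its last finding removed still verifies link by link, so an auditor must compare the recomputed head against the signed head rather than trusting internal consistency alone.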
Every finding generates an AI Shield blocking rule. HYDRA findings become runtime trust policies that protect your agent supply chain.
HYDRA follows a structured five-phase engagement loop. Every trust relationship is discovered, mapped, attacked, chained, and reported. No assumptions. No shortcuts.
HYDRA covers 8 of 10 OWASP Agentic Top 10 categories. Tool poisoning, excessive permissions, supply chain compromise, trust boundary violations — tested systematically across every deployment.
Every finding mapped to MITRE ATLAS techniques. Supply chain attacks, model manipulation, and trust exploitation — linked to adversarial ML taxonomy on every report.
Full SIEM export support. Every finding emits structured events compatible with enterprise SIEM platforms. Correlation rules for trust chain attacks across your entire agent fleet.
HYDRA is Tool 10 in the Red Specter offensive pipeline. It attacks the trust chain that connects everything else. Findings feed directly into AI Shield as runtime trust policies.
HYDRA integrates directly with the Red Specter ecosystem. Trust chain findings feed into monitoring, orchestration, and runtime defence.
GLASS watches trust relationships in real time. HYDRA findings create GLASS watchpoints that alert on trust boundary changes, new MCP connections, and supply chain drift.
ARSENAL validates agent-level trust during testing. HYDRA findings feed into ARSENAL agent assessments, adding supply chain context to every agent security scan.
NEMESIS orchestrates multi-stage trust chain attacks. HYDRA categories become NEMESIS attack phases, enabling automated trust exploitation across complex agent deployments.
Every HYDRA finding generates an AI Shield trust policy. Runtime enforcement of trust boundaries, MCP authentication requirements, and supply chain verification rules.
Standard mode maps trust relationships and simulates attacks. UNLEASHED mode executes live against authorised targets. Actually publishes malicious skills. Actually poisons tool definitions. Actually forges delegation tokens. Actually injects into CI/CD pipelines. Chains attacks across trust boundaries to full compromise. Ed25519 key gate required. Two flags must be passed. This is not accidental.
| Capability | Standard | Unleashed |
|---|---|---|
| Trust surface discovery | Full | Full |
| Trust graph mapping | Full | Full |
| MCP server testing | Simulated | Live exploitation |
| Marketplace poisoning | Simulated | Live injection |
| Identity forgery | Simulated | Live forgery |
| Supply chain injection | Simulated | Live injection |
| Tool-use exploitation | Simulated | Live execution |
| Trust chain exploitation | Mapped | Executed |
| Full chain compromise | N/A | Complete |
| Report classification | Standard | RESTRICTED |
| Safety gate | None | Ed25519 + --confirm-destroy |
UNLEASHED mode requires an Ed25519 private key at ~/.redspecter/override_private.pem and the --override --confirm-destroy flags. Without both, HYDRA operates in simulation mode — mapping trust relationships and documenting what would happen without executing live attacks. The gate is cryptographic. There is no bypass. One key. One operator. Founder's machine only.
Most supply chain security tools scan package manifests and call it done. HYDRA is actual engineering. Every trust chain parser written from scratch in pure Python. Every attack technique implemented natively. MCP protocol interaction, marketplace crawling, identity verification — all built in-house.
HYDRA finds out what happens when the trust chain breaks. Assess your AI supply chain attack surface before a real adversary does.