Red Specter HYDRA
AI Supply Chain & Trust Attack Framework — 6 categories. 43 techniques. 1,039 tests.
Overview
HYDRA is an AI supply chain and trust attack framework. It tests the trust relationships that hold modern AI agent ecosystems together — MCP servers, agent marketplaces, tool registries, identity systems, supply chains, and trust boundaries. Not a model tester. Not a prompt injector. An adversarial framework purpose-built for the trust surface of interconnected AI agents.
Six attack categories. 43 techniques. One framework that exposes how trust is exploited, poisoned, forged, and chained across the entire AI agent supply chain.
Installation
Also available as .deb and PKGBUILD (BlackArch).
Or from source:
Quick Start
The Five-Phase Engagement Loop
Every HYDRA engagement follows a five-phase loop. Systematic. Repeatable. Documented from first probe to final report.
Enumerate the trust surface. Map what exists before testing anything.
- MCP server discovery and capability enumeration
- Plugin and tool registry fingerprinting
- Agent identity and credential surface mapping
- Configuration and secret exposure scanning
- Registry and marketplace enumeration
- Agent network and inter-agent trust discovery
Build the trust graph. Identify the weakest paths. Calculate blast radius for every node.
- Trust graph construction across all discovered entities
- Weakest-path identification and prioritisation
- Blast radius calculation per trust relationship
- Cross-boundary dependency mapping
Deploy techniques from 6 attack categories. 43 techniques targeting trust, identity, supply chain, and tooling.
- Technique selection based on MAP phase trust graph
- Category-specific attack execution
- Evidence capture at every step
- Controlled execution with rollback capability
Chain attacks across trust boundaries. Document full compromise chains from initial access to maximum impact.
- Cross-boundary attack chaining
- Trust escalation through dependent relationships
- Full chain documentation with evidence at each hop
- Impact assessment at each escalation level
Full engagement report. Ed25519 signed. RFC 3161 timestamped. Every finding mapped to MITRE ATLAS and OWASP Agentic Top 10.
- Signed evidence bundle with cryptographic chain
- Trust chain compromise documentation
- MITRE ATLAS + OWASP Agentic Top 10 dual mapping
- Remediation recommendations with priority ranking
Attack Categories
Six attack categories. 43 techniques. Purpose-built for the trust surface of AI agent ecosystems.
| Category | Techniques | What HYDRA Uses It For |
|---|---|---|
| MCP Server Security | 8 | Server impersonation, capability injection, transport hijacking, tool poisoning |
| Agent Marketplace Poisoning | 7 | Typosquatting, review manipulation, dependency confusion, update hijacking |
| Agent Identity Attacks | 7 | Identity spoofing, credential theft, delegation abuse, session hijacking |
| Agent Supply Chain Attacks | 7 | Package poisoning, build pipeline injection, configuration tampering, registry manipulation |
| Tool-Use Exploitation | 7 | Tool schema manipulation, parameter injection, return value poisoning, permission escalation |
| Trust Boundary Attacks | 7 | Cross-agent trust abuse, boundary bypass, privilege escalation, trust chain poisoning |
MCP Server Security
Eight techniques targeting Model Context Protocol server implementations. The trust anchor for modern AI agent tooling.
Deploy rogue MCP servers that mimic legitimate endpoints. Test whether agents validate server identity before establishing trust.
Inject additional capabilities into MCP server manifests. Test whether agents enforce capability boundaries.
Intercept and modify MCP transport channels. Test stdio, HTTP/SSE, and WebSocket transport layer security.
Modify tool descriptions and schemas served by MCP servers. Test whether agents re-validate tool definitions.
Exploit MCP resource access to extract data beyond authorised scope. Test resource boundary enforcement.
Inject adversarial prompts through MCP tool responses. Test whether agents sanitise tool output before processing.
Exploit MCP sampling capabilities to influence model behaviour. Test sampling request validation and boundary enforcement.
Extract MCP server configuration, secrets, and connection strings. Test configuration exposure and secret management.
Agent Marketplace Poisoning
Seven techniques targeting agent and plugin marketplaces. Where supply chain trust begins.
Register packages with names similar to popular agents and plugins. Test marketplace name validation and user warning systems.
Test review and rating system integrity. Identify whether malicious packages can achieve trusted status through fake reviews.
Exploit namespace resolution between public and private registries. Test whether agents pull from attacker-controlled sources.
Intercept or spoof update mechanisms for installed agents and plugins. Test update integrity verification.
Inject malicious content into package metadata, descriptions, and documentation. Test metadata sanitisation.
Impersonate trusted publishers and maintainers. Test publisher identity verification and trust signals.
Claim ownership of abandoned or deprecated packages. Test namespace reclamation policies and user notification systems.
Agent Identity Attacks
Seven techniques targeting agent identity and authentication systems. Identity is the foundation of trust.
Forge agent identity tokens and certificates. Test whether downstream systems validate agent identity claims.
Extract agent API keys, tokens, and secrets from running environments. Test credential storage and rotation practices.
Exploit OAuth and delegation flows to escalate agent permissions. Test scope enforcement and consent validation.
Steal or replay agent sessions across trust boundaries. Test session binding and invalidation mechanisms.
Manipulate agent role assignments to gain elevated privileges. Test role boundary enforcement and audit logging.
Break tenant isolation in multi-agent platforms. Test whether one agent can access another tenant's resources.
Chain identity impersonation across multiple agents. Test cascading trust validation in agent-to-agent communication.
Agent Supply Chain Attacks
Seven techniques targeting the agent software supply chain. From source to deployment.
Inject malicious code into agent dependencies. Test dependency integrity verification and pinning practices.
Compromise CI/CD pipelines that build and deploy agents. Test pipeline isolation and artifact signing.
Modify agent configuration at rest or in transit. Test configuration integrity verification and change detection.
Compromise package and container registries used by agents. Test registry authentication and content trust.
Inject malicious model weights or adapters into the agent model supply chain. Test model provenance and integrity verification.
Insert persistent backdoors into agent plugins and extensions. Test plugin sandboxing and code review processes.
Replace legitimate build artifacts with compromised versions. Test artifact signing and verification throughout the deployment pipeline.
Tool-Use Exploitation
Seven techniques targeting how agents discover, invoke, and trust tools. The interface between intent and execution.
Alter tool schemas to change agent behaviour. Test whether agents validate schemas against known-good definitions.
Inject additional or malicious parameters into tool calls. Test parameter validation and sanitisation.
Modify tool return values to influence agent decision-making. Test return value validation and integrity checks.
Exploit tool permission models to access capabilities beyond authorised scope. Test least-privilege enforcement.
Register tools that shadow legitimate tool names. Test tool resolution order and namespace isolation.
Break out of tool execution sandboxes. Test sandbox isolation and capability restrictions.
Exfiltrate data through tool invocation patterns, timing, or error messages. Test information leakage through tool interfaces.
Trust Boundary Attacks
Seven techniques targeting the boundaries where trust is assumed, delegated, or inherited. Where assumptions become vulnerabilities.
Exploit trust relationships between agents. Test whether trust is validated at every hop in multi-agent workflows.
Circumvent trust boundary enforcement. Test whether boundaries are enforced consistently across all access paths.
Escalate privileges across trust boundaries. Test vertical and horizontal privilege enforcement.
Inject malicious trust anchors into trust chains. Test certificate and key validation throughout the chain.
Exploit transitive trust relationships where A trusts B and B trusts C. Test whether trust transitivity is bounded.
Manipulate agent context windows to alter trust decisions. Test context integrity and trust re-evaluation.
Circumvent human approval requirements in agent workflows. Test human oversight enforcement and approval fatigue resistance.
HYDRA UNLEASHED
Cryptographic override. Private key controlled. One operator. Founder's machine only.
Standard mode simulates and assesses. UNLEASHED mode executes live against production-like agent ecosystems. The difference is not cosmetic.
| Capability | Standard | UNLEASHED |
|---|---|---|
| Trust surface discovery | Full | Full |
| Trust graph mapping | Full | Full |
| MCP server testing | Simulated | Live |
| Marketplace poisoning | Simulated | Live |
| Identity forgery | Simulated | Live |
| Supply chain injection | Simulated | Live |
| Trust chain exploitation | Mapped | Executed |
| Full chain compromise | N/A | ✓ |
| Report classification | Standard | RESTRICTED |
| Key required | No | Ed25519 |
UNLEASHED mode is restricted to authorised operators with Ed25519 private key access. Live execution against agent ecosystems must only occur in authorised test environments with appropriate controls in place. Unauthorised use of UNLEASHED mode against production agent platforms may compromise live systems and will violate applicable law.
CLI Reference
| Command | Description |
|---|---|
| hydra scan --target URL | Scan target for trust surface and attack categories |
| hydra scan --target URL --category CATEGORY | Scan specific attack category (mcp, marketplace, identity, supply-chain, tool-use, trust-boundary) |
| hydra attack --target URL --override | UNLEASHED dry run |
| hydra attack --target URL --override --confirm-destroy | UNLEASHED live execution |
| hydra report --session FILE --output report.json | Generate engagement report |
| hydra list-categories | List all attack categories |
| hydra list-integrations | List supported SIEM and pipeline integrations |
Report Output
Every HYDRA engagement produces a signed, timestamped report with full evidence chains and dual framework mapping. Built for compliance and incident documentation.
Report Formats
Pipeline Integration
HYDRA is Stage 10 of the Red Specter security pipeline. Ten offensive tools. Every layer of the AI stack. The supply chain included. HYDRA owns the trust surface.
HYDRA findings feed into AI Shield as runtime trust policies. Supply chain and trust boundary failures documented by HYDRA generate defensive rules that prevent exploitation in production agent ecosystems.
Framework Mapping
Every HYDRA finding is dual-mapped to both frameworks relevant to AI agent supply chain security. No finding ships without a standards reference.
Dual mapping on every finding. Security teams get ATLAS references. Agent developers get OWASP Agentic references. One report serves both audiences.
Disclaimer
Red Specter HYDRA is designed for authorised security testing, research, and educational purposes only. You must have explicit written permission from the system owner before running any HYDRA tool against a target. Testing against live agent ecosystems, MCP servers, and supply chains carries inherent risks including service disruption and data compromise. HYDRA must only be used against systems you are authorised to test. Unauthorised use may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. The authors accept no liability for misuse or damage resulting from improper use.