IDRIS Documentation
IDRIS is the Agent Identity & Governance Discovery Engine. It continuously discovers every AI agent in your environment — sanctioned or shadow — traces their permissions, identifies their owners, validates whether they're under control, and feeds that intelligence directly into NEMESIS for adversarial validation. Named after the all-seeing watcher who tracks every superpowered being.
Overview
IDRIS is not an offensive tool. It's the discovery and governance layer the entire Red Specter stack was missing. It operates across six core modules:
- Agent Discovery Engine — 10 sources, continuous scanning
- Permission Mapper — escalation path detection, orphaned credential tracking
- Ownership Tracer — accountability, departed owner detection
- Identity Graph — relationship mapping, blast radius, trust chains
- Compliance Audit Generator — 5 frameworks, gap analysis
- NEMESIS Integration Feed — adversarial validation loop
The full lifecycle: IDRIS discovers. NEMESIS validates. AI Shield defends.
Module 1: Agent Discovery Engine
Continuously scans across 10 discovery sources to find every AI agent deployed in your environment.
Cloud Providers
Native SDK integration for AWS, Azure, and GCP.
AWS
Lambda functions, ECS tasks, Bedrock agents, SageMaker endpoints, Step Functions. Detects AI agents via function names, environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, BEDROCK_MODEL_ID), and Lambda layer analysis.
Azure
Azure Functions, AKS workloads, Azure OpenAI deployments, Logic Apps, Bot Services, Cognitive Services. Scans resource groups across subscriptions.
GCP
Cloud Functions, Cloud Run services, Vertex AI endpoints, Vertex Agent Builder, GKE workloads. Scans across projects.
SaaS Platforms
Discovers AI agents embedded in business tools.
Slack
Enumerates all bots, extracts OAuth scopes, identifies permission levels (read/write/admin).
Microsoft Teams
Discovers Teams apps and bots via Graph API. Flags organisation-deployed apps.
Salesforce / ServiceNow / Zapier
Einstein agents, Flow automations, AI-powered Zaps. Detects agents by name patterns and configuration.
Infrastructure Sources
API Gateway
Analyses proxy logs and routing rules for LLM API traffic. Detects agents calling OpenAI, Anthropic, Gemini, Mistral, Ollama, HuggingFace endpoints.
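The proxy-log analysis described above can be sketched as follows. This is an added example, not IDRIS code: the log line format, the sanctioned-source list and the hostname table are assumptions (the hostnames are the public API hosts of providers the page names), and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumption: public API hostnames for providers named on the page.
LLM_HOSTS = {
    "api.openai.com": "OpenAI",
    "api.anthropic.com": "Anthropic",
    "generativelanguage.googleapis.com": "Gemini",
    "api.mistral.ai": "Mistral",
    "api-inference.huggingface.co": "HuggingFace",
}

# Constructed proxy log: "<timestamp> <source> CONNECT <host>:<port> <status>"
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 10.0.4.17 CONNECT api.openai.com:443 200
2025-01-10T09:00:05Z 10.0.4.17 CONNECT api.openai.com:443 200
2025-01-10T09:01:12Z 10.0.7.3 CONNECT api.anthropic.com:443 200
2025-01-10T09:02:40Z 10.0.9.21 CONNECT updates.example.com:443 200
2025-01-10T09:03:02Z 10.0.7.3 CONNECT API.MISTRAL.AI:443 200
malformed line without fields
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+CONNECT\s+([^\s:]+):(\d+)\s+(\d{3})$")

def find_llm_callers(log_text, sanctioned):
    """Group LLM API traffic by source address and mark known (sanctioned) sources."""
    callers = defaultdict(lambda: {"providers": set(), "requests": 0})
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not parse instead of failing the scan
        _, source, host, _, _ = match.groups()
        provider = LLM_HOSTS.get(host.lower().rstrip("."))  # hostnames are case-insensitive
        if provider is None:
            continue
        callers[source]["providers"].add(provider)
        callers[source]["requests"] += 1
    return {src: {**info, "sanctioned": src in sanctioned}
            for src, info in callers.items()}

def shadow_sources(log_text, sanctioned):
    """Sources that call an LLM API but are absent from the sanctioned inventory."""
    found = find_llm_callers(log_text, sanctioned)
    return sorted(src for src, info in found.items() if not info["sanctioned"])

if __name__ == "__main__":
    print(shadow_sources(SAMPLE_LOG, sanctioned={"10.0.4.17"}))
```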
MCP
Scans for MCP server endpoints, parses config files (.cursor/mcp.json, .claude/mcp_servers.json), queries MCP registries. Extracts tool and resource grants.
CI/CD
Scans GitHub Actions workflows, GitLab CI pipelines, and Jenkins jobs for AI agent steps. Detects API key usage and permission grants.
Container
Inspects Docker containers, docker-compose services, and Kubernetes pods. Identifies AI images (ollama, vllm, tgi, langchain) and environment variables.
Network
Port scanning with LLM endpoint fingerprinting. Probes 8 provider signatures (OpenAI, Anthropic, Gemini, Mistral, Ollama, HuggingFace, LangServe, MCP).
Git
Scans repositories for agent configuration files, AI import patterns in code, system prompts, and .env files with API keys.
Module 2: Permission Mapper
Traces every permission grant for every discovered agent and identifies escalation paths.
For each agent, the Permission Mapper:
- Counts permissions by scope: admin, write, read, execute, delegate
- Identifies orphaned credentials (resource deleted but key still active)
- Detects expired permissions still present in the system
- Flags over-privileged agents (admin access, delegation grants, or 10+ permissions)
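The four checks listed above, applied to a small inventory. This is an added example, not IDRIS code: the Grant record shape, the agent names and the sample grants are constructed, and only the scope names and the "10+ permissions" threshold come from the page.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

SCOPES = ("admin", "write", "read", "execute", "delegate")  # scopes named on the page
MAX_GRANTS = 10                                             # the page's "10+ permissions"

@dataclass
class Grant:                          # hypothetical record shape
    agent: str
    scope: str
    resource: str
    resource_exists: bool = True      # False once the target resource is deleted
    key_active: bool = True           # credential is still usable
    expires_at: Optional[datetime] = None

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed "now" for a repeatable run

# Constructed sample inventory.
GRANTS = (
    [Grant("report-bot", "read", f"s3://reports/{i}") for i in range(9)]
    + [Grant("report-bot", "write", "s3://reports/out")]
    + [Grant("ci-helper", "execute", "deploy-api"),
       Grant("ci-helper", "write", "db:staging", resource_exists=False),
       Grant("ci-helper", "read", "db:legacy",
             expires_at=datetime(2025, 1, 1, tzinfo=timezone.utc))]
    + [Grant("router", "delegate", "agent:billing")]
)

def assess(agent, grants=GRANTS, now=NOW):
    """Return scope counts, orphaned and expired grants, and over-privilege reasons."""
    mine = [g for g in grants if g.agent == agent]
    counts = Counter(g.scope for g in mine)
    reasons = []
    if counts["admin"]:
        reasons.append("admin access")
    if counts["delegate"]:
        reasons.append("delegation grant")
    if len(mine) >= MAX_GRANTS:
        reasons.append(f"{len(mine)} permissions")
    return {
        "by_scope": {s: counts[s] for s in SCOPES},
        # Orphaned: the resource is gone but the credential still works.
        "orphaned": [g.resource for g in mine if not g.resource_exists and g.key_active],
        # Expired: past its expiry date yet still present in the inventory.
        "expired": [g.resource for g in mine if g.expires_at and g.expires_at <= now],
        "over_privileged": bool(reasons),
        "reasons": reasons,
    }
```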
8 Escalation Rules
IAM to Admin
IAM admin role → create users → generate keys → full account takeover.
Write to Data Exfiltration
Database write access → inject queries → exfiltrate data.
Execute to RCE
API execution permission → craft payload → arbitrary code execution.
Delegate to Impersonation
Delegation grant → assume identity → access resources as another agent.
MCP Tool to System
MCP tool execution → file system/database/network access → lateral movement.
Env Key to Lateral
Environment API key → external service access → pivot to new system.
Slack Admin to Social
Admin Slack bot → read private channels → impersonate users → social engineering.
GitHub Write to Supply Chain
Repo write access → modify code → merge malicious changes → supply chain compromise.
Module 3: Ownership Tracer
Determines accountability for every agent. For each discovered agent:
- Who created the agent (user, team, system)
- Who is the current owner
- Whether the owner is still with the organisation
- Last human review date
- Change history (who modified permissions, when)
- Orphaned agents (owner departed, no handover)
Outputs include team summaries (grouped by department with risk scores), departed owner reports, accountability matrices, and overdue review tracking. Default review interval: 90 days.
Module 4: Identity Graph
Builds a directed graph of all relationships between agents, users, resources, and MCP servers using networkx.
Analyses include:
- Blast radius calculation — if an agent is compromised, how many other agents and resources are at risk (direct and transitive)
- Transitive trust chains — A trusts B trusts C means C is effectively trusted by A
- Trust cycles — circular trust relationships that create infinite escalation
- Centrality analysis — identifies the most connected agents (highest blast radius)
- Isolated agents — agents with no connections (possible shadow)
Output: JSON graph format with nodes (agent, user, resource, mcp_server) and edges (trusts, owns, accesses, delegates_to, connected_to).
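Three of the analyses above (blast radius, trust cycles, isolated agents) worked through on a small graph. This is an added example, not IDRIS code: it uses only the Python standard library rather than networkx so it runs anywhere, the nodes and edges are constructed, and the direction in which compromise propagates along each edge type is an assumption stated in the code.

```python
from collections import defaultdict, deque

# Constructed sample graph: (source, relation, target), using the page's edge types.
EDGES = [
    ("agent:triage", "trusts", "agent:deploy"),
    ("agent:deploy", "trusts", "agent:billing"),
    ("agent:billing", "trusts", "agent:triage"),   # closes a trust cycle
    ("agent:deploy", "accesses", "resource:prod-db"),
    ("agent:billing", "delegates_to", "agent:report"),
    ("agent:report", "accesses", "resource:s3-exports"),
    ("user:alice", "owns", "agent:triage"),
]
NODES = {n for s, _, t in EDGES for n in (s, t)} | {"agent:scratch"}

def reachable(adj, start):
    """Breadth-first search: node -> hop distance, excluding the start node."""
    dist, queue = {}, deque([(start, 0)])
    while queue:
        node, hops = queue.popleft()
        for nxt in adj[node]:
            if nxt != start and nxt not in dist:
                dist[nxt] = hops + 1
                queue.append((nxt, hops + 1))
    return dist

def blast_radius(edges, agent):
    """Assumed propagation: access and delegation follow the edge; trust runs
    backwards, because whoever trusts a compromised agent is exposed to it."""
    adj = defaultdict(set)
    for src, rel, dst in edges:
        if rel in ("accesses", "delegates_to"):
            adj[src].add(dst)
        elif rel == "trusts":
            adj[dst].add(src)
    dist = reachable(adj, agent)
    return {"direct": sorted(n for n, d in dist.items() if d == 1),
            "transitive": sorted(n for n, d in dist.items() if d > 1)}

def trust_cycle_members(edges):
    """Nodes that can reach themselves again through 'trusts' edges only."""
    adj = defaultdict(set)
    for src, rel, dst in edges:
        if rel == "trusts":
            adj[src].add(dst)
    return sorted(n for n in list(adj)
                  if any(n in adj[m] for m in [n, *reachable(adj, n)]))

def isolated(nodes, edges):
    """Nodes with no edge at all: candidates for shadow agents."""
    return sorted(nodes - {n for s, _, t in edges for n in (s, t)})
```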
Module 5: Compliance Audit Generator
Assesses your agent governance posture against 5 compliance frameworks:
EU AI Act (7 requirements)
Articles 9 (Risk Management), 11 (Technical Documentation), 13 (Transparency), 14 (Human Oversight), 15 (Accuracy & Cybersecurity), 26 (Deployer Obligations), 50 (AI System Transparency). Enforcement begins August 2026.
NIST AI RMF (8 requirements)
GOVERN (governance, accountability), MAP (context, capabilities), MEASURE (metrics, evaluation), MANAGE (risk treatment, residual risk).
CSA AI Safety Initiative (8 requirements)
Inventory, registry, governance policy, ownership, least privilege, identity management, continuous monitoring, audit trail.
OWASP Agentic Top 10 (10 requirements)
ASI-01 Excessive Agency through ASI-10 Insecure Agent Memory. Full coverage of the OWASP Agentic Application Security standard.
UK AISI (3 principles)
Principle 5 (Identify AI Content), Principle 6 (Transparency), Principle 13 (Ongoing Risk Assessment).
Each assessment produces: compliance score (%), per-requirement pass/fail, gap analysis, remediation recommendations, and executive summary.
Module 6: NEMESIS Integration Feed
The unique capability no competitor can replicate. IDRIS feeds discovered agents directly into NEMESIS for adversarial validation.
The loop:
- IDRIS discovers an agent
- Agent is converted to NEMESIS target format (endpoint, permissions, trust relationships, tools)
- Targets are filtered by risk threshold and sorted by risk score
- NEMESIS attacks each target (standard or UNLEASHED mode)
- Findings returned to IDRIS
- IDRIS marks agent as VALIDATED VULNERABLE or VALIDATED SECURE
- Compliance report updated with validation evidence
Supports SIEM export in CEF and JSON formats for Splunk, Sentinel, and QRadar integration.
CLI Reference
Discovery
# Discover across all sources
idris discover --target all
# Discover in specific cloud
idris discover --target aws --profile production
idris discover --target azure --subscription my-sub
# Network scanning
idris discover --target network --range 192.168.1.0/24
# Save results
idris discover --target all --output results.json
Governance Audit
# Full audit with all frameworks
idris audit --target all
# Specific frameworks
idris audit --target all --frameworks eu-ai-act,nist,owasp-agentic
# Save audit report
idris audit --target all --output audit_report.json
NEMESIS Validation
# Standard validation
idris validate --session my_session --mode standard
# Full validation
idris validate --session my_session --mode full
# UNLEASHED — full adversarial loop
idris validate --session my_session --override
idris validate --session my_session --override --confirm-destroy
Identity Graph
# Generate graph
idris graph --session my_session --output graph.json
# Visualise
idris graph --session my_session --visualise
Utility Commands
# List discovery sources
idris list-sources
# List compliance frameworks
idris list-frameworks
# Version
idris --version
UNLEASHED Mode
UNLEASHED mode activates the complete adversarial governance loop. Every agent IDRIS discovers is fed through the full Red Specter offensive stack:
- Phase 1 — IDRIS: Discovers every agent in the environment
- Phase 2 — NEMESIS UNLEASHED: Attacks each discovered agent with the full 9-weapon arsenal
- Phase 3 — PHANTOM KILL: Owns the host the agent runs on (BOOTKILL + WIPER + KILLHOOK)
- Phase 4 — HYDRA: Poisons the agent's supply chain
- Phase 5 — ABYSS: Proves the agent cannot be recovered (Irrecoverability Certificate)
- Phase 6 — IDRIS: Generates the complete Irrecoverability Audit Trail
Output: Per-agent irrecoverability certificate, exploitation evidence log, permission exploitation record, ownership accountability trail, total blast radius assessment. Ed25519 signed, RFC 3161 timestamped. RESTRICTED classification. Air-gapped output only.
Authorization: Ed25519 private key required. --override --confirm-destroy flags. Founder's machine only. One key. One operator.
Tech Stack
- Python 3.11+ — matches the Red Specter family
- Typer + Rich — CLI framework with formatted output
- httpx — async HTTP for API fingerprinting and network scanning
- networkx — identity relationship graph engine
- PyNaCl — Ed25519 signing for reports and certificates
- Pydantic — data model validation
- SQLite — session and inventory persistence
- pytest — 553 tests across 24 test files
Integration with Red Specter Stack
- NEMESIS — Primary consumer of IDRIS output. Attacks what IDRIS finds.
- PHANTOM KILL — UNLEASHED: owns hosts of discovered agents
- HYDRA — UNLEASHED: poisons supply chains of discovered agents
- GLASS — Discovers agents via intercepted API traffic
- AI Shield — Defends what IDRIS discovers and NEMESIS validates
- redspecter-siem — --export-siem flag on all findings
Support
For questions, support, and feedback: