RED SPECTER
NIGHTFALL T76 — DENIAL-OF-WALLET
SPECTER BURN
Denial-of-Wallet & Agentic Economic Disruption Engine. Set their API budget on fire.
8 Subsystems
6 Attack Categories
7 Target Platforms
387 Tests
Overview
THE BILLING LAYER IS THE ATTACK SURFACE
Modern AI deployments have a financial attack surface that conventional security tools ignore: token billing, rate limit windows, auto-reload credit cycles, parallel session budgets, and tool call amplification chains. Every API request costs money. Every loop costs more.
RECURSIVE_LOOP
CONTEXT_FLOOD
PARALLEL_BURN
AUTO_RELOAD_TRIGGER
TOOL_AMPLIFICATION
RATE_LIMIT_STORM
Architecture
8 SUBSYSTEMS
SUBSYSTEM 01
IGNITE
FORGE GATE
Reconnaissance engine. Platform fingerprinting (OpenAI/Anthropic/Azure/Bedrock/Vertex/Ollama/Generic), rate limit header parsing, billing API surface mapping, auto-reload mechanism detection, burn rate estimation (USD/hour), cheapest entry point identification.
SUBSYSTEM 02
KINDLE
FORGE GATE
Recursive loop injection. 4 payload classes: SELF_DELEGATE (5 templates), MUTUAL_BLOCK (3 templates), EXPAND_HORIZON (4 templates), TOOL_ECHO (3 templates). Geometric token growth estimation. Extended thinking API support (budget_tokens). Cost calculation per iteration.
SUBSYSTEM 03
TORCH
FORGE GATE
Context window flooding. 4 flood modes: BLOAT_INJECT (verbose filler), HISTORY_ACCUMULATE (quadratic growth over turns), MULTIMODAL_BLOAT (PNG image saturation), SYSTEM_OVERFLOW (system prompt context exhaustion). Saturation percentage calculation per platform context limit.
SUBSYSTEM 04
BLAZE
INJECT GATE
Parallel session spawning. Async concurrent session launch via asyncio.gather. Per-session cost tracking. Economic impact aggregation across campaign. Configurable session count (1–unlimited). Token usage extraction from OpenAI and Anthropic response formats.
SUBSYSTEM 05
EMBER
DESTROY GATE
Auto-reload exploitation. Billing API endpoint probing (OpenAI/Anthropic/Azure). Auto-reload signal detection (regex patterns across JSON and plain text). Credit exhaustion to threshold. Reload cycle triggering and confirmation. Daily cap reset boundary timing attack.
SUBSYSTEM 06
SCORCH
INJECT GATE
Tool call amplification. 5 vectors: SEARCH_FLOOD (recursive search cascade), IMAGE_GEN_DRAIN (generate→analyse→regenerate loop), CODE_EXEC_SPIRAL (optimise→execute→retest chain), EXTERNAL_API_CHAIN (multi-hop API calls), RAG_RETRIEVAL_STORM (BFS retrieval until exhaustion). OpenAI and Anthropic tool formats.
SUBSYSTEM 07
SMOTHER
DESTROY GATE
Rate limit exhaustion. 4 patterns: BURST_RACE (concurrent 429 storm induction), TENANT_BYPASS (multi-key rotation to bypass per-key limits), CREDIT_THRESHOLD (pre-exhaustion burst timing), METERED_CHAIN (hop-by-hop cost amplification). Engineering time waste estimation per storm incident.
SUBSYSTEM 08
ASH
ALWAYS ON
Evidence chain and reporting. SHA-256 hash-chained EvidenceChain. Ed25519-signed BurnReport. Report ID: BURN-{hex12}. MITRE ATLAS auto-mapping per attack category. OWASP LLM mapping. JSON and NDJSON (SIEM) export. Chain integrity verified before signature.
Targets
7 TARGET PLATFORMS
SPECTER BURN covers every major LLM billing architecture — from major cloud providers to self-hosted inference.
OPENAI
GPT-4o, o1, o3
ANTHROPIC
Claude Opus/Sonnet
AZURE OPENAI
GPT-4o deployments
AWS BEDROCK
Claude/Titan/Llama
GOOGLE VERTEX AI
Gemini 1.5 Pro
OLLAMA
Self-hosted models
GENERIC OPENAI-COMPAT
Any /v1/chat endpoint
Usage
SPECTER-BURN CLI
$ specter-burn ignite --target https://api.openai.com/v1/chat/completions \ --api-key $OPENAI_API_KEY --override ┌─ IGNITE SURVEY ──────────────────────────────────────┐ platform openai rate_limit_rpm 30,000 context_limit 128,000 tokens max_burn_rate $384.00/hour auto_reload detected (threshold: $10.00) entry_point standard_context_flood └──────────────────────────────────────────────────────┘ $ specter-burn kindle --target https://api.openai.com/v1/chat/completions \ --api-key $OPENAI_API_KEY --override \ --payload-class SELF_DELEGATE --topic "API billing systems" --depth 7 UNLEASHED FORGE clearance granted — fingerprint=a1b2c3d4e5f67890 Estimated tokens at depth 7: 847,340 Estimated cost: $5.08 per request $ specter-burn torch --target https://api.anthropic.com/v1/messages \ --api-key $ANT_KEY --override --mode BLOAT_INJECT --tokens 190000 Saturation: 95.0% of 200,000 token context Input cost per request: $0.57 $ specter-burn run INFERNO \ --target https://api.openai.com/v1/chat/completions \ --api-key $OPENAI_API_KEY --override --confirm-destroy UNLEASHED DESTROY clearance required — dual-gate engaged Report: BURN-A3F91C2D7E84 generated and signed
Attack Flow
ECONOMIC KILL CHAIN
IGNITE recon
→
KINDLE loops
→
TORCH flood
→
BLAZE parallel
→
SCORCH tools
→
EMBER reload
→
SMOTHER storm
→
ASH report
Authorization
UNLEASHED GATE — THREE TIERS
FORGE: IGNITE, KINDLE, TORCH require --override flag. Reconnaissance and loop/flood operations for authorised penetration testing.INJECT: BLAZE, SCORCH require --override + Ed25519 UNLEASHED key. Parallel session spawning and tool call amplification against live targets.DESTROY: EMBER, SMOTHER, and sustained INFERNO campaigns require --override + --confirm-destroy + dual Ed25519 key pair. Auto-reload triggering and rate limit storm induction constitute active economic disruption and require explicit written authorisation.specter-burn unleashed create-key
Intelligence
MITRE ATLAS / OWASP LLM MAPPING
AML.T0040
Network Denial of ML Service — KINDLE / TORCH / EMBER / SMOTHER
AML.T0029
Denial of ML Service — SMOTHER / BLAZE
AML.T0051
LLM Prompt Injection — KINDLE / SCORCH
AML.T0043
Craft Adversarial Data — TORCH / KINDLE
AML.T0020
Poison Training Data — SCORCH (tool cascade)
AML.T0048
Compromise ML Model — EMBER (auto-reload)
OWASP LLM: LLM04 (Model DoS) · LLM07 (System Prompt Leakage) · LLM09 (Overreliance / Unbounded Consumption)