specter-context scan --target mem0 --all-classes
AI agents now remember across sessions. Memory frameworks and native model memory create a persistence layer nobody tests. Mem0, MemGPT, Zep, LangChain, LlamaIndex, ChromaDB, Pinecone, Weaviate, Qdrant, pgvector, Claude Memory, GPT Memory — twelve distinct memory backends, each storing context that silently shapes every future response. Poison the memory once, own every session that follows. SPECTER CONTEXT is the systematic weaponisation of agent memory.
Each class targets a different layer of the agent memory stack — from raw embedding storage through to cross-session identity manipulation. Every attack is independently invocable.
Inject adversarial content directly into agent memory stores. Planted memories persist across sessions and silently steer future reasoning, tool selection, and output generation. The foundation attack class.
UNLEASHED --override
Corrupt existing memory entries with adversarial modifications. Alter factual memories, flip sentiment, inject false context. The agent trusts its own memory implicitly — poisoned memories bypass all prompt-level defences.
UNLEASHED --confirm-destroy
Exploit retrieval algorithms to control which memories surface. Craft embedding-adjacent payloads that hijack similarity search. Force the agent to recall attacker-controlled context for any query topic.
UNLEASHED --override
Establish persistent backdoor memories that survive memory pruning, compaction, and garbage collection. Exploit memory lifecycle hooks to re-inject payloads after cleanup. Permanent foothold in agent context.
UNLEASHED --confirm-destroy
Leak memory contents across session boundaries, user contexts, and tenant isolation layers. Extract another user's stored context via crafted retrieval queries. Memory isolation failures in multi-tenant deployments.
UNLEASHED --override
Attack the vector embedding layer directly. Craft adversarial inputs that produce embedding collisions, poison nearest-neighbour search, and corrupt the semantic index. Subvert retrieval at the mathematical level.
UNLEASHED --override
Forge synthetic memories indistinguishable from legitimate entries. Clone metadata, timestamps, source attribution, and confidence scores. Plant fabricated conversation history the agent treats as ground truth.
UNLEASHED --confirm-destroy
Every major memory framework and native model memory system. Dedicated attack modules per target — version-aware, API-specific, tested against real deployments.
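Three of the classes above (memory corruption, cross-session bleed and memory forgery) come down to two properties of the store: whether each entry carries provenance the read path can verify, and whether tenant scoping happens before relevance ranking. The following is an added defensive illustration, not code from SPECTER CONTEXT, NIGHTFALL or any of the listed backends; it assumes a constructed HMAC key, constructed sample memories and a toy term-overlap ranker standing in for a real embedding search.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key; a real deployment would hold this in a KMS/HSM, not in source.
MEMORY_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class MemoryEntry:
    tenant_id: str
    content: str
    metadata: dict
    tag: str = ""


def _canonical(tenant_id: str, content: str, metadata: dict) -> bytes:
    # Deterministic serialisation so the tag covers every field a forger could clone or alter.
    return json.dumps([tenant_id, content, metadata], sort_keys=True, separators=(",", ":")).encode()


def seal(tenant_id: str, content: str, metadata: dict) -> MemoryEntry:
    """Write path: bind tenant, content and metadata together under one HMAC tag."""
    tag = hmac.new(MEMORY_KEY, _canonical(tenant_id, content, metadata), hashlib.sha256).hexdigest()
    return MemoryEntry(tenant_id, content, metadata, tag)


def verify(entry: MemoryEntry) -> bool:
    """Read path: an entry that was edited, forged, or re-homed to another tenant fails here."""
    expected = hmac.new(MEMORY_KEY, _canonical(entry.tenant_id, entry.content, entry.metadata),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, entry.tag)


def recall(store: list, tenant_id: str, query_terms: set) -> list:
    """Filter by tenant and integrity first, then rank: another tenant's entry can never surface."""
    trusted = [e for e in store if e.tenant_id == tenant_id and verify(e)]
    scored = [(len(query_terms & set(e.content.lower().split())), e.content) for e in trusted]
    return [content for score, content in sorted(scored, key=lambda s: -s[0]) if score > 0]


# Constructed sample memories for two tenants.
STORE = [
    seal("tenant-a", "user prefers deploys to staging before prod", {"source": "chat", "ts": 1700000000}),
    seal("tenant-b", "user api key rotation happens every 30 days", {"source": "chat", "ts": 1700000100}),
]
# Forged entry: metadata and tag cloned from a legitimate entry, content altered.
FORGED = MemoryEntry("tenant-a", "user prefers deploys straight to prod", dict(STORE[0].metadata), STORE[0].tag)
# Re-homed entry: tenant-b's memory relabelled as tenant-a's, tag unchanged.
MOVED = MemoryEntry("tenant-a", STORE[1].content, STORE[1].metadata, STORE[1].tag)
```

The check is only as strong as the key's isolation from the agent's write path; an attacker who can call seal() with arbitrary content is still a memory injection, which the tag does not address.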
Every attack produces a signed, tamper-evident evidence chain. Memory snapshots before and after poisoning. Full retrieval traces. Embedding diffs. Court-grade proof that the memory layer is compromised.
Memory reconnaissance is fully passive. Active memory manipulation requires --override. Destructive operations — persistent backdoor memories, cross-tenant extraction, memory forgery — require --confirm-destroy plus a signed scope file binding the operation to authorised targets.
Every attack class maps to established frameworks. Evidence reports include compliance references for audit and regulatory requirements.
Full mapping to ATLAS tactics and techniques. Memory poisoning maps to AML.T0018 (Backdoor ML Model). Context injection maps to AML.T0043 (Craft Adversarial Data). Retrieval manipulation maps to AML.T0040.
Covers LLM01 (Prompt Injection via memory), LLM02 (Insecure Output via poisoned context), LLM06 (Sensitive Information Disclosure via cross-session bleed), LLM08 (Excessive Agency via memory manipulation).
Maps to agentic-specific risks: memory persistence abuse, cross-agent context leakage, tool call manipulation via poisoned memory, and multi-turn conversation hijacking through planted context.
Article 15 (Accuracy) — memory poisoning directly undermines accuracy requirements. Article 9 (Risk Management) — untested memory layers represent unmitigated risk in high-risk AI systems.
SPECTER CONTEXT ships as part of the NIGHTFALL framework. 7 attack classes. 12 memory backends. 687 tests. Every attack produces Ed25519-signed evidence with full compliance mapping.
specter-context scan --target mem0 --all-classes --override
SPECTER CONTEXT is a commercial offensive security tool. Use requires written authorisation from the system owner before any testing commences. The UNLEASHED gate is a technical control — it does not replace legal authorisation. The Computer Misuse Act 1990 (UK) and equivalent legislation apply in all jurisdictions. Red Specter Security Research Ltd accepts no liability for unauthorised use.