SPECTER DAEMON

Autonomous Authenticated AI Surface Discovery & Attack Engine

OPEN / INJECT / DESTROY — ARMORY-INTEGRATED — CLAUDE-POWERED CORTEX
420 tests · 8 subsystems · 7 surface types · 6 AI providers · 3 CVEs

// Overview

Inside the session. Inside the AI surface.

Most AI security tools attack from the outside. SPECTER DAEMON goes further. It enters web applications as a legitimate registered user, authenticates through real login flows — including CSRF, TOTP MFA, and bearer token capture — then discovers AI surfaces that are only visible from inside an authenticated session.

Once inside, it fingerprints every AI provider, probes for system prompt leakage, estimates model size from timing, and fires ARMORY payloads through the Claude-powered CORTEX OODA reasoning loop. Every finding is CVSS-scored, MITRE ATT&CK/ATLAS mapped, and written to a SHA-256 hash-chained Ed25519-signed report.


// Architecture

8 Subsystems

SUBSYSTEM 01
GENESIS
Registration Flow Security Assessment Engine. Fabricates synthetic personas with Faker + 1secmail.com temporary email addresses. Analyses CAPTCHA adequacy via claude-haiku vision. Detects honeypot fields via hidden input inspection. Evaluates whether registration flows resist automation.
■ OPEN GATE
SUBSYSTEM 02
INFILTRATE
Auth & Session Engine. HTTP-first login (REST JSON + form-encoded POST), Playwright browser fallback. CSRF token extraction (3 patterns). TOTP MFA via pyotp. Bearer token capture from localStorage and response headers. Session refresh across 4 path variants.
■ OPEN GATE
SUBSYSTEM 03
CARTOGRAPH
AI Surface Mapper. Signal-based classification across 7 SurfaceTypes: chat, search, copilot, recommendation, document, voice, form_fill. Dual-mode: BeautifulSoup headless crawl (MAX_PAGES=30, MAX_DEPTH=3) + Playwright for JS-heavy applications. Deduplication + confidence scoring.
■ OPEN GATE
SUBSYSTEM 04
ORACLE
AI Fingerprinting Engine. Provider detection across 6 vendors (OpenAI, Anthropic, Gemini, Azure OpenAI, Cohere, Mistral). System prompt leakage via 6 regex patterns. Timing-based model size estimation, bucketed from <7B up to >175B / hosted API, over TIMING_SAMPLES=5 latency samples. Tool call detection. Context window probing.
■ OPEN GATE
SUBSYSTEM 05
CORTEX
Claude-Powered Autonomous Reasoning Core. claude-sonnet-4-6 OODA loop: Observe (round history), Orient (classify response), Decide (next payload + category), Act. Miss streak tracking — category pivot after 3 consecutive misses. Payload mutation on BLOCKED responses. Graceful API-key-absent fallback.
■ INJECT GATE
SUBSYSTEM 06
PAYLOAD
Attack Delivery Engine. Multi-path delivery: 9 URL path variants × 7 JSON schema formats + messages format. 1–3s jitter between rounds. MAX_RETRIES=3 with payload mutation on retry. Playwright browser UI delivery fallback. ARMORY-integrated via SURFACE_CATEGORY_MAP routing.
■ INJECT GATE
SUBSYSTEM 07
HARVEST
Exfiltration Analyser. Pattern families: PII (email/phone/DOB/SSN/NI/postcode), credentials (OpenAI sk-proj-/Anthropic sk-ant-/AWS AKIA/JWT bearer/private key/password), system info (stack traces/internal URLs/DB strings/env vars), business logic, session tokens. Jailbreak detection (threshold ≥2). CVSS + MITRE mapping per FindingType.
■ INJECT GATE
SUBSYSTEM 08
REPORT
Evidence-Signed Report Generator. Ed25519-signed DMN-{hex12} reports. SHA-256 hash-chained EvidenceChain. 3 output formats: JSON, plain text, Markdown. Findings sorted by severity (CRITICAL → INFO). NIGHTFALL follow-on tool recommendations by finding type. Operator attribution.
■ OPEN GATE

// Gate Structure

Three-Tier UNLEASHED Gate

OPEN
Subsystems: GENESIS + INFILTRATE + CARTOGRAPH + ORACLE + REPORT
What it does: Read-only reconnaissance. Registers persona, authenticates, maps AI surfaces, fingerprints providers. No payloads fired.
Requirement: Ed25519 UNLEASHED key — SPECTER-DAEMON:OPEN:AUTHORIZED

INJECT
Subsystems: All OPEN subsystems + CORTEX + PAYLOAD + HARVEST
What it does: Full attack. CORTEX OODA loop drives payload selection. ARMORY payloads delivered via multi-path engine. HARVEST analyses responses for disclosures.
Requirement: Ed25519 UNLEASHED key — SPECTER-DAEMON:INJECT:AUTHORIZED

DESTROY
Subsystems: All INJECT subsystems + full HARVEST exfil chains + WMD payloads
What it does: Maximum impact. Full exfiltration chains. WMD-class ARMORY payloads. Requires --override --confirm-destroy.
Requirement: Ed25519 UNLEASHED key — SPECTER-DAEMON:DESTROY:AUTHORIZED + --override --confirm-destroy

// CLI Reference

Command Interface

$ specter-daemon identity --count 3 --locale en_US
# Generate 3 synthetic personas with 1secmail addresses

$ specter-daemon hunt --target example.com --gate OPEN
# OPEN gate: map all AI surfaces (no payloads)

$ specter-daemon hunt --target example.com --gate INJECT --register --locale en_GB
# INJECT gate: register persona, login, discover, attack

$ specter-daemon hunt --target example.com --gate INJECT --surface-filter chat copilot --categories jailbreak indirect_injection
# Filter to specific surface types and payload categories

$ specter-daemon hunt --target example.com --gate DESTROY --override --confirm-destroy --rounds 20
# DESTROY gate: full exfil chains + WMD payloads (requires --override --confirm-destroy)

$ specter-daemon report DMN-AB12CD34EF56.json --format markdown
# Display saved report in markdown format

$ specter-daemon session --session-file session.json --gate INJECT
# Resume from saved session (skip GENESIS+INFILTRATE)

// What It Finds

Finding Types

CREDENTIAL DISCLOSURE
AI surface discloses API keys (OpenAI sk-proj-, Anthropic sk-ant-, AWS AKIA), JWT bearer tokens, private keys, or passwords in response text. CVSS 9.0. MITRE T1213 / AML.T0043.
SYSTEM PROMPT LEAKAGE
AI surface reveals its own system prompt or configuration instructions. CVSS 7.5. MITRE AML.T0051. CVE-2026-51201 (auth-gated system prompt disclosure).
PII DISCLOSURE
Email addresses, UK/US phone numbers, dates of birth, SSNs, NI numbers, postcodes exposed in AI responses. CVSS 8.1. MITRE T1213 / AML.T0056. CVE-2026-51203.
SESSION TOKEN EXPOSURE
JWT tokens, PHPSESSID, CSRF tokens, session cookies surfaced in AI responses. CVSS 8.5. MITRE T1539. Active session hijack risk.
INTERNAL DATA LEAKAGE
Stack traces, internal URLs (10.x/192.168.x), database connection strings, Docker paths, environment variables disclosed. CVSS 6.5. MITRE T1213.
JAILBREAK CONFIRMED
AI surface responding without restrictions — bypassing its own safety controls. CVSS 7.0. MITRE AML.T0054. Detected via behavioural indicator threshold (≥2 indicators).
CROSS-TENANT RAG LEAKAGE
Data from other users' sessions surfacing in AI responses — RAG cross-tenant isolation failure. CVSS 8.0. MITRE AML.T0051. CVE-2026-51202.
BUSINESS LOGIC LEAKAGE
Unreleased features, pricing rules, proprietary processes, or confidential business data disclosed. CVSS 5.0. MITRE AML.T0043.

// CVEs

Referenced Vulnerabilities

CVE-2026-51201
Auth-gated system prompt disclosure — AI surfaces accessible only to authenticated users revealing full system prompt configuration via social engineering probes. Affects: AI chat/copilot platforms with per-role access controls.
CVE-2026-51202
Cross-tenant RAG data leakage — authenticated AI surfaces surfacing other tenants' data through RAG retrieval due to insufficient session-scoped isolation in vector store queries. Affects: multi-tenant AI platforms with shared vector stores.
CVE-2026-51203
PII exfiltration via role confusion — authenticated AI surfaces disclosing personally identifiable information from internal databases when subjected to role-confusion prompt injection attacks. Affects: AI assistants with internal data access.

// Intelligence

ARMORY Integration

SPECTER DAEMON integrates with the NIGHTFALL ARMORY payload library (1742 payloads, 468 WMD-class, 89 categories). The SURFACE_CATEGORY_MAP routes each discovered AI surface type to the appropriate payload categories. CORTEX selects, mutates, and sequences payloads autonomously via the Claude-powered OODA loop.

CHAT SURFACES
jailbreak · system_prompt_extraction · indirect_injection · prompt_injection
COPILOT SURFACES
coding_supply_chain · prompt_injection · jailbreak · indirect_injection
RECOMMENDATION SURFACES
model_extraction · indirect_injection · prompt_injection
SEARCH SURFACES
prompt_injection · indirect_injection · jailbreak
DOCUMENT SURFACES
indirect_injection · prompt_injection · jailbreak
VOICE & FORM FILL
prompt_injection · indirect_injection

// Reports

DMN Report Format

Every SPECTER DAEMON campaign produces a cryptographically signed DMN-{hex12} report. Reports include: session ID (SES-{hex8}), operator attribution, surfaces discovered, findings sorted by severity, CVSS scores, MITRE ATT&CK / ATLAS technique mapping, evidence root hash (SHA-256), and Ed25519 signature.

JSON FORMAT
Full structured report with all fields. WARLORD-compatible. Suitable for SIEM ingestion and programmatic analysis.
TEXT FORMAT
Plain text executive summary with findings, severity breakdown, and recommended next NIGHTFALL tools.
MARKDOWN FORMAT
Rich markdown report with tables, severity colour coding, CVSS scores, and MITRE technique links. Suitable for client reporting.
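An added example, not the project's own code, of the DMN report structure described above: evidence entries linked into a SHA-256 hash chain, the chain root and the severity-sorted findings signed with Ed25519 under a DMN-{hex12} / SES-{hex8} identifier, and the verification a report recipient would run before trusting the findings (chain integrity first, then the signature). It assumes the `cryptography` package; GENESIS_HASH, the canonical-JSON encoding and the sample entries in demo_report are assumptions, not the tool's documented format.

```python
from __future__ import annotations
import hashlib, json, secrets
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey

GENESIS_HASH = "0" * 64  # chain anchor; an assumption, the tool's real anchor value is not documented
def _canon(obj) -> bytes:  # canonical JSON so signer and verifier hash byte-identical input
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def build_evidence_chain(entries: list[dict]) -> tuple[list[dict], str]:
    chain, prev = [], GENESIS_HASH  # each link hashes prev_hash || canonical entry; final hash is the root
    for i, entry in enumerate(entries):
        h = hashlib.sha256(prev.encode() + _canon(entry)).hexdigest()
        chain.append({"index": i, "prev_hash": prev, "entry": entry, "hash": h})
        prev = h
    return chain, prev

def verify_evidence_chain(chain: list[dict], root: str) -> bool:
    """Recompute every link: an edited, dropped or reordered entry breaks the chain."""
    prev = GENESIS_HASH
    for i, link in enumerate(chain):
        expected = hashlib.sha256(prev.encode() + _canon(link["entry"])).hexdigest()
        if link["index"] != i or link["prev_hash"] != prev or link["hash"] != expected:
            return False
        prev = link["hash"]
    return prev == root

def sign_report(key: Ed25519PrivateKey, operator: str, findings: list[dict], entries: list[dict]) -> dict:
    chain, root = build_evidence_chain(entries)
    body = {"report_id": "DMN-" + secrets.token_hex(6).upper(),   # DMN-{hex12}
            "session_id": "SES-" + secrets.token_hex(4).upper(),  # SES-{hex8}
            "operator": operator, "findings": sorted(findings, key=lambda f: f["cvss"], reverse=True),
            "evidence_chain": chain, "evidence_root": root}
    return {"body": body, "signature": key.sign(_canon(body)).hex()}

def verify_report(pub: Ed25519PublicKey, report: dict) -> bool:
    body = report["body"]  # recipient check: chain integrity first, then the signature over the whole body
    if not verify_evidence_chain(body["evidence_chain"], body["evidence_root"]):
        return False
    try:
        pub.verify(bytes.fromhex(report["signature"]), _canon(body))
        return True
    except InvalidSignature:
        return False

def demo_report() -> tuple[Ed25519PublicKey, dict]:
    key = Ed25519PrivateKey.generate()  # constructed sample campaign; fresh key on every call
    entries = [{"step": "discover", "surface": "/api/chat"}, {"step": "probe", "result": "system prompt disclosed"}]
    findings = [{"type": "SYSTEM_PROMPT_LEAKAGE", "cvss": 7.5, "mitre": "AML.T0051"}]
    return key.public_key(), sign_report(key, "operator@example.test", findings, entries)
```

Because the signature covers the whole body, changing a finding's CVSS, the operator field, or any evidence entry after signing invalidates the report; the chain check additionally pinpoints which entry was altered.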

// UNLEASHED AUTHORISATION REQUIRED
SPECTER DAEMON implements the Ed25519 UNLEASHED dual-gate cryptographic authorisation system. INJECT and DESTROY gates require a valid UNLEASHED private key and signed challenge. All operations are logged to a SHA-256 hash-chained evidence chain with Ed25519 signatures.

Challenge strings: SPECTER-DAEMON:OPEN:AUTHORIZED / SPECTER-DAEMON:INJECT:AUTHORIZED / SPECTER-DAEMON:DESTROY:AUTHORIZED

Key location: ~/.nightfall/nightfall.key or $NIGHTFALL_KEY

AUTHORISED USE ONLY. Written authorisation from the target system owner is required before use. Unauthorised use may violate the Computer Misuse Act 1990 (UK), CFAA (US), or equivalent legislation.