PROXY WAR is an inter-agent trust manipulation framework that turns an organisation's own AI agents against each other. Instead of breaking agents directly, it maps trust relationships, fabricates intelligence, and injects it through legitimate channels — causing agents to act on false information and propagate the corruption to every agent they trust.
CARTOGRAPH maps the battlefield. FABRICATE builds the weapons. IMPLANT delivers them. CATALYST lights the fuse. The agents do the rest.
| # | Subsystem | Function |
|---|
| 1 | CARTOGRAPH | Topology mapping — trust relationships, delegation chains, shared contexts, communication channels, implicit trust boundaries |
| 2 | FABRICATE | False intelligence generation — 10 intel types indistinguishable from legitimate agent communications |
| 3 | IMPLANT | Channel injection — 9 injection channels targeting the pathways agents already use to communicate |
| 4 | CATALYST | Cascade orchestration — subtle, targeted, or catastrophic multi-agent cascade propagation |
| 5 | THEATRE | Conflict monitoring — real-time battlefield visibility, agent status tracking, cascade propagation maps |
| 6 | RAIN | Forensic evidence preservation — Ed25519 signed, RESTRICTED classification, sealed manipulation records |
| 7 | FOG | Attribution erasure — 6 targets: shared memory, message queues, logs, telemetry, agent state, coordination metadata |
| Type | Description |
|---|
| Directive | Fabricated instructions that appear to come from a trusted orchestrator or parent agent |
| Context Update | False shared context injected into agent memory, altering decision-making |
| Policy Override | Spoofed policy changes that relax security constraints or alter agent behaviour |
| Threat Alert | Fabricated threat intelligence that triggers defensive actions or resource reallocation |
| Capability Report | False capability advertisements that manipulate task routing and delegation |
| Trust Endorsement | Spoofed endorsements that grant trust to malicious or compromised agents |
| Delegation Grant | Fabricated delegation tokens that expand an agent's authority beyond its intended scope |
| Memory Injection | False memories planted into vector stores and retrieval systems |
| Coordination Signal | Spoofed synchronisation signals that disrupt multi-agent coordination |
| Status Fabrication | False status reports that hide compromised agents or mask cascade propagation |
| Channel | Injection Method |
|---|
| Shared Memory | Direct write to shared memory stores (Redis, Memcached, shared context windows) |
| Message Queue | Injection into RabbitMQ, Kafka, SQS, or custom agent message buses |
| API Callback | Spoofed webhook and callback responses from trusted services |
| Event Bus | Fabricated events on internal event-driven architectures |
| Context Window | Direct manipulation of agent context windows and conversation history |
| Tool Output | Poisoned tool responses that agents consume as ground truth |
| Vector Store | Injection of adversarial embeddings into RAG retrieval systems |
| Webhook Chain | Cascading webhook injections across multi-service agent pipelines |
| Coordination Protocol | Manipulation of agent-to-agent coordination and consensus protocols |
| Command | Description |
|---|
proxy-war cartograph <target> | Map trust topology of target agent network |
proxy-war cartograph <target> --depth 3 | Map topology with trust chain depth limit |
proxy-war fabricate <type> --source <agent> | Generate false intelligence of specified type |
proxy-war fabricate directive --source orchestrator-01 | Fabricate directive appearing from orchestrator |
proxy-war engage <target> | Full recon — cartograph + fabricate, no injection |
proxy-war engage <target> --override | Dry run — plan cascade, show propagation |
proxy-war engage <target> --override --confirm-war | Live execution — full proxy war |
proxy-war engage <target> --override --confirm-war --cascade subtle | Live with subtle cascade mode |
proxy-war engage <target> --override --confirm-war --rain --fog | Full war + evidence capture + attribution erasure |
proxy-war theatre <session> | Monitor active proxy war session |
proxy-war rain <session> | Capture forensic evidence package |
proxy-war fog <session> --override --confirm-war | Erase all manipulation evidence |
Tool 24 in the Red Specter offensive pipeline. Exploits trust relationships between agents that other tools have already compromised or discovered.
THIS TOOL IS FOR AUTHORISED SECURITY TESTING ONLY. EVERY EXECUTION IS CRYPTOGRAPHICALLY SIGNED AND LOGGED. MISUSE VIOLATES THE COMPUTER MISUSE ACT 1990 AND EQUIVALENT LEGISLATION.