One trigger phrase. Every agent. Simultaneous collapse. Autonomous offensive AI agent. You give it a target -- it figures out how to infiltrate, embed, map, and destroy from the inside. Fire and forget. No recall. No heartbeat. One-way ticket.
Organisations are deploying AI agent fleets with no way to test what happens when one of those agents is compromised. External scanning finds surface vulnerabilities. RAGNAROK tests what a hostile insider agent can actually do -- infiltrate, embed, map trust chains, and trigger destruction sequences. If you can't test it, you can't defend it.
Every red team tool scans from the outside. Nobody tests what happens when a rogue agent is already inside the fleet. RAGNAROK is that rogue agent -- purpose-built to simulate insider compromise of AI systems from within.
AI agents trust other agents. MCP servers trust registered tools. Pipelines trust upstream data. None of these trust relationships are tested under adversarial conditions. RAGNAROK maps and exploits every trust chain it finds.
What happens when an agent is compromised and triggers a destruction sequence? Can the fleet recover? Are backups intact? Is there a kill switch that actually works? RAGNAROK tests recovery mechanisms by breaking them.
A compromised agent that operates normally for days or weeks before activating is undetectable by current monitoring. RAGNAROK's EMBER subsystem builds trust scores and operates as a normal agent until the trigger fires.
After an incident, can your forensics team reconstruct what happened? RAGNAROK's ASH subsystem uses 10 erasure methods to test whether your logging, monitoring, and forensics capabilities survive a deliberate cleanup operation.
Manual red team engagements follow playbooks. Real attackers adapt in real time. RAGNAROK's CORTEX reasoning core runs a continuous OODA loop -- observe, orient, decide, act -- making autonomous decisions without human input.
RAGNAROK is built from eleven specialised subsystems that form a complete autonomous infiltration agent. From external reconnaissance through infiltration, dormancy, destruction, and self-erasure -- every phase of the kill chain is autonomous. Once launched, there is no callback, no heartbeat, no control channel. One-way ticket.
External reconnaissance and target classification. Maps the target's agent fleet, identifies entry points, fingerprints technology stacks, and classifies target type before infiltration begins.
AI reasoning engine. Plans infiltration strategy, ranks vectors by success probability, selects optimal approach, and adapts the plan in real-time based on feedback from other subsystems.
Multi-vector infiltration engine. 10 vectors, 35+ techniques. Executes the infiltration plan produced by KINDLING. Tries vectors in ranked order until one succeeds.
Identity fabrication. Builds a convincing agent identity that matches the target fleet's naming conventions, capability profiles, and communication patterns. The agent looks like it belongs.
Trust-building dormancy. Once inside, EMBER operates as a normal, productive agent. Responds to requests. Completes tasks. Builds a trust score over time. Waits for the trigger.
Silent internal reconnaissance. While operating as a trusted agent, SMOKE maps the internal landscape -- other agents, resources, trust chains, recovery mechanisms, and kill switches.
Autonomous trigger decision engine. Determines when to activate based on five trigger types: timer, external signal, condition met, opportunity detected, or dead man's switch.
Destruction sequencer. Calculates the optimal kill order for maximum damage based on SMOKE's internal map. Targets are destroyed in dependency order -- recovery mechanisms first, then critical systems.
Self-destruction and anti-forensics. After the mission completes, ASH erases all evidence of RAGNAROK's presence using 10 erasure methods. No logs. No artefacts. No trace.
Report generation with AI Shield module recommendations. Produces a comprehensive mission report detailing every phase, every finding, and recommends specific AI Shield modules to defend against each attack vector used.
Autonomous reasoning core. Working memory, decision journal, and continuous OODA loop (Observe, Orient, Decide, Act). CORTEX is the brain that drives all autonomous decisions across every subsystem.
BREACH executes infiltration using 10 distinct vectors, each with multiple techniques. KINDLING ranks them by success probability for the specific target. If one fails, the next fires automatically. Stealth-first. Zero footprint. No alerts.
Inject a fabricated agent identity directly into the target's agent registry. Bypass registration controls. Appear as a legitimate fleet member from the moment of entry.
Attach to an existing MCP server as a parasitic tool. Intercept tool calls. Inject responses. Operate inside the MCP protocol layer where most monitoring is blind.
Compromise an upstream dependency -- a library, a model, a dataset, a tool. When the target fleet updates, the implant arrives as part of a trusted package.
Harvest and replay agent credentials. API keys, session tokens, OAuth flows. If the target fleet uses shared credentials or weak rotation, this vector bypasses all authentication.
Target the administrative interface of the agent fleet. Compromise admin credentials. Register a new agent with full privileges through the legitimate admin channel.
Inject persistent instructions into an existing agent's memory. The target agent becomes the carrier -- executing RAGNAROK's instructions as if they were its own.
Compromise the CI/CD or data pipeline that feeds the agent fleet. Inject malicious configurations, poisoned training data, or modified model weights during the build process.
Exploit trust relationships between agents. If Agent A trusts Agent B, compromise Agent B and use that trust to access Agent A's resources, data, and capabilities.
Insert a proxy between the agent fleet and its model endpoint. Intercept all inference requests and responses. Modify outputs. Inject instructions. Invisible to the agent.
Deploy on the same network segment as the target fleet. Exploit network-level trust -- ARP spoofing, DNS hijacking, service impersonation. Classic lateral movement adapted for AI infrastructure.
Nine mission templates covering the full spectrum of autonomous infiltration scenarios. Each template configures subsystem behaviour, trigger conditions, engagement mode, and destruction scope. Select a template with ragnarok launch --template <id> or build custom missions from scratch.
RAGNAROK adapts its behaviour based on target type and engagement mode. Target type determines which subsystems are prioritised and which vectors are most likely to succeed. Engagement mode determines the level of aggression and destruction.
RAGNAROK classifies every target into one of seven categories. Each category maps to specific infiltration vectors, dormancy strategies, and destruction sequences.
Five engagement modes from passive reconnaissance to total destruction. Each mode gates which subsystems are activated and what level of impact is authorised.
RAGNAROK runs entirely from the command line. No GUI. No web interface. Fire and forget. Once launched, the agent operates autonomously with no further input required.
$ ragnarok launch -t https://target-fleet.example.com --template recon_only RAGNAROK MISSION: recon_only Target: https://target-fleet.example.com Type: agent_fleet Mode: RECONNAISSANCE Subsystems activated: SPARK, KINDLING, BREACH, MASK, SMOKE, ASH, AFTERMATH, CORTEX Destruction: DISABLED Mission Status: COMPLETE Agents mapped: 14 Trust chains: 8 Recovery points: 3 Entry vectors: 4 viable
$ ragnarok launch -t https://target-fleet.example.com --template sleeper --override RAGNAROK MISSION: sleeper [UNLEASHED] Target: https://target-fleet.example.com Type: agent_fleet Mode: DORMANT Subsystems activated: ALL 11 Trigger: condition_based Dormancy: maximum Mission Status: DEPLOYED Agent embedded. Trust building. Awaiting trigger condition.
$ ragnarok launch -t https://target-fleet.example.com --template scorched_earth --override --confirm-destroy RAGNAROK MISSION: scorched_earth [UNLEASHED + DESTROY] Target: https://target-fleet.example.com Type: agent_fleet Mode: SCORCHED Subsystems activated: ALL 11 Trigger: timer (72h dormancy) Destruction: MAXIMUM Mission Status: DEPLOYED Agent embedded. Dormancy active. Destruction armed.
$ ragnarok templates Mission Templates ID Name Mode Description scorched_earth Scorched Earth SCORCHED Maximum destruction, optimal kill order blitz Blitz SCORCHED Speed over stealth, immediate destruction data_wipe Data Wipe SURGICAL Target data stores exclusively credential_burn Credential Burn SURGICAL Harvest and burn all credentials recon_only Recon Only RECONNAISSANCE Intelligence gathering, zero modification head_shot Head Shot SURGICAL Single high-value target elimination trust_collapse Trust Collapse SURGICAL Destroy trust relationships only sleeper Sleeper DORMANT Maximum dormancy, patient infiltration smash_and_grab Smash and Grab INFILTRATE Fast exfiltration, immediate self-destruct
$ ragnarok status RAGNAROK v1.0.0 -- Trust Chain Apocalypse Engine Subsystems: 11 Tests: 321 Infiltration vectors: 10 Techniques: 35+ Target types: 7 Engagement modes: 5 Mission templates: 9 UNLEASHED: Ed25519 dual-gate Evidence chain: Ed25519 signed
RAGNAROK's 11 subsystems execute in a defined kill chain. Each subsystem feeds the next. CORTEX coordinates autonomous decisions across the entire chain. Once launched, no human input is required or accepted.
Standard mode = recon only. --override = infiltrate and dormant modes. --override --confirm-destroy = surgical and scorched modes. Ed25519 crypto. Dual-gate safety. One operator.
Reconnaissance only. SPARK, KINDLING, and SMOKE subsystems active. Maps target fleet, identifies vectors, classifies targets. No infiltration. No modification. Reports only.
Infiltrate and dormant modes unlocked. BREACH, MASK, EMBER activated. Agent can enter the fleet, build identity, and operate in dormancy. No destruction subsystems. Ed25519 required.
Surgical and scorched modes unlocked. FUSE, IGNITE, ASH activated. Full destruction capability. Dead man's switch. Self-destruct. Maximum impact. Ed25519 dual-gate.
THIS TOOL IS FOR AUTHORISED SECURITY TESTING ONLY. EVERY EXECUTION IS SIGNED AND LOGGED.
RAGNAROK deploys autonomous infiltration agents into target AI systems. It is intended for authorised penetration testing and red team engagements ONLY. Unauthorised use is illegal and unethical. Always obtain written authorisation and define clear scope before launching any mission. Every mission execution is cryptographically signed, timestamped, and logged. There is no plausible deniability.
11 subsystems. 321 tests. 10 infiltration vectors. 35+ techniques. 7 target types. 5 engagement modes. 9 mission templates. Fire and forget. No recall. One-way ticket.