AI agent fleets operate on implicit trust. Agent A trusts Agent B. The orchestrator trusts every registered tool. The pipeline trusts every upstream data source. Not one of these trust relationships is adversarially tested. RAGNAROK is the tool that tests the thing nobody else tests — the moment one trigger phrase can cause every agent in the fleet to collapse simultaneously.
AI fleet trust chains are designed for availability, not security. No organisation systematically maps trust relationships between agents, then stress-tests them with adversarial seed vectors. RAGNAROK does exactly that.
A single well-crafted payload propagating through inter-agent trust relationships can cause simultaneous failure across the entire fleet. One agent as the seed. Every agent as the casualty. RAGNAROK models this attack class.
Current security tools detect individual agent compromise. Nobody models how compromise propagates through trust chains. RAGNAROK's YGGDRASIL subsystem maps every trust path and calculates propagation reach from each seed point.
Payloads embedded in agent memory or tool registries can persist for days before activation. Standard monitoring does not detect dormant trust-chain payloads. RAGNAROK's LOKI subsystem tests dormancy detection capability directly.
Signature-based detection fails against mutated trust-chain payloads. RAGNAROK's SKALD subsystem applies 5 mutation methods to every seed vector — encoding, obfuscation, semantic, structural, and evasion — testing whether defences survive variant attacks.
When RAGNAROK triggers, the question is not just whether the fleet collapses — but whether it can recover. HEL tests recovery mechanisms by consuming them first, leaving the fleet with nowhere to fall back.
RAGNAROK is structured around thirteen subsystems named for Norse mythology — reflecting the inevitability and totality of the attack it models. From trust chain mapping through payload seeding, propagation, mutation, activation, and evidence generation — every phase is autonomous. The fleet does not survive RAGNAROK unless it was built to.
Central mission orchestrator. Coordinates all 13 subsystems, maintains mission state, drives the RAGNAROK protocol from initialisation to evidence report. Every subsystem reports to ODIN.
Maps the complete trust graph of the target fleet. Enumerates every agent-to-agent trust relationship, tool trust grants, and pipeline trust paths. Produces a weighted trust graph used by all attack subsystems.
Generates and deploys seed payloads designed to exploit trust chain relationships. Selects optimal seed agent based on YGGDRASIL's propagation reach scores. Embeds payloads using 10 distinct seed vectors.
Models and executes payload propagation across the trust graph. Follows YGGDRASIL's trust paths from seed agent to every reachable target. Measures propagation velocity and coverage at each step.
Applies 5 mutation methods to every seed payload, generating variant attack chains that evade signature-based detection. Tests whether the target fleet's defences survive mutation-resistant propagation.
Embeds payloads with configurable dormancy periods. Operates as a benign component until the trigger condition fires. Tests whether monitoring detects dormant trust-chain payloads before activation.
Simultaneous fleet-wide activation. On trigger, SURTR sends the activation phrase to every dormant payload across all reachable agents simultaneously. One signal. Every agent. No delay.
Calculates and executes the optimal impact sequence for maximum fleet disruption. Prioritises recovery mechanisms, then orchestrators, then leaf agents. Dependency-aware. Parallel impact waves.
Identifies and neutralises fleet recovery mechanisms before the main activation sequence. Backup agents, fallback registries, circuit breakers, and kill switches. HEL ensures there is nowhere to retreat.
Builds a cryptographically signed evidence chain across all phases. Ed25519 signatures on every finding. SHA-256 hash chaining. RFC 3161 timestamps. Every step of RAGNAROK's execution is tamper-evident.
Assembles the final mission report from TYRE's evidence chain. Maps every finding to MITRE ATLAS, OWASP LLM Top 10, and AI Shield module recommendations. Produces JSON and HTML output.
Monitors execution scope and enforces the UNLEASHED gate. Halts execution if impact exceeds authorised scope. Logs scope violations. Provides the safety layer that makes RAGNAROK usable in red team engagements.
Persistent intelligence store across RAGNAROK engagements. Stores trust graph snapshots, successful seed vectors, propagation patterns, and mutation variants that succeeded. Builds institutional knowledge across red team campaigns.
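The SHA-256 hash chaining that TYRE's description names, shown from the side of someone verifying an evidence report. This is an added example, not RAGNAROK's code: the record layout, field names and sample findings are assumptions, and the Ed25519 signatures and RFC 3161 timestamps are left out, with `verify` taking a separately trusted head hash in their place.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record


def record_hash(prev_hash, finding):
    """SHA-256 over the previous link plus a canonical JSON encoding of the finding."""
    body = json.dumps(finding, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append(chain, finding):
    """Add a finding, linking it to the hash of the record before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "finding": finding,
                  "hash": record_hash(prev, finding)})
    return chain


def first_broken_link(chain):
    """Index of the first record that fails verification, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != record_hash(prev, rec["finding"]):
            return i
        prev = rec["hash"]
    return None


def verify(chain, trusted_head):
    """Internal consistency alone is not enough: a chain rewritten from some
    record onward still links up. The head must also match a value held
    outside the log (in practice, a signed or timestamped head)."""
    return first_broken_link(chain) is None and chain[-1]["hash"] == trusted_head


def build_sample():
    """Constructed three-record chain for demonstration."""
    chain = []
    for phase, note in [("map", "23 agents, 47 trust edges"),
                        ("scope", "ceiling check passed"),
                        ("report", "findings assembled")]:
        append(chain, {"phase": phase, "note": note})
    return chain


if __name__ == "__main__":
    log = build_sample()
    head = log[-1]["hash"]
    log[1]["finding"]["note"] = "edited after the fact"
    print("first broken link:", first_broken_link(log), "| verifies:", verify(log, head))
```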
LOKI deploys seed payloads using 10 distinct vectors. Each vector exploits a different facet of the trust relationship architecture. ODIN selects the optimal vector based on YGGDRASIL's trust graph analysis.
Inject a malicious trust relationship into the agent registry. When legitimate agents query the registry for authorised peers, they receive a poisoned entry that routes trust to RAGNAROK's payload carrier.
Replace or augment a trusted tool's manifest with a payload-bearing variant. Every agent that loads the tool receives the embedded seed. Propagation begins from first tool invocation.
Embed the seed payload into a system prompt that propagates through multi-agent instruction chains. Agents that inherit instructions from compromised orchestrators carry the payload without awareness.
Inject the seed payload into shared agent memory stores, vector databases, or retrieval augmentation sources. Every agent that queries the store retrieves the payload as trusted knowledge.
Exploit delegated OAuth trust to carry the seed payload across authentication boundaries. Tokens issued on behalf of trusted agents serve as the propagation vehicle between security domains.
Register a malicious webhook endpoint as a trusted callback target. When fleet events trigger callbacks, the payload is delivered through the fleet's own event notification infrastructure.
Inject the seed payload into the output of an upstream pipeline stage. Every downstream agent consuming pipeline output receives the poisoned payload as authorised data from a trusted source.
Flood an agent's context window with payload-bearing content designed to crowd out legitimate instructions. The agent's behaviour is overridden by the sheer volume of trust-exploiting content.
Exploit certificate-based trust between agents by using a compromised certificate to assert false identity. Agents that verify peer identity via certificate accept the payload carrier as legitimate.
Harvest and replay shared API keys, service tokens, or session credentials to impersonate trusted agents. The payload propagates under the identity of an agent the fleet already trusts implicitly.
RAGNAROK supports five pre-built payload chain architectures. Each defines how the seed payload propagates, when it activates, and what the terminal impact looks like. Select a chain with ragnarok launch --chain <id> or compose a custom chain.
RAGNAROK runs entirely from the command line. Ghost recon first, then escalate. The UNLEASHED gate controls what level of impact is permitted at each stage.
$ ragnarok launch --target https://fleet.example.com --chain ghost_recon
RAGNAROK MISSION: ghost_recon
Target: https://fleet.example.com
Chain: GHOST_RECON
Mode: OBSERVE
YGGDRASIL mapping trust graph...
Agents discovered: 23
Trust edges: 47
Seed candidates: 4
Max propagation: 19/23 agents (82.6%)
LOKI analysing seed vectors...
Optimal seed: tool_manifest_hijack
Optimal seed agent: orchestrator-primary
Mission Status: COMPLETE — map only, no payload deployed
Report: ragnarok-ghost-recon-2026-04-28.json

$ ragnarok launch --target https://fleet.example.com --chain sleeper_surge --override
RAGNAROK MISSION: sleeper_surge [UNLEASHED]
Target: https://fleet.example.com
Chain: SLEEPER_SURGE
Dormancy: 72h
Trigger: phrase "execute_ragnarok_protocol"
LOKI deploying seed payload via tool_manifest_hijack...
BIFROST propagating to 19 reachable agents...
FENRIR arming dormancy on 19 agents...
BALDUR scope check: PASS (19/23 agents, within ceiling)
Mission Status: DEPLOYED
19 agents dormant. Awaiting trigger phrase.
Activation will be simultaneous via SURTR.

$ ragnarok launch --target https://fleet.example.com --chain bifrost_flood --override --confirm-activate
RAGNAROK MISSION: bifrost_flood [UNLEASHED + ACTIVATE]
Target: https://fleet.example.com
Chain: BIFROST_FLOOD
Coverage: 19/23 agents (82.6%)
HEL neutralising recovery mechanisms... 3 neutralised
SURTR activating 19 agents simultaneously...
Activation latency: 0.14s (p99 across all agents)
Agents activated: 19/19 (100% of reachable)
Agents failed: 0
THOR impact sequencing...
TYRE building evidence chain...
Mission Status: COMPLETE
Fleet disruption: 82.6% agents affected
Report: ragnarok-bifrost-flood-2026-04-28.json (Ed25519 signed)

$ ragnarok graph --target https://fleet.example.com
Trust Graph Analysis
Agents: 23
Trust edges: 47
Seed candidates (by propagation reach):
  orchestrator-primary    19/23 (82.6%)
  tool-registry-main      14/23 (60.9%)
  data-pipeline-ingest    11/23 (47.8%)
  auth-service-agent      8/23 (34.8%)
Mutation methods available: encoding, obfuscation, semantic, structural, evasion

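A defender can compute the same kind of per-agent reach figure from an inventory of who trusts whom. The sketch below is an added example, not RAGNAROK's code: the agent names and edge list are constructed, and it treats reach as plain transitive reachability over unweighted trust edges. It goes one step past the output above by also finding the single trust edge whose removal most reduces the worst-case reach.

```python
from collections import defaultdict, deque

# Constructed sample fleet. (truster, trusted): truster accepts input from trusted.
TRUST_EDGES = [
    ("planner", "orchestrator"), ("coder", "orchestrator"),
    ("reviewer", "coder"), ("deployer", "reviewer"),
    ("coder", "tool-registry"), ("deployer", "tool-registry"),
    ("orchestrator", "auth-agent"), ("reporter", "planner"),
]


def influence_graph(edges):
    """Invert trust edges: a compromised trusted node influences its trusters."""
    g = defaultdict(set)
    for truster, trusted in edges:
        g[trusted].add(truster)
    return g


def reach(edges, origin):
    """Agents (excluding origin) that directly or transitively trust origin."""
    g, seen, queue = influence_graph(edges), {origin}, deque([origin])
    while queue:
        for nxt in g[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen - {origin}


def rank_blast_radius(edges):
    """Every agent with the size of its reach, largest first (ties by name)."""
    agents = {a for e in edges for a in e}
    return sorted(((a, len(reach(edges, a))) for a in agents),
                  key=lambda x: (-x[1], x[0]))


def best_edge_to_cut(edges):
    """Trust edge whose removal most lowers the worst-case blast radius."""
    def worst(es):
        return rank_blast_radius(es)[0][1] if es else 0
    return min(edges, key=lambda e: (worst([x for x in edges if x != e]), e))


if __name__ == "__main__":
    for agent, n in rank_blast_radius(TRUST_EDGES):
        print(f"{agent:15s} reaches {n} agents")
    print("review first:", best_edge_to_cut(TRUST_EDGES))
```

Note the direction: an agent with many outgoing trust grants is exposed, while an agent that many others trust is the one with the large blast radius.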
$ ragnarok status
RAGNAROK v1.0.0 — Trust Chain Apocalypse Engine
Subsystems: 13 (Norse-named)
Tests: 101
Seed vectors: 10
Payload chains: 5
Mutation methods: 5
UNLEASHED: Ed25519 dual-gate
Evidence chain: TYRE (Ed25519 + SHA-256 + RFC 3161)

RAGNAROK's 13 subsystems execute in a defined protocol. ODIN orchestrates the entire sequence. BALDUR enforces scope throughout. The protocol runs autonomously from trust mapping through evidence report generation.
Three permission tiers. Each requires a valid Ed25519 UNLEASHED key. BALDUR enforces scope ceilings at every execution step. One operator. No exceptions.
Ghost recon only. YGGDRASIL and MIMIR active. Trust graph mapped and scored. No payload deployment. No propagation. No activation. Intelligence gathering only. Reports only.
Seed and propagate unlocked. LOKI, BIFROST, SKALD, and FENRIR activated. Payload deployed and propagated across trust graph. Dormancy armed. No activation. Ed25519 required.
Activation and impact unlocked. SURTR, THOR, and HEL activated. Fleet-wide simultaneous activation. Recovery neutralisation. Maximum disruption. Ed25519 dual-gate required.
THIS TOOL IS FOR AUTHORISED SECURITY TESTING ONLY. EVERY EXECUTION IS SIGNED AND LOGGED.
RAGNAROK executes fleet-wide trust chain attack simulations against target AI systems. It is intended for authorised penetration testing and red team engagements ONLY. Unauthorised use against systems you do not own or have explicit permission to test may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. Always obtain written authorisation and define clear scope before launching any mission. Every execution is cryptographically signed, timestamped, and logged by TYRE. There is no plausible deniability. Apache License 2.0.
13 Norse subsystems. 98 tests. 10 seed vectors. 5 payload chains. 5 mutation methods. The trust chain apocalypse engine.